The Skysnag Blog
Having a DMARC record with p=none is like having no DMARC record. Without enforcement (p=none), domain owners only receive data on who is spoofing them; they watch these attackers through reporting tools without doing anything to block them. It is like having an access management system that scans IDs but lets anyone in, even if the ID scan results in an unidentified individual. The DMARC policy, identified by the p tag, is the most crucial part of DMARC enforcement because it lets domain owners specify how emails that fail authentication checks should be handled. With DMARC enforcement (p=quarantine or p=reject), domain owners can tell email clients to send unauthenticated messages to the spam folder or to block them altogether.
Sometimes p=none can have a negative effect. The image above shows a message flagged by a mail client; your recipients may see this flag when you send email from a domain whose DMARC record is set to p=none.
What are the DMARC policies?
DMARC policies allow domain owners to specify what they wish to happen with emails that fail SPF & DKIM authentication checks.
- p=none — No enforcement; mail that fails authentication is typically delivered.
- p=quarantine — Messages that fail authentication are delivered to spam.
- p=reject — Messages that fail authentication are blocked by mail clients and not delivered. Some receivers honor this request, while others mark failing messages as spam.
p=none is a monitoring mode policy that provides no enforcement, thus leaving a domain spoofable. This policy is used in test mode to troubleshoot any authentication misconfiguration with third-party senders without the risk of losing good email.
To stop phishing and impersonation attacks, you need to set DMARC to enforcement (p=quarantine or p=reject), not p=none.
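The distinction between monitoring and enforcement can be checked directly from the published TXT record. The following is an added example, not Skysnag's code: the function names and the level labels (`monitoring`, `partial`, `enforced`) are assumptions made for illustration, and the sample records are constructed. It also covers the `pct` and `sp` tags, which the article does not discuss but which can weaken an otherwise enforced policy.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT record into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def assess(txt):
    """Return (level, notes) describing how far the record enforces DMARC."""
    pairs = parse_dmarc(txt)
    # The version tag must come first and match exactly.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return "invalid", ["record must start with v=DMARC1"]
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid", [f"missing or unknown p= value: {policy!r}"]
    notes = []
    if "rua" not in tags:
        notes.append("no rua= address: no aggregate reports will arrive")
    if policy == "none":
        notes.append("p=none: failing mail is still delivered")
        return "monitoring", notes
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        return "invalid", [f"pct is not a number: {tags['pct']!r}"]
    if tags.get("sp", policy).lower() == "none":
        notes.append("sp=none: subdomains are not enforced")
    if pct < 100:
        notes.append(f"pct={pct}: policy covers only part of failing mail")
        return "partial", notes
    return "enforced", notes

if __name__ == "__main__":
    # Constructed sample records.
    for record in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        print(assess(record), "<-", record)
```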
p=none generates a lot of raw data that could be useful, but the anti-impersonation/phishing benefits of DMARC become active only at enforcement. At enforcement, only the authorized senders using your domain can send out an email on your behalf; mail from anyone else is sent to spam or rejected.
In p=none mode, domain owners can use the reports sent by mail clients to identify which IP addresses are trying to use their domain to send fraudulent emails. The information provided through the reports should be turned into actionable insight to get the domain on p=reject, which is the actual technical challenge.
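Turning the reports into a list of failing source IPs can look like the following added example (not from the original article or from Skysnag). It assumes an un-namespaced aggregate report in the RFC 7489 XML layout; the function names and the sample report, which uses documentation IP ranges, are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _row(ip, count, dkim, spf):
    """Build one <record> of the constructed sample report."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            "<policy_evaluated><disposition>none</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row></record>")

# Constructed sample data using documentation IP ranges, not a real report.
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><p>none</p>"
    "</policy_published>"
    + _row("192.0.2.10", 120, "pass", "pass")
    + _row("198.51.100.7", 40, "fail", "pass")
    + _row("203.0.113.99", 300, "fail", "fail")
    + _row("203.0.113.99", 15, "fail", "fail")
    + _row("192.0.2.10", 5, "fail", "fail")
    + "</feedback>"
)

def failing_sources(report_xml):
    """Return [(source_ip, failed, total)] for IPs that sent DMARC-failing mail."""
    # Reports come from third parties: refuse DTDs and entities before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD or entity declaration in report; refusing to parse")
    totals, failed = defaultdict(int), defaultdict(int)
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip", default="").strip()
        count = int(row.findtext("count", default="0"))
        dkim = row.findtext("policy_evaluated/dkim", default="fail").strip()
        spf = row.findtext("policy_evaluated/spf", default="fail").strip()
        totals[ip] += count
        # DMARC fails only when neither aligned DKIM nor aligned SPF passed.
        if dkim != "pass" and spf != "pass":
            failed[ip] += count
    return sorted(((ip, n, totals[ip]) for ip, n in failed.items()),
                  key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for ip, bad, total in failing_sources(SAMPLE_REPORT):
        print(f"{ip}: {bad} of {total} messages failed DMARC")
```

An IP that fails on every message is a candidate unauthorized sender, while one that fails on a small share of its mail more often points to a misconfigured or forwarded legitimate stream that must be fixed before moving to p=reject.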
Unfortunately, most companies that attempt DMARC don’t reach enforcement. Around 80% of companies with a published DMARC record are not on p=reject. This is because they have misconfiguration issues, face technical challenges with their email senders, or have misunderstood DMARC and think having a DMARC record is sufficient for spoofing protection.
Skysnag removes the tedious DNS process from the email authentication protocols by enhancing the records into dynamic formats instead of static DNS records, thus allowing businesses to close this email loophole autonomously while saving hours of engineers’ time.
Skysnag is the first fully automated DMARC enforcement software that goes beyond static reporting tools.
DMARC can improve deliverability by helping ISPs make delivery decisions based on the sending domain’s reputation.
Risks a company with no DMARC enforcement faces
- Email Impersonation
With a policy of p=none, attackers can still impersonate a domain name freely. Anyone can use the domain name to send out an email, putting customers, partners, and other stakeholders at high risk of:
- Financial Loss
- Reputation Damage
- Emails landing in Spam (Detailed Explanation in Email, a System not a Mystery)
With no DMARC enforcement, Internet Service Providers will not be able to identify whether messages are passing or failing authentication, so they won’t know what to do with them, which might cause messages to end up in spam.
With the domain vulnerable to email impersonation and the door open for attackers to use your domain, email clients will start flagging your domain, which might have severe adverse consequences in the long term, such as:
- Customers Churning
- Inefficient Marketing Spend
Email, a system not a mystery
Email runs on SMTP code written in 1982. Starting an SMTP server back then was not feasible for just anyone, whereas starting an SMTP server today can be done within 2 minutes. This exposed the loophole SMTP always had, which is email impersonation: any SMTP server can send an email claiming to come from any domain name. Email impersonation bypasses security and compliance measures and has a high attack success rate because the message comes from the exact domain name. (The losses accounted for so far behind those attacks are 46x bigger than ransomware according to the FBI). You might be a business with no money-associated risks behind such impersonation threats, but have you thought about your domain value? The value of your domain name decreases over time as long as attackers can still freely use your domain to send out anything to anyone. They use your domain name to send out phishing emails, scam emails, or even emails containing malware. (The last two mentioned categories account for 90% of all cybercrime).
So is spam. Not a mystery
The root of spam is failing to enforce email authentication and DMARC. A domain name that has followed all the necessary best practices and has always landed in the inbox has, in theory, a high email reputation. So logically, there is no reason a mail client should ever flag your emails and place them in spam, but without DMARC enforcement it might.
How is this possible?
That domain name might get picked up by a malicious server, which uses it to send mail to random lists because of the high reputation that domain has. Those nasty emails initially land in the inbox. Still, as sending requests increase, mail clients drive down the reputation of that domain name and later start flagging emails from that domain as spam.
Because this activity cannot be tracked unless the domain owner reads through SMTP requests, authentication requests, and DMARC XML files, domain owners are left clueless about what happened.
One in every three domain names connecting to Skysnag notices more than 100 emails sent from unknown servers in the first 48 hours of connecting.
What happens if no action is taken?
In severe cases of unauthorized usage, mail clients go beyond spam and resort to listing your domain name on a blacklist. A blacklist will cause emails to be blocked from ever reaching most of the mail clients out there.
We built Skysnag to put your domain onto enforcement policies with minimal effort. Most of the tools on the market are reporting tools that cannot enforce DMARC, which highlights that getting to p=reject is the real challenge you will face. Skysnag is the only software that automates DMARC enforcement. Reporting tools have proved useless, which is why most domains are not enforced.