The Skysnag Blog

Ten DMARC myths ready to be debunked 

September 7, 2023  |  6 min read

The internet is a great resource for finding information on a variety of topics; however, it is important to be aware that not all information on the internet is accurate. There are a lot of myths and false information on the internet about DMARC. It can be hard to tell what is true and what is false. This article will debunk some of the DMARC myths.

Misconception #1: DMARC is Easy to Deploy 

We have implemented DMARC in numerous spaces and are aware of the ins and out of this system. So let us tell you, it’s not something you can handle on your own. Many sites will tell you otherwise. 

They will tell you that to start, all you require is to publish a DMARC record. It sounds easy. After all, DMARC is a public specification that everyone can implement at no cost. But the truth is Email security is no joke, and technical tools like DMARC require expertise.

Create a Skysnag account to generate your DMARC record.

DMARC reports are difficult to parse and correlate. You will be surprised to discover that even individual email systems are complex to handle. So, imagine how cumbersome it will be to manage and monitor the communication ecosystem of a full-fledged organization. Not only does it drain the workforce, but it will cost you more if you try to tackle it in-house.

So it’s advised to stay away from DIY DMARC projects as they fail to reach proper DMARC enforcement. This means that even though you think you have successfully applied DMARC, it doesn’t protect you from any spoofing or phishing attacks. This is one of the most extensive DMARC myths.

Misconception #2. An Established Record is all that you need for the protection 

Yes, establishing the DMARC record has supported 5 billion inboxes globally in detecting email attacks. So you might think that by setting a DMARC record, you will be safe from spam as well.

But No. The thing is that just setting up a DMARC won’t help. It’s only the first step to mitigating the risk of being attacked. Even though setting up a DMARC record does help senders and receivers detect spoofing emails, it cannot enforce anything on its own. It requires both reporting and policy enforcement to be fully effective. 

Unless the record has proper policies in place, it will be useless. So organizations need to not only establish records but also configure them. For example, they need to decide whether to quarantine or reject unsolicited mail. Establishing records is excellent, but you need to enforce it further to protect your email-sending environment ultimately.

Unfortunately, many businesses don’t know how to do this, and many organizations still have the DMARC policy of p=none setup. This is why only 34% of renowned organizations in the USA are entirely protected, as they have a policy of p=reject in place. 

Misconception #3: SPF and DKIM are Enough

As most email owners are non-tech people, they don’t know how vital DMARC is. They think SPF and DKIM are enough for protection. But the truth be told, DMARC (Domain-based Message Authentication, Reporting, and Conformance) tops all of it. 

It is a modern email authentication system that complements SPF and DKIM, and together they strengthen your email security. Nowadays, most email servers, such as Office 365 and Google Workspace, use DMARC and other authentication systems. 

 Most email gateways use DMARC because SPF and DKIM don’t provide enough information when making delivery decisions. They are not enough on their own and require DMARC and other engagement details to function correctly.

Misconception #4: Office 365 already supports DMARC 

Just because you use Office 365 and it supports DMARC doesn’t free you from your security responsibility. Remember, the DMARC authentication provided by these email servers checks inbound emails for authentication but does not provide DMARC enforcement for your domain. Therefore, they won’t offer you visibility like your own DMARC enforcement, nor can they authenticate other on-prem services you use to send emails.

The critical difference is that Office 365 supports DMARC but doesn’t implement it. So it would be best if you implemented DMARC by hiring an expert. 

Misconception #5: DMARC will hinder my mail setup and email marketing

DMARC only strengthens your security. It doesn’t lead to any hindrance because it is fully compatible with all email gateways. Be it on-prem or cloud-based, DMARC doesn’t stop any mail flow. 

Moreover, DMARC makes your marketing efforts more efficient. It enhances your marketing emails as they are correctly authenticated. The only challenge is that you need to implement it properly by first identifying all marketing mail and then authenticating them so that they are not quarantined or rejected. You can do this by allowing an expert to set up marketing email authentification with just one click. 

Misconception #6: DMARC is a Tedious Security Project

First of all, DMARC is not just a security project. It is a cross-functional IT, Compliance, Marketing, and Security project. So it’s not just for stopping malicious emails but also helps you enhance your email delivery and raise brand impressions.

Moreover, DMARC is not tedious if you stop trying to enforce it on your own. Yes, it is technical, and the reports it produces are not readable, but the fact is that you don’t need to read them. So instead of manually parsing it, it is best to leave it in the hands of experts.

If you leave DMARC projects just because they are time-consuming and complex, you cost your organization a lot. With the right tools and help, you can configure DMARC and make the most out of it.

Misconception #7: DMARC doesn’t work for too Many Domains, 

This is one of the most prevalent DMARC myths that hinder its deployment. Many people think that having domains means a DMARC setup is not possible or it would be too complex. On the contrary, DMARC, if appropriately implemented, can secure thousands of domains without a hiccup.  

Just because an organization has thousands of domains across the globe doesn’t mean it should be deterred from employing DMARC. In fact, DMARC is even more essential for such businesses as their chances of falling prey are higher due to many unprotected domains. This means they are a soft target and need DMARC enforcement immediately. 

 So simply ignoring DMARC just because you have multiple domains isn’t the answer. Many businesses that own extensive domain portfolios and communicate with countless vendors maintain secure visibility and policy enforcement via DMARC. Don’t let this myth undermine DMARC’s efforts to thwart attacks. It works and works quite well with many domains. Period!

Misconception #8: DMARC is Costly 

You might think DMARC services cost a lot. But not implementing it costs even more. Yes, to save a few dollars, you would be putting your organization’s security in jeopardy. Moreover, the price of DMARC packages varies from service to service. You can find tools that provide reasonable rates along with excellent service.

Moreover, the cost of DMARC also differs depending upon the size of your organization. You can find solutions that fit any sized business, non-profit agency, or governmental organization according to their budget. The price won’t matter once you begin reaping the efficiencies and protection that DMARC brings. The benefits will outweigh the cost!

Misconception #9: DMARC Always Works

If you think DMARC can prevent all attacks, then you are wrong. Yes, it is a very sophisticated tool that provides a strong layer for authentication technologies already in use, such as SPF and DKIM. However, DMARC can only offer you secure email gateways if configured correctly.

DMARC is ideal for outbound phishing protection only if it is implemented by experts. . Moreover, DMARC is just the beginning. You must continually enforce it and monitor your email ecosystem for 100% security.

Lastly, even when configured properly, it won’t be able to prevent attacks like spear-phishing as these leverage Display Name Imposters for which DMARC has no defense. So even though DMARC is very beneficial, it’s a myth that it is successful at all times.

Misconception #10: Don’t send emails? No need for DMARC

If you think you are safe from scammers just because you don’t use your domain to send emails, you are wrong. Even non-sending domains get targeted by cybercriminals, especially if they leverage well-known brands or individuals.  

If you don’t send emails from your domain, you still need to protect it so that others don’t use it to lure users. Phishing and impersonation have become so common, and email receivers can’t even identify when a malicious email is sent via a domain not configured to send emails. If your users think it’s you, it can put your reputation at risk.


We have not listed down these misconceptions to scare you away. Instead, we want to clear the air so that you know what you are getting and make the most out of it. Once you have debunked all the DMARC myths, you will be able to understand and apply them better.

So don’t give up on DMARC just because some less knowledgeable people spread DMARC myths. It is a handy tool that can help protect your organization in these testing times when security risks are on the rise. So give it a try with Skysnag and experience its protection yourself.

Check your domain’s DMARC security compliance

Enforce DMARC, SPF and DKIM in days - not months

Skysnag helps busy engineers enforce DMARC, responds to any misconfigurations for SPF or DKIM which increases email deliverability, and eliminates email spoofing and identity impersonation.