DMARC monitoring provides efficient visibility and protection for growing organisations
Executive Summary
Email remains the primary attack vector for phishing, fraud, and impersonation attempts, underlining the importance of robust email authentication and monitoring controls.
Correctly configuring DMARC is an important step towards ensuring a more secure and resilient online presence for any organisation.
Structured DMARC monitoring should be a core security control in your organisation to improve visibility of domain usage and protect against impersonation.
Our Active Cyber Defence & Deterrence (ACD+) services provide structured operational measures to prevent, detect, disrupt and deter hostile digital activity.
Contact us now to learn more.
Email Threat Landscape
Email remains a primary channel of communication for many organisations and a principal vector for cyber attacks. Threat actors exploit domains that are not actively monitored or protected by an implemented DMARC policy. Email attacks are designed to exploit trust in the identity of the organisation, leading to reputational damage, financial losses, and a decrease in customer trust.
The case studies below explore email-related risk and targeting in greater depth:
Complex investigation of organised crime group behind authorised push payment fraud
Ultra High Risks and Ultra High Impact: Security for Ultra High Net Worth Individuals
Combined complex investigation and online exposure assessment
Importance of DMARC Monitoring
Applying DMARC rules in your workspace is a crucial step in protecting your organisation’s email domains. Correct DMARC configuration should be thought of as a basic component of good cyber hygiene, helping with domain and delivery reputation.
Most organisations stop at correctly configuring their mail system. However, from a security perspective, the real benefit comes when DMARC monitoring is implemented for threat monitoring and detection.
Continuous monitoring and analysis of reports is critical to deriving maximum value from DMARC. Analysis of monitoring provides visibility into email sources that use the domain of the organisation. This provides insights into malicious infrastructure, misconfigured systems, and illegitimate senders.
Benefits for start-ups and growing organisations
Organisations should implement DMARC monitoring early on in their development where possible. As startups grow, their digital infrastructure tends to expand rapidly and in an ad hoc manner, as the organisation develops its own services and uses those of third parties. It can be difficult to keep track of systems configured to use domain-authorised third-party senders and external mail sources such as alerts, newsletters, and automated mail.
Setting up DMARC monitoring early in the company's life allows the organisation to keep track of this growing range of mail-related services and manage the infrastructure running behind the scenes. This supports a more mature security posture and reduces email-related threats.
DMARC monitoring can be a cost-effective solution
Domain reports contain a large amount of information. Extracting and analysing the data provides a breakdown of source IP addresses, the domain and header, as well as the reporting organisations. Continuous monitoring enables patterns to be distinguished to help differentiate malicious behaviour and detect threats.
Companies often rely on expensive services from third-party providers to implement DMARC monitoring. However, with a little guidance there is no reason why most organisations cannot configure and monitor their own infrastructure. DMARC monitoring uses existing email frameworks such as your organisational workspace, allowing extended protection without additional investment in external platforms.
Configuration can be highly customised to suit business needs, and implementation can be straightforward and need not interrupt business flow. The result is external threat visibility without deploying additional tools or complex systems. In-house monitoring is cost-efficient and allows for an approach more tailored to the organisation’s circumstances and use cases.
Our Retained & Strategic Monitoring services provide ongoing visibility, exposure and surface monitoring including ongoing mapping of organisational and executive exposure across digital ecosystems to identify drift, misconfiguration and emerging risk.
Contact us now to arrange support for strategic alignment and rapid response capability.
Conclusions and recommendations
DMARC reporting delivers risk reduction with minimal investment.
DMARC monitoring builds on existing infrastructure and leverages native functionality from current email providers.
It provides immediate visibility without compromising organisational continuity.
DMARC monitoring should be continuous and automated.
This enables persistent visibility into domain usage and situational awareness of email-based threats.
Continued monitoring enables early detection of impersonation threats.
DMARC implementation should be integrated with broader external attack surface and domain monitoring initiatives.
DMARC provides a valuable source of intelligence when integrated into a wider domain and external attack surface monitoring programme.
Implementing DMARC monitoring early in startups and growing companies helps track the expansion of digital estate as the organisation grows.
Technical Overview
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email security standard established to prevent malicious actors from engaging in domain impersonation.
DMARC works alongside two complementary technologies, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail):
Sender Policy Framework (SPF) is an email authentication protocol that verifies if a sending server is authorised. To achieve this, the domain owner publishes information about authorised IP addresses and host names in a DNS record. The receiving server uses the SPF protocol to evaluate whether the email was received from an authorised host.
DomainKeys Identified Mail (DKIM) is an email authentication protocol that acts as a ‘seal’ to guarantee the integrity of outgoing mail. It applies a public-key cryptographic signature to outgoing emails, which allows receiving servers to verify that the email was sent by the claimed domain and that it was not tampered with during delivery.
DMARC can be distinguished into three main areas: authentication, policy, and reporting:
Authentication - DMARC confirms validity upon receipt of an email using a set of three criteria. For an incoming mail to enter the inbox, either the SPF check or the DKIM check has to pass. The final criterion is ‘alignment’, a compulsory check that must pass. Alignment ensures that the domain in the visible sender address coincides with the domain authenticated by SPF or DKIM.
Policy - The domain owner can configure a DMARC policy that tells receiving servers how to handle mail that fails DMARC. Without a policy in place, all emails will be received into the inbox. A stricter policy is to quarantine the mail, which effectively places anything that fails into the spam folder, treating the incoming mail as disreputable. The highest policy level is reject: if DMARC fails, the incoming mail is completely blocked from entering the mailbox.
Reporting - DMARC can be configured so that reports on your domain are compiled and sent to your inbox as .xml files. These reports can be sent daily or at a higher frequency if necessary. They identify who is sending emails using your domain, the associated IP address, and whether each message passed or failed. This allows you to distinguish between legitimate and malicious senders, identify misconfigured systems, unknown senders, and spoofing attempts.

