top of page
  • OpaCyber

Why your outbound email security sucks and what you can do about it - part 4

It’s here! Part 4 of our scintillating series on email security - Dmarc! 🤦‍♂️

We hear your squeals of joy as if the final episode of a Netflix series has dropped 🤣

We like to think of Dmarc as Robocop, but with less violence 🤭

So you’ve sorted out your SPF and Dkim which tell the recipient system who/what is allowed to send email on your behalf BUT what if someone/something you haven’t approved is sending?

This is where Dmarc comes in. Dmarc is one DNS record with three policy options that tell the recipient system what to do if an email is not in compliance with your settings. The three policies are

  • None

  • Quarantine

  • Reject

  • None is obviously fairly useless as it is essentially the same as not having a record at all, but it is often used (and we use it) when first created while in Discovery Mode (capturing all the legitimate senders of your email). The major problem with this option is FAR TOO MANY organisations leave it as None forever. So, fairly useless then

  • Quarantine should be set once there is confidence that “most” legitimate senders have been identified. This tells the recipient system that in the event of non-compliance, send the email to Quarantine in the recipient’s mailbox. The risk here is Fomo. Even if the email is in Quarantine, “some people” just won’t be able to resist opening/clicking with the resultant security problems

  • Reject is the ultimate goal. Non-compliant emails will be rejected and never reach an inbox. Robocop is victorious. Huzzah!

In order to set up SPF, Dkim & Dmarc it involves:

  • Discovery

  • Remediation

  • Monitoring

  • Rinse & Repeat until Dmarc = Reject is achieved

The one item above that is often, unfortunately, overlooked is Monitoring. If no-one is monitoring how your emails are being received and what, if any, new senders are being detected you are flying blind. Try to avoid the mountain just ahead of you

Or, there are organisations that will correctly set up all of the above for you including the monitoring. We wonder if you know one? 🤣

There’s one final part to this series (Yay! We hear you say 🤦‍♂️)

Coming soon, like a bonus behind-the-scenes episode on AppleTV+ (other streaming services are available), we look at some examples of what it looks like when THINGS GO WRONG 😱

Previous post, Dkim

Next post, when things go wrong:


bottom of page