Written by Kristy Hartman Mumma – IT/Networking Services Lead & CISO
As an IT professional, small business owner, and member of Central Maryland Chamber, and a Howard County Chamber board member, I have the good fortune of speaking (and working) with a variety of professionals with a broad range of IT and cybersecurity needs. As a result, I’m sometimes asked to participate in planned presentations, while other times I find myself with an unscheduled opportunity to share some of my insights and expertise with a group of smart, curious, and impressive individuals. This post just so happens to have been inspired by the latter!
At a recent Central Maryland Chamber Business Connections group meeting, I had the opportunity to share a bit of off-the-cuff cybersecurity knowledge. I spoke about a security protocol that I’d recently been educating our Stewart Tech IT clients about – DMARC, or Domain-based Message Authentication, Reporting, and Conformance. I wasn’t too surprised to learn that only one out of the 15 members on that call had heard of DMARC, nor that no one really understood why exactly it has become a requirement for email security.
What is DMARC and how does it work?
DMARC is a protocol that authenticates valid email senders for your domain, to increase email security and to reduce spoofing and phishing attempts. With the sharp increases in spoofing and phishing attempts, DMARC can be another tool in your cybersecurity toolkit to protect your business email and reputation. DMARC is required by all US government agencies and contractors as part of their cybersecurity defenses. It became a required policy in February 2024 when industry email titans such as Google and Yahoo! started forcing DMARC for bulk senders. DMARC is also considered part of expected best practices for the newest PCI standards.
There are three main components that DMARC utilizes as part of its security protocol:
- Verifying email senders: DMARC uses the Domain Name System (DNS), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) protocols to verify email senders.
- Publishing policies: DMARC publishes information in DNS on how to handle emails from a domain, such as quarantining or rejecting them.
- Reporting to senders: DMARC allows receivers to report back to senders.
How to test your domain name for DMARC records.
While it’s important to note that businesses and organizations that send a lot of daily emails must be DMARC knowledgeable, all business senders and recipients should also strive for DMARC compliance to ensure that they are not missing out on valuable correspondence and getting the additional spoofing and phishing protections. Here are some quick and easy steps you can take to begin your journey to DMARC compliance.
You’ll want to start by testing your personalized domain. The easiest way to do this is to go to an industry recognized testing tool like MX Toolbox. Enter your personalized domain in the DMARC Lookup field, and hit enter.
If your results show that a DMARC record is published, you are set up for DMARC properly:
If your domain is NOT set up fully for DMARC, you may get a result like this:
If your domain is NOT set up fully for DMARC then you’ll want to reach out to your trusted IT provider to answer questions and see what steps are needed. Even though the DMARC process may seem very technical for non-IT professionals, IT providers should be able to address this fairly easily.
When to talk to your IT professional.
It’s important to have an open, respectful, and honest conversation with your IT provider whenever you have questions or concerns about how or if your security needs are being met. If you do not yet have DMARC records or aren’t quite sure where to start we suggest talking with your trusted IT advisor, website host, or email provider. They should be able to help you proceed.
While current DMARC mandates target mostly government agencies at this time, every organization and their stakeholders, clients, and contacts benefit from the standards. DMARC utilization validates senders to reduce spoofing, impersonation, and phishing on inbound emails. It also adds credibility and trust to your outbound messages, improving deliverability.
If you’re currently looking for a trusted IT partner that you can consult about DMARC and other business IT and cybersecurity needs, Stewart Technologies is here to help. Reach out to schedule an exploratory call today.