Implementing DMARC with Ash from Dmarcian
Email’s Not Dead: Season 3, Episode 5
About this episode:
If you remember in Season 2, we had our friend Ash Morin from Dmarcian on the show to talk about spoofing, phishing, and his love of DMARC. Well, now he's back to cover what it takes to implement DMARC. Learn from the best in the business on what it takes to implement DMARC into your email strategy – featuring Kate Nowrouzi, VP of Deliverability at Mailgun by Sinch.
Meet your presenters
- Eric Trinidad, Technical Account Manager at Mailgun by Sinch
- Jonathan Torres, Technical Account Manager at Mailgun by Sinch
- Ash Morin, Sr. Deployment Manager at DMARCIAN
- Kate Nowrouzi, VP of Deliverability at Mailgun by Sinch
Email’s Not Dead – S3, E5: Implementing DMARC with Ash from Dmarcian
Eric Trinidad: My name is Eric and this is Jonathan.
Jonathan Torres: Hello.
Eric Trinidad: Hello, my friend. We're here yet again to talk to you about all things email this week. DMARC – what is it? We talked a little bit about it last year. We come back again to make it a lot less scary for you. We have a couple of special guests with us today. Our own resident VP of deliverability, Kate Nowrouzi. How are you doing today, Kate?
Kate Nowrouzi: Hi. Hello. I'm doing fine. Thank you so much for having me.
Eric Trinidad: Thank you so much for joining us again. And again, our old friend from Dmarcian. Not old friend like your age, but we go way back now, as someone who is now our director of deployment services at Dmarcian. Hello, sir, how are you?
Ash Morin: I'm doing great. A pleasure to be here. Thank you very much for letting me come back and chat about this.
Eric Trinidad: Yeah, for sure. For sure. The pleasure is all on this side of the podcast. So as we spoke last year, we made it a little bit scary for everybody, talking about phishing, how people can get taken advantage of, the loss of trust and relationships lost because of that trust. Now we want to come back and talk about what it takes to actually deploy DMARC, make it a lot less scary. We're going to take off that mask, you know, really start doing some good things with DMARC once it's implemented. Yeah. So you work a lot with the deployment of DMARC services. You know, a lot of things that we get working on day to day is that, you know, people are afraid to get it going because it seems like it's a daunting task or it's a lot of work. How much of that do you hear on the daily, on your end, when you speak with people about getting DMARC started?
Ash Morin: It's an incredibly common conversation. Ultimately, like anything else, whenever you have an organization that is about to make a decision to implement any new form of technology, there has to be some form of risk assessment that happens, and risk, when it comes to anything that touches your email flow, well, it scares people. It's kind of funny because, for a little while, email was not really seen, at least for a time. It had this reputation of "ahh, it's just email," when in the end now organizations live and, well, die really by being able to deliver an email stream. And because DMARC can, well, put a stop on being able to deliver legitimate mail from an organization unless you understand what you're doing, the risk that it poses, absolutely, it gives a break to anybody who either decides or is told that they need it.
Jonathan Torres: Yeah, and I can definitely see things like that. I mean, from the perspective that I've seen this before. It's just that, especially when they've tried it out and they haven't got the right guidance, or tried to, you know, didn't understand it fully, and then it broke something, even more hesitation, you know, takes place, because they see the immediate impact, right? As soon as you see that email is not flowing correctly, especially when you're an email-heavy business. That's, I think, the biggest fear that people have: that happening again. And I think that's why it's so good to prepare and to start thinking about the things that you need to do to get things started with DMARC. Because, you know, it's one of those things where it's super beneficial and it's going to become more beneficial, because there are more things coming out that are going to reflect that DMARC policy and point to that DMARC policy, look up that DMARC policy. And I think people need to start doing that and get in on the ground floor of let's start looking, let's, you know, be patient, let's do the right things. And that way we get started on the right foot whenever it does, you know, fully go into the implementation.
Ash Morin: The conversation used to be why? Why do I need DMARC? It's a lot less about that. Now it's about what do I need now to deploy DMARC more successfully? The why is fairly understood now. Of course, there are still some gaps that we need to fill, but ultimately DMARC is the only technology that does what it does. But there are also mandates now coming down from the government itself, and that requires DMARC. There's even IT security insurance now that will look at DMARC effectively as a means to, well, do you have it deployed? If so, then it will score better. That could even lead to lower premiums. You know, while this should not necessarily be your primary driver to deploy DMARC, it's a carrot on the stick. So it really helps move that conversation out of the why and more about that "OK, what do we need?"
Kate Nowrouzi: And especially during a pandemic, and even now post-pandemic, although we are somehow still observing a pandemic, the increase in email volume and traffic has been significant across all brands, and it is not necessarily only if you are a financial organization, or some people think, OK, maybe I just secure my transactional emails. That is not the case anymore. I believe that people have realized if there is a security breach, people lose trust in the brand altogether. So whether it was marketing traffic or transactional or whatever it was, they don't want that to happen. So right now, actually before the holiday mailing kicks in, if you haven't done a DMARC implementation, now is the time. Don't wait until after the holiday, because we are going to see record high email transactions during the next few weeks, and I highly encourage, if you haven't done DMARC, do it now. If your policy is reject, that is good. If it is anything other than reject, even quarantine, maybe you should move to enforce more restrictive policies now, before the holiday mailing kicks in.
Jonathan Torres: Yeah, definitely. And I mean, we kind of want to get into a little bit of that, right? Like, what does it take to get that preparation work done? What does it take to really get to that deployment state? And I know that's one of the things, in preparation for this call, we started talking to you, Ash, about what that part of it specifically takes. Can you speak a little bit on that, so everybody listening can feel a little more at ease with what they would need to do to start getting ready?
Ash Morin: Oh boy, can I? So, yeah, my role at Dmarcian started as a project manager, helping organizations to actually achieve their DMARC goal. And now we continue doing that. We are constantly evolving in helping customers find the best way for them to deploy it. And ultimately, it does require a fair bit of preparation. And what it's going to look like from one organization to another will vary a little bit, but ultimately the main beats are all the same, from one organization that could be very small, with one email server and a few employees, all the way to something much more complex. But ultimately, it's really important when deploying DMARC that you look at ensuring that you have some form of sponsorship, if you wish. There are going to be various reasons why an organization will want to deploy DMARC. There are many good reasons, but who comes up with the idea of deploying DMARC? For example, if it comes out of maybe cybersecurity, and then they have to sell "hey, we need this." Occasionally it may be coming down from leadership, and not necessarily from IT leadership, but from other areas of the business where they see that their marketing streams are impacted. So where this is born out of will vary. But ultimately there should be a buy-in from leadership in the organization, primarily because you want this to be understood and promoted across as wide a spectrum of an organization's leadership as possible, so that you don't necessarily encounter bottlenecks, because there may be areas of the business that won't understand why you're doing that and why it's beneficial. And then after that, it really falls more down on the project team within the organization to be prepared as to what you need to do as far as the specific tasks in there. There are many, but before you can make any sort of decision, you need data, and that's where DMARC is great. You need to know which domains you're deploying DMARC on. And there's really only one answer.
There should be all of them. There should not just be one, shouldn't be two. The way email works, everybody can spoof whatever domain you have, even those that are defensively registered, even those that are some sort of typosquatting, or even those that you used to use and you don't want to use or not use for email. It's not because you don't use them for email that a spammer or spoofer or a bad actor won't use them. That's what's very interesting in the case of DMARC and how email works: if you have a domain that, just through its name, is very representative of your brand, is recognizable, it represents your identity as a company. Spoofers are going to want it. So all domains: look at them, register them, catalog them, deploy a DMARC policy of p=none, gather data for about six weeks and then turn the light on. See what and who sends mail on behalf of your domain. Are they abuse? Are they not? And then comes the fun part, and that is going to be more of the implementation. But as far as preparing, make sure you've got your domains in one place. Make sure they're all reporting. Make sure you have enough data. You won't be able to make any decision without having that data. That's the first place you start.
Eric Trinidad: Have you had it where, you know, people have already started this process and then come to you? Or is it best to come to someone with your expertise first before going along this path?
Ash Morin: That's an excellent question. Uh, personally, I think we have the expertise, we can help expedite, of course, a company's journey to getting to p=reject. But it's also very important that an organization, or especially the individuals responsible for this, do not defer the responsibility of that knowledge of deploying DMARC entirely onto a third party. I want to be helpful, Dmarcian wants to be helpful, of course, but ultimately they need to be able to make decisions on their own, too. And this is where Dmarcian really focuses our methods of helping customers, as we educate. We have, of course, a helpful toolset, especially for reading XML reports. You know, you don't want to read ten thousand lines of a single XML report, where you can even be getting 10,000 reports, potentially daily. Right? You don't want to do that. So yeah, we have something that helps you paint a good picture and turn XML reporting effectively into something that's for human reading. But we also want to educate organizations so that they are ready, and if they need to make decisions on their own, without necessarily the help of an individual like myself, then at least they have the tooling to have the data, they know how to be able to make those decisions. So my point is, try to start the journey by yourself. Don't make any unnecessary decisions that are drastic, like going, OK, I'm going to deploy p=reject and see what happens, you know, Ash told me, learn, learn, learn by doing. No, no, no, no. You know, read first and then deploy p=none. Try to educate and understand the technology that makes up DMARC, at least the part that matters. And then once you get to a bottleneck and you really can't see a path forward, seek expert advice. There's certainly no problem with that, and there's plenty of good advice out there. We've been doing this for years and years, pretty much since the inception of DMARC. So we're in a good place to help.
So there's no problem with that.
Eric Trinidad: Yeah. During this preparation process, what is your kind of time span? If everybody has their ducks in a row, they have their XML spreadsheets, they're able to read everything, everything's good to go today, is it usually a fairly quick process, or could it last for months, just depending on their preparedness?
Ash Morin: Understanding how long it's going to take is really through that preparation phase. We call it the assess phase. We have a model called the AIM model. You can always read more on that on our deployment services, a link on our website, Dmarcian.com, under the solutions. But specifically, it's called scoping. You scope out the complexity of an organization's mail infrastructure so that they understand how much they already recognize versus what they don't. And that's where the bottlenecks are. That's really talking about the implementation piece, scoping out. Being able to scope out how long the project's going to take will vary on many different factors. So unless you have the experience, that's going to be difficult for an organization to be able to go to leadership and say, I'm going to be done in four weeks, realistically, and I'm going to even candidly say anybody who says different, I would be hard pressed to believe them. It's going to be several months. It's going to take several months even for small organizations. And there are many factors that come into that. We can definitely touch a little bit on that when we talk about the implementation of DMARC. But scoping out, yeah, it's going to be very difficult to do specifically. A very quick example: if you are, let's say, a retail company versus higher education. Very different organizations. Yeah. Higher ed will typically have a lot of very independent departments, let's say, especially if it's a big college, big university. They have a fairly popular varsity team, so the athletics department will maybe tend to feel like they have a bit more autonomy than other departments within the organization. That autonomy also will generally mean the department will make unilateral decisions on systems that are going to be used to manage the athletics department that may send mail. If that spoofs your domain, then we need to bring this into compliance.
So now we're talking more about the implementation, but that's a very unique case to higher ed, versus something that would be very different for a retail-based company or even a government agency, et cetera, et cetera, et cetera. So unless you have that perspective, it's very hard for an organization to be able to scope out how long a project is going to be and be able to provide a very specific timeline to their organization or their leadership. This is where also Dmarcian can come and help. Because they need to provide a bit of a timeline. They need to show how long is this going to take? You know, we have other stuff to do. DMARC is not the only thing to do. Right. So with our experience, we can help them plan out what a project would look like.
Jonathan Torres: Yeah. And kind of circling back a little bit. We've already talked about a lot of the different topics, and, you know, we're kind of getting into this implementation piece, and I just want to highlight a point, because I think it's just important to sit on this for a minute. And that is one, the p=none. But the fact that you can start getting in reporting and start getting in good information way before, because, I mean, I've been in support for quite a while and it's just amazing to me how many times there is such a lack of communication between companies. I mean, that's even our own. I'm not going to pretend that we don't have that same problem sometimes. But there's just a lack of coordination at times. I've got to call it out, right?
Eric Trinidad: Yeah.
Jonathan Torres: But I mean, I think that's a lot of times where people have run into problems before. So, you know, you have to have that coordination piece and having something, at least to say, OK, here's where my problem areas are, because somebody is not falling in line. Maybe there's something out there that we did not know about that was doing email that this is now going to impact, and that information is so, so beneficial. And I know sometimes there's a lot of hesitancy to not do anything within DMARC because they're not sure what it's going to do. But that p=none is there for a reason, and that's there to report and to kind of get the ball rolling. And you know, without that, you're not going to get any info, and you also need that info, because there's always that rogue person out there doing something kind of crazy with stuff and not realizing that they need to be informed and to fall in line and make sure that things are shored up on their end as well.
Ash Morin: Absolutely. You put your finger on the pulse there of an incredibly important topic, because without, well, you know, without knowing anything, without having the lights on, you're not going to walk through a, you know, a dark hallway with a bunch of holes in the floor, you know, you need to. But ultimately, what you're also talking about is the fact that DMARC is more than just tech. It's also a process. It's a business decision, and you need to potentially change business-related processes surrounding DMARC to be able to monitor them, because it's important. It really introduces one. Yeah, it turns the lights on. Oh, OK. Or the HR department switches payment processors. The payment processor's main function is not to send mail, but incidentally, with the function that it provides, it sends notifications. It just happens that the HR department set a sending address that is at my domain, which now is part of the scope of the DMARC project, because they're spoofing our domain. You might think, well, that's an internal email. Well, let's say your payment processor, completely randomly, hypothetically, let's say that it's ADP. Some of you have probably heard of it, being a fairly big player in the space. And, well, those notifications are going to be coming from an ADP server, coming into an organization's domain. So that's going to be hitting a domain's MX. That means that authentication checks will happen. So DMARC matters. The only way around that would be to whitelist the sender. Not something, well, from a security perspective, not a good idea. You don't want to whitelist all of your senders. You can't do that even if it's IP whitelist based, because some might be public pools. For example, you have somebody who sent you an email from, let's say, an e-marketing platform. They don't have a dedicated IP; you don't want to whitelist those IPs. Otherwise anybody who uses that platform would be able to send you an email.
And if you don't want them, now you're telling the world, No, come on in. Yeah. Another big conversation. But ultimately, you know, you want to ensure that you understand the flow of those emails, because DMARC will apply more often than you think.
Kate Nowrouzi: Something I wanted to touch on that JT mentioned about the p=none, which is a great idea. Everybody should have started from p=none. But one of the problems that I'm seeing with some of the brands is they forget to go back and change that p=none to reject or quarantine. So when you are starting with DMARC, have timelines, set events, and in the future you need to come back. If it is one week, two weeks, 30 days, you need to have a timeline of when you are going to get to p=reject. So this is something that I wanted to mention, that we do see that in the field. A lot of people say, "Oh yeah, we have DMARC," and then you go in and it's not.
Ash Morin: And this is why we exist. Ultimately, it's because, and this is why our approach at Dmarcian, when you deploy DMARC, it's not a forever project. DMARC itself is not a project; it's deploying DMARC that is. You need structure. Otherwise, exactly to your point, Kate, time and time again an organization goes, oh, apparently we need this, you know, to get at least a record in place. Getting that one record in place is, I mean, at the very least, the easiest thing to do. But yeah, they forget. They look at it for a while, then they go back to the fires they have to put out and then DMARC goes on the back burner. So when they ask for help, this is why we tell them we're going to be doing this project-based approach. We're going to have milestones. We're going to have dates. We're going to set ourselves goals. We will want to hit those goals because, yeah, absolutely, if you don't, you'll never get it done.
Jonathan Torres: When it comes to getting that part of it down, we're advancing the conversation a little bit here, and we want to start talking about, you know, a few of the things that we know DMARC is now the basis for, some of these authentication pieces. And I know, Kate, you had a few of them that you wanted to throw out there. So yeah, I want to give you the floor so we can talk about some of those things.
Kate Nowrouzi: Right? Two of the standards that we are promoting for brands: one of them is BIMI. So BIMI is really one of the good reasons we came up with. We encourage marketers to actually implement DMARC, because without having a DMARC policy, you cannot implement BIMI. So BIMI gives the end user some sort of comfort that the email, for example, from Bank of America, is indeed coming from Bank of America, by displaying the logo in their inbox, and displaying the logo has its own process. It's not that any person can go and publish a logo of Bank of America or Costco or their brands in the inbox. So in order to encourage marketers and consumers with implementing BIMI and making the ecosystem safer, the first step is to make sure you have DMARC. And if you don't have DMARC in place with the right policies, you won't be able to establish BIMI. If you don't establish BIMI, eventually more and more brands are going to go and display their logos in the inbox, then there won't be any logo for you and consumers are not going to trust your brand. The other tech that we are working on is interactive emails, or AMP emails. It is not requiring DMARC now, but we are pushing, or we are moving towards that direction, that in order to have an interactive email, an AMP email, you need to pass, you need to authenticate your mail and you need to have a DMARC policy in place. So if you are using email for your brand, if email is bringing revenue to your organization, there are future implementations of email. There are enhancements and new technology coming to email. One of them is interactive email. You better start sooner rather than later.
Eric Trinidad: Yeah, it's going to take a while to get everything going.
Jonathan Torres: So when we look at some of those things, I think a lot of times we think of this as just protection for us, and this is going to benefit us as a company to implement DMARC. And that is definitely part of the thing. And I don't think people realize how much it's being tracked out there also by the recipient side of things. Because even if you, you know, sign up for Google Postmaster Tools and you look at what they're tracking for authentication, DMARC is already a point they're tracking, and they're keeping track of that over time to see how much of the traffic is actually doing that authentication piece, or whether it's not authenticating correctly. And then, you know, eventually things of that nature are going to start influencing a lot more of the reputation for companies that are sending, because it's just one of the things that are out there already. And I think we tend to think of it as new technology and something new that is coming along. But I think it's just that the adoption rate is finally starting to gain traction, and there are more tools like BIMI and AMP that are going to start utilizing it. So it's going to be a lot more visible to people.
Ash Morin: It's really two things, I think. One, you alluded to it effectively: there are some incentives now for organizations to actually deploy DMARC, be it something like BIMI, and BIMI, of course, is very attractive for organizations. There's power in symbols, and a company's logo is a symbol, especially when it's recognized. So you want to be able to showcase that symbol in a way that's trusted on the part of the receiver. But the other part now is that there's a lot more education when it comes to DMARC that has been put in, and that education is finally more than just about the basics. If you look at most guides for DMARC, it kind of starts and ends when you publish the record. This is what p=none versus p=reject means, but they talk very little about the implementation piece of it. Meaning, how do you manage your vendors? Because in IT, especially an IT group, generally their view of what they maintain starts and ends with what they have access to. So let's say, if you are a Google Workspace shop, then that's generally going to be the Google Workspace corporate mail platform users. Make sure they can send and receive mail. But what about e-marketing they just signed up for on an e-marketing platform? What about the operations group, who now has a third-party application that's hosted on, I don't know, AWS, that uses SES to send mail? IT might not have access to these things. They won't be able to make a change to this thing. Now, a majority of third-party vendors will not send mail in a way that's DMARC compliant, meaning aligned. So there's no amount of DNS changes they can make to suddenly make that compliant. There's a configuration change that needs to occur in a lot of these third-party services and platforms, sometimes done by an administrator that's an employee of the company. But sometimes they're going to be managed services.
They're going to have to actually reach out to a third party and ask them, "Hey, we need you to send mail in a way that's DMARC compliant." And very often the IT team will not even be able to reach out to those third parties because of security reasons. The third party will only have an authorized list of contacts within their company, and it will only speak to those individuals. So that falls into really understanding how do I manage all this? How do I find them? We call that source discovery here at Dmarcian: how do I find the stakeholders of these systems? And then once I do, what do I do with that? And so now, finally, there are more and more organizations such as Dmarcian that provide that help, that provide that guidance. There's more than just, you know, how to publish a record in DNS. Now you need to understand, how am I managing my vendors? And honestly, when it comes to deploying DMARC, that's usually where IT, or the team responsible for deploying DMARC, is confused. OK? I've got the data. What do I do with it now? You know, it just tells me Amazon is being used. How do I find out who uses it? How do I configure it to be DMARC compliant? You need help there too, either in the form of professional services like what I do, or at the very least, much more comprehensive guides that really give a better idea. Hey, DMARC is more than a TXT record.
Eric Trinidad: I think we see that too, right, Jonathan? Like when we're talking with companies and they're trying to set up a domain and they're like, well, I think the marketing team uses that, or, you know, somebody was testing out something before we came on, and I'm not too sure, I think somebody else is using it. So yeah, it definitely is a lot of stories, finding out where everybody is using their thing.
Jonathan Torres: There's a lot of good information out there. And you know, quite honestly, I know for myself, I go to the Dmarcian site all the time. I send customers there all the time, because there's a lot of good information and you can really do a lot to educate yourself. And there are a lot of times where that's not enough. And I know that's exactly why I love having people out there that we can rely on, like Ash, that are going to know exactly what to do with it, even when I don't know. But I do love that there's such a good amount of information, because there are so many little nuances that come into play too. I know when I talk to my customers, one of the biggest misconceptions is DMARC alignment and not getting alignment between the domains. And it's just one of those things, and it's out there. And you know, we don't have enough time on the podcast, I think, to touch every single one of those things that would come into play. But that's, I think, what people just need to be aware of, that there are tools and there's a lot of help out there to do something like this. So we want to make sure that people are just not afraid. Like, don't be afraid to do it, because fear can be a downfall, and we don't want that to happen. You know, just educate yourself. Seek out answers and know that there are people out there that can help in those situations.
Kate Nowrouzi: I can't agree more with what Jonathan just mentioned. There are vendors out there that can help you with your journey. I would not recommend to any organization to start doing this in-house, because of all of the challenges that they may come across, and then they will be discouraged moving forward. And with all of the vendors that, at least, my enterprise customers support, Dmarcian is one of the ones that is super easy to work with. The customer support is fantastic. They get answers if there is something not on the roadmap. I have seen Dmarcians implement and reply to the requests of their customers super quickly. So I highly encourage you to use a vendor who has seen all the different negatives or challenges before the deployment, and they can educate you and the different organizations within your team.
Ash Morin: Absolutely. If I were to add a little thing to that, it's that there are a lot of tools out there, you know, actual tools, you know, to look up a record, to obtain specific data, to process certain things. But sometimes you need to speak to somebody who has experience, who has perspective. Those tools will not give you that. They just won't. So whatever you do, find a service such as Dmarcian, where you have people who are responsive, where you're able to actually talk to a human being who has experience. You can have a conversation back and forth that can be worth its weight in gold.
Kate Nowrouzi: Absolutely.
Eric Trinidad: Absolutely. Absolutely. Well said. Well, I think that's going to wrap this up for today. Ash, thank you so much for joining us. Thank you. If you have any questions or concerns, to all those listening out there, please check out Dmarcian.com for all that information. Kate, thank you again for joining us as well. Check out her blog posts and all the things through Pathwire and Mailgun at Mailgun.com and Pathwire.com.
Jonathan Torres: Kate also has a really good Twitter, I'm just going to throw that out there, so.
Kate Nowrouzi: Oh thank you.
Eric Trinidad: Right on, right on. I'm definitely going to start following. So everybody again, thank you again for hanging out with us. Enjoy yourselves and have a great rest of your day.