10 enterprise challenges of DMARC
Posted: Tue Apr 22, 2025 6:51 am
If DMARC is so important to email security, why doesn't everyone deploy it? While email authentication helps improve email deliverability and prevent phishing attacks, its implementation is complex, which compounds the problem. Enabling DMARC in mid-sized and large enterprises presents additional challenges due to the involvement of more people and multiple domains.
Challenges Enterprises Face When Adopting DMARC
1. Accidental disconnection of critical services
Companies often lack confidence and are unaware of all the legitimate services that use their domains to send emails. Their concerns are genuine, as the consequences of such mistakes can harm a company's growth, marketing efforts, and communications with clients, prospects, the media, and more.
Therefore, we recommend rolling out your DMARC policy incrementally: start with a "None" policy, monitor activity on your email sending domains, then switch to a "Quarantine" policy until you are sure you are ready to move to a "Reject" policy. However, the hard truth is that a state of complete confidence may never come! Although business continuity plans can also provide a roadmap for handling service failures, there are a few things to consider:
2. Comply with government orders
Countries such as the United States, the United Kingdom, and Japan emphasize DMARC settings and even make them a basic requirement for doing business, mainly associated with government agencies. The United States Department of Homeland Security (DHS) 18-01 Binding Operating Directive issued an order requiring all federal agencies to set DMARC policies to deny by October 16, 2018. The United Kingdom has similar standards.
The challenge now is that not all companies have the confidence to move to a reject policy, because some of their legitimate emails would bounce. However, they are not aware that they can opt out of compliance by providing a written explanation to justify their reasons.
3. Marketing teams resist DMARC
Marketing teams are reluctant to adopt email authentication because, when emails are sent in bulk, many of them may not be delivered to the recipient's mailbox at all. In addition, if you use an @yahoo.com, @aol.com, or @gmail.com address for email marketing, the emails will not pass the DMARC verification check and the delivery rate of your domain name will be affected.
The solution is to use your own domain to send marketing emails. This way, DMARC will work at its best. In addition, a fully deployed DMARC allows you to set up Brand Indicators for Message Identification, or BIMI, so that your brand logo appears next to the email in your customer’s inbox. This will increase open and click rates.
4. Employees using shadow IT don’t recognize DMARC
In mid-sized and large enterprises, employees often indulge in shadow IT, which is the use of devices, tools, and services that are not officially approved by the company. They use these devices, tools, and services to increase productivity and drive innovation. By using shadow IT, employees unwittingly provide hackers with opportunities to exploit security vulnerabilities.
By deploying DMARC, you can learn that these tools exist and even identify the employees who use them. This is why employees who use shadow IT are reluctant to comply with DMARC.
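What monitoring under a "None" policy yields in practice, as an added example that is not code from the original post: a parser for DMARC aggregate reports that lists sending IPs whose mail failed both DKIM and SPF, which is how unknown senders such as unapproved tools show up. The report, domain, IP addresses and the 1% threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate (RUA) report, trimmed to the fields used here.
# Real reports come from third parties: parse them with a hardened XML
# parser (for example defusedxml) rather than trusting the input.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>corp.example</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>1200</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>10</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(xml_text):
    """Return (total_messages, {source_ip: messages failing DMARC})."""
    root = ET.fromstring(xml_text)
    total, failed = 0, Counter()
    for row in root.iter("row"):
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")  # aligned DKIM/SPF results
        total += count
        # DMARC fails only when neither DKIM nor SPF passes in alignment.
        if evaluated.findtext("dkim") != "pass" and evaluated.findtext("spf") != "pass":
            failed[row.findtext("source_ip")] += count
    return total, dict(failed)

def next_policy(xml_text, max_fail_ratio=0.01):
    """Suggest the next policy step; max_fail_ratio is an assumed threshold."""
    total, failed = summarize(xml_text)
    published = ET.fromstring(xml_text).findtext("policy_published/p")
    ratio = sum(failed.values()) / total if total else 0.0
    if ratio > max_fail_ratio:
        return published, ratio  # stay put and investigate failing sources
    step = {"none": "quarantine", "quarantine": "reject"}
    return step.get(published, published), ratio

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    print(next_policy(SAMPLE_REPORT))
```

Each IP in the failing set is either a legitimate service that still needs SPF or DKIM set up for your domain, or a sender that should not be using it.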
5. Overcoming the 10 SPF query limit
Every DNS query made while evaluating your SPF record counts toward the limit of 10 SPF DNS queries, which can be reached quickly. Exceeding the query limit results in SPF errors, which DMARC sees as a "failure." This is when you need to fix your SPF record.
6. Invalid SPF Record
Businesses often outsource responsibilities like marketing and PR to agencies and add their domains to the SPF record using the include tag. Everything works fine until the third-party sender (agency) changes their domain without informing you. This will invalidate your SPF record and affect the DMARC verification process.
Long-term, diligent monitoring of changes in your SPF records will prevent you from getting caught up in actions you can't control. It's also recommended to launch and use a CRM tool on your own domains.
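The two SPF problems above (the 10-query limit and an include that stops resolving) can be checked together. The audit below is an added example, not code from the original post: it walks an SPF record and its nested includes, counts the DNS-querying terms, and flags includes whose target publishes no SPF record. ZONE is a constructed stand-in for DNS TXT answers and every domain in it is made up.

```python
# Constructed TXT data keyed by domain; a live check would query DNS instead.
ZONE = {
    "corp.example": "v=spf1 mx a include:_spf.mailer.example "
                    "include:agency.example include:crm.example ~all",
    "_spf.mailer.example": "v=spf1 include:a.mailer.example "
                           "include:b.mailer.example include:c.mailer.example -all",
    "a.mailer.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "b.mailer.example": "v=spf1 a mx -all",
    "c.mailer.example": "v=spf1 exists:%{i}.bl.mailer.example -all",
    "crm.example": "v=spf1 include:relay.crm.example -all",
    "relay.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
    # agency.example is deliberately absent: the agency moved its sending domain.
}
LIMIT = 10
# SPF terms that cost a DNS query during evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def audit_spf(domain, zone=ZONE, path=()):
    """Return (lookups, problems) for the SPF record published at `domain`."""
    path = path + (domain,)
    lookups, problems = 0, []
    for term in zone[domain].split()[1:]:          # skip the "v=spf1" tag
        term = term.lstrip("+-~?")                 # drop the qualifier
        name, _, arg = term.replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()          # "a/24" counts as "a"
        if name not in LOOKUP_TERMS:
            continue
        lookups += 1
        if name in ("include", "redirect"):
            if arg in path:
                problems.append(f"{name}:{arg} loops back on itself")
            elif arg not in zone:
                problems.append(f"{name}:{arg} has no SPF record (permerror)")
            else:
                sub_lookups, sub_problems = audit_spf(arg, zone, path)
                lookups += sub_lookups
                problems += sub_problems
    return lookups, problems

def report(domain, zone=ZONE):
    """Audit `domain` and add a finding when the lookup limit is exceeded."""
    lookups, problems = audit_spf(domain, zone)
    if lookups > LIMIT:
        problems.append(f"{lookups} lookups exceeds the limit of {LIMIT} (permerror)")
    return lookups, problems

if __name__ == "__main__":
    print(report("corp.example"))
```

Run on a schedule against live DNS, a check of this kind catches a third party's record change before receivers start returning SPF errors.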
7. Global compliance challenges
Large businesses also face cross-border challenges. If you work from an office in Europe, you must comply with GDPR, the world's strictest privacy and security law. In addition, some EU private and public organizations are reluctant to conduct overseas data transfers. Under GDPR's privacy regulations, even IP addresses are considered PII.
For companies concerned about this, we send DMARC reports for domains and subdomains that are limited to sending email to specific regions.
8. DMARC Management
Another challenge for enterprises is who will manage the DMARC program and provide a point of contact for those responsible for different services. Contact us to adopt DMARC long-term to combat phishing attacks and improve email deliverability.