YOU THINK DMARC IS EASY? THINK AGAIN!

Martijn Groeneweg and Nick Hristov of dmarcian, Inc. presented the lessons they learned from introducing DMARC at PostNL, something that was not as easy as many think. In recent years, the Dutch postal service PostNL made it into the TV news because of the large numbers of spam and phishing mails sent in its name. dmarcian was hired to help the company implement DMARC to prevent this from happening. While this is a technical task, it was by no means just a technical project: the technical aspects of implementing DMARC were just 30% of the project; the other 70% was process.

Groeneweg and Hristov distinguished three project phases: Assessment, Implementation, and Management. In the Assessment phase, they did a SWOT analysis (e.g. S: free open standard; W: not enforceable; O: ecosystem of large companies; T: bad DNS management).

In the Implementation phase, they had to distinguish between active domains (50) and a whopping number of inactive ones (2846). PostNL had to be convinced that the parked/inactive domains also had to be made DMARC-capable in order to avoid abuse by third parties. There had been massive abuse, for example, of the domain post.nl, which belonged to PostNL but was not actively used by them. PostNL had around 30 suppliers sending email on their behalf (e.g. Salesforce, Microsoft Office, SAP). Not all of these were DMARC compliant, and PostNL wasn’t even aware that some of the suppliers could send email on their behalf.
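As an added illustration of the active-versus-parked distinction above (example code, not part of the talk or of dmarcian's tooling), the script below parses DMARC TXT records and flags parked domains that have no record or still sit below full reject. The domain names and records are constructed samples, not PostNL's.

```python
# Constructed sample _dmarc.<domain> TXT records (None = no record published).
SAMPLE_RECORDS = {
    "example-active.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example-active.com",
    "example-newsletter.com": "v=DMARC1; p=quarantine; pct=50",
    "example-parked-1.com": "v=DMARC1; p=none; rua=mailto:dmarc@example-active.com",
    "example-parked-2.com": None,
    "example-parked-3.com": "v=DMARC1; p=reject",
}
# Constructed inventory: only these domains legitimately send mail.
ACTIVE_DOMAINS = {"example-active.com", "example-newsletter.com"}


def parse_dmarc(record):
    """Split a DMARC record into tag/value pairs; None if it is not a DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_domain(domain, record, active):
    """Return (status, reason) for one domain given its DMARC record."""
    tags = parse_dmarc(record)
    if tags is None:
        return ("missing", "no DMARC record; mail claiming this domain is not checked")
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    enforced = policy == "reject" and pct == 100
    if active:
        if enforced:
            return ("enforced", "active domain at full reject")
        return ("monitoring", f"active domain at p={policy} pct={pct}; tighten once all senders comply")
    # A parked domain sends no legitimate mail, so anything short of full
    # reject leaves it open to abuse; p=none only reports what it cannot stop.
    if enforced:
        return ("enforced", "parked domain at full reject")
    return ("exposed", f"parked domain at p={policy} pct={pct}; should be p=reject")


def assess_all(records, active_domains):
    """Assess every domain in the inventory; parked = not in active_domains."""
    return {d: assess_domain(d, r, d in active_domains) for d, r in records.items()}
```

Running `assess_all(SAMPLE_RECORDS, ACTIVE_DOMAINS)` lists each domain with its status, so the parked domains that still need a record or an enforcing policy stand out.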

Once DMARC was successfully activated, 99.8% of threats/unknown emails sent through PostNL domains were blocked.

Groeneweg and Hristov recommend explaining the importance of DMARC to brands. Many stakeholders, especially in big companies, have to be convinced to implement DMARC. Those helping them should also not underestimate what is involved. While the actual realization is not so difficult, i.e. “only” changing lots of DNS entries, it is easy to misjudge how complex the underlying email ecosystem can be. The impact of getting something wrong can be huge, as legitimate email could also be blocked.

A lot of cooperation between ISPs, ESPs, application vendors, brands, and government is required to implement DMARC across the board. PostNL is now trying to push DMARC and actively advocates it, also on an organizational level. There is a Coalition Safe Email in the Netherlands, with a focus on DMARC, of which PostNL is a member. The Dutch government has now made it mandatory for any email application it buys to be DMARC-capable. A key take-away for dmarcian from the PostNL project was how strong an advocate for DMARC a happy customer can be.