I've been giving this talk in a few circles for a year now. I'd like to share this content and art to help others build their case to implement DMARC, SPF, DKIM, BIMI. Email authentication for the win!
2. About the Speaker
• Email’s been my arch nemesis for 14 years
• Implemented DMARC for 128 domains in 7 months
• I’ve been saying, “Email is the worst thing ever” for 10 years
3. Agenda
• Our Customers’ inboxes are under attack. They need a hero.
• How do YOU become a DMARC hero?
• Getting your first victories.
• What will stand in your way?
• Know your weaknesses.
6. What is DMARC?
• Email authentication via DNS
• What can it do?
  • Email blocking: DMARC policies can stop bad emails pretending to be from you.
  • Provides insight into BEC: you can see IPs that are trying to send emails with your brand.
  • Establishes Brand Assurance: your customers can be assured that they’re safe emailing with you.
To start, read this:
• https://seanthegeek.net/459/demystifying-dmarc/
[Chart: DMARC posture, Fortune 500 health care sector, Nov. 2017. No DMARC: 23; Monitor: 13; Quarantine: 1; Reject: 1.]
[Chart: DMARC posture, technology industry, 2019. No DMARC: 51%; None: 34.9%; Reject & Quarantine: 10.5%; Invalid DMARC: 3.6%.]
Sources: @Valimail, @AgariInc
7. So why isn’t DMARC everywhere?
• Email is a utility.
• DMARC’s not a sexy topic.
• And it’s not the squeakiest wheel.
But it should be.
• You gain control of your email brand.
• It’s FREE
• It’s easy to start and maintain.
• Marketing teams will see increases in delivery.
8. GEAR UP
• You need a place to receive DMARC reports: then the telemetry comes to you!
• Put up the _DMARC entry in “Monitor” mode (p=none).
• Once you know who’s trying to send email as your brand, form a plan.
• Save the metrics for POV later!
9. Where can you analyze your DMARC Reports?
FREE!
Hosted Services
• Postmark; dmarcian; DMARC Analyzer…
DIY
• Parsedmarc by Sean Whalen: https://domainaware.github.io/parsedmarc/
BUY A SIDEKICK!
• You can staff-augment to quickly onboard knowledge and assist with monitoring post-implementation.
• Folks like Agari, dmarcian, Valimail, and Proofpoint (to name a few) have sidekicks standing by!
Visit https://dmarc.org/resources/products-and-services/ for more!
10. Superhero Training Montage
Your first victories!
• Find your defensively registered & non-sending domains and set them to reject!
• Find your most spoofed domain and show how the Reject posture was successful.
• Work in the shadows for now.
11. You may be super close to being done!
• No one else sends emails on your behalf?
• Only use one email hosting provider?
• Set up SPF/DKIM and monitor for a month.
• Then you’re ready to p=reject!
• You’re DONE! You may then safely ignore the rest of this presentation. Or read on just for fun!
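As an added example (not from the talk), a small Python parser for the _dmarc TXT record that grades where a domain sits on the path slides 8, 10 and 11 describe: monitor mode with a rua= address so reports reach you, then quarantine, then reject, with non-sending domains expected at reject. The domains and mailbox addresses in it are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed records only; example.com / x.test are placeholders, not real deployments.
def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag -> value dict (RFC 7489 syntax)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:                      # tolerate a trailing ';'
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("v=DMARC1 and p= are required")
    return tags

def report_addresses(tags, tag="rua"):
    """Return the mailto: addresses in rua= (aggregate) or ruf= (failure) reports,
    dropping any '!size' limit suffix."""
    uris = [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]
    return [urlparse(u.split("!", 1)[0]).path for u in uris
            if u.lower().startswith("mailto:")]

def assess(txt, sends_mail=True):
    """Return (stage, advice): where the record sits on the none -> quarantine -> reject path."""
    tags = parse_dmarc(txt)
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()        # subdomain policy defaults to p=
    pct = int(tags.get("pct", "100"))     # share of failing mail the policy applies to
    rua = report_addresses(tags)
    if not rua:
        return ("blind", "no rua= address: aggregate reports are not reaching you")
    if not sends_mail and (p != "reject" or sp != "reject"):
        return ("weak", "non-sending domain: publish p=reject; sp=reject")
    if p == "none":
        return ("monitor", f"reports go to {', '.join(rua)}; enumerate senders, then form a plan")
    if p == "quarantine" or pct < 100:
        return ("partial", f"p={p} pct={pct}: some spoofed mail still lands; finish the rollout")
    return ("reject", "spoofed mail is refused; save the metrics for proof of value")
```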
13. The easy part’s over…
• Carefully review telemetry from your sending domains.
• Enumerate your EaaS vendors – [Engage your Third-party cyber risk Hero back at the “Hall of Justice” if you’ve got one]
• Add their SPF & DKIM info to your DNS and grow stronger
• Use your CNAME Kung–FU for lots of defensively registered domains
14. Who are the villains that will stop at nothing to destroy your initiative? …the battle’s just begun.
15. CONFUZOR
• Multiple DNS TXT records
• More than 10 SPF lookups
• DKIM record typos
Two SPF records on one name (receivers treat this as a permerror, so neither applies):
a.com. IN TXT "v=spf1 -all"
a.com. IN TXT "v=spf1 include:spf.stuff.com ~all"
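To catch Confuzor before a receiver does, an added Python check (not from the talk) for the two SPF problems above: duplicate v=spf1 TXT records and more than 10 lookup-causing terms. It runs against a constructed in-memory TXT table rather than live DNS; the names are hypothetical, and the table includes an include: chain that overshoots the limit.

```python
import re
# Constructed TXT answers (hypothetical names, no live DNS): a.com has the slide's two records, b.com chains past 10 lookups.
CONSTRUCTED_TXT = {
    "a.com": ["v=spf1 -all", "v=spf1 include:spf.stuff.com ~all"],
    "b.com": ["v=spf1 include:spf.stuff.com include:_spf.mailer.example ~all"],
    "spf.stuff.com": ["v=spf1 ip4:192.0.2.0/24 a mx include:deep.stuff.com -all"],
    "deep.stuff.com": ["v=spf1 a:r1.deep.stuff.com a:r2.deep.stuff.com "
                       "a:r3.deep.stuff.com a:r4.deep.stuff.com -all"],
    "_spf.mailer.example": ["v=spf1 exists:%{i}.chk.mailer.example mx ~all"],
}
MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4 cap on lookup-causing terms per evaluation
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)", re.I)  # "all"/"ip4" do not match

def spf_records(name, txt=CONSTRUCTED_TXT):
    """Every TXT string at `name` that carries the v=spf1 version tag."""
    return [r for r in txt.get(name, []) if r.lower().split(" ", 1)[0] == "v=spf1"]

def count_lookups(name, txt=CONSTRUCTED_TXT, seen=None):
    """Count lookup-causing terms reachable from `name`, following include: and redirect=."""
    seen = set() if seen is None else seen
    if name in seen:                      # an include loop would otherwise never terminate
        return 0
    seen.add(name)
    recs = spf_records(name, txt)
    if len(recs) != 1:                    # zero or duplicate records: nothing sensible to count
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        m = LOOKUP_TERM.match(term)
        if not m:
            continue
        total += 1
        kind = m.group(1).lower()
        if kind in ("include", "redirect"):
            target = term.split(":" if kind == "include" else "=", 1)[1]
            total += count_lookups(target, txt, seen)
    return total

def check_spf(name, txt=CONSTRUCTED_TXT):
    """Problems a receiver would treat as permerror for `name` (empty list means OK)."""
    problems = []
    recs = spf_records(name, txt)
    if len(recs) > 1:
        problems.append(f"{name}: {len(recs)} v=spf1 TXT records; receivers return permerror")
    elif not recs:
        problems.append(f"{name}: no v=spf1 record")
    lookups = count_lookups(name, txt)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{name}: {lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}")
    return problems
```

The DKIM typo villain is not covered here: the public key lives in a separate selector._domainkey TXT record and needs its own check.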
17. NICKEL & DIME
• EaaS vendors who issue SOWs or charge extra to support DMARC for your domains.
18. SABOTAGE
• Bad code that will cause your DMARC evaluations to fail.
• Usually DKIM related
• DMARC telemetry system failures
19. YOUR OWN ORGANIZATION
• Bad email practices from within.
20. Know Your Weaknesses
Where will DMARC not help?
• Misspelled domains
• Compromised partner email accounts
• LISTSERV & other assorted email hops
Use your powers
What can help you save the world?
• Centralize your mail flow
• Leverage subdomains or…
• …use vanity domains
21. A Hero’s Work is Never Done
• Take an iterative approach. Move domains to reject as soon as you can; show the benefits when malicious use is blocked or drops to zero for that domain.
• Headlines in the News: Tell everyone you’re protecting your members directly, not just mitigating business risks.
• Constant Vigilance: Get DMARC into your standards, policies, and business use cases. Get your marketing and corp comm teams familiar with DMARC, why it’s important and how it benefits their delivery rates.
22. What’s that in the sky?! A bird? A plane? It’s BIMI!
• After you get to p=reject.
• Your logo will appear next to your emails in your customers’ inboxes.
• In beta
• Requires rights to use a logo and (after go-live) a cert to prove that you own the logo.
• https://authindicators.github.io/rfc-brand-indicators-for-message-identification/
• Microsoft is doing their own thing: https://business.microsoft.com/
Image Source: Yahoo! Mail
23. Our Members deserve trustworthy communications.
Start with the easy wins; iterate; don’t let up.
Laughing about fictitious comic book villains will help you have fun implementing DMARC.