
DMARC: How — and why — schools should get it right
Domain fraud is a serious threat, but the set of technology protocols needed to combat it effectively — DMARC — is pretty complex to configure properly. Just spelling out what the acronym stands for is a complex mouthful: domain-based message authentication, reporting, and conformance. No admin reads that and thinks “Great, I can’t wait to dive into it!”
In fact, a 2019 report on global adoption found that 80% of organizations did not have DMARC policies set up. This leaves them exposed to an array of reputational and other risks that can have profound negative effects.
K-12 institutions are no exception to the need for robust DMARC implementations, and they have unique needs and exposures. Fortunately, with the right solution, it’s possible to automate and dramatically simplify the process of establishing, monitoring, and managing DMARC. This means that even organizations with limited IT staff and resources can easily meet new DMARC requirements.
Evolving requirements
Google and Yahoo are updating policies to include a mandate for email users to implement DMARC on their email domains.
To understand why, we have to look at the history of cyberthreats. For a long time, hackers and criminals of all types have employed domain spoofing and impersonation to launch multiple phases of their attacks. Sending a malicious email that looks like it comes from a trusted sender is a proven, effective way to initiate a vast array of attack types.
In response, security technology has steadily improved its ability to detect and block such attacks. And it’s very common and simple now to automatically block email from, and share information about, domains that are determined to be the source of those attacks.
So, for instance, if a sophisticated attacker — or even a student with cyber skills and a penchant for mischief — is able to use your domain to send phishing or other malicious emails, you’ll soon find a growing number of your legitimate outgoing emails being rejected by recipients’ email security.
That’s why DMARC was established. It provides robust email authentication and domain protection by expanding on the widely deployed SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders.
Traditionally, proper configuration of SPF and DKIM has been complex and difficult, which explains why few organizations implemented them. But modern solutions make it simple to automatically configure these protocols. The emergence of these solutions may be part of the reason that major ISPs like Google and Yahoo are establishing DMARC mandates.
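To make the “From:” linkage concrete, here is an added example (not from the original article or any vendor's product) of how a receiver combines SPF and DKIM results with a published DMARC policy. The domains, the sample record, and the two-label organizational-domain shortcut are assumptions for illustration; real receivers use the Public Suffix List.

```python
# Added example; domains, record and check results are constructed sample data.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, applying RFC 7489 defaults."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # DKIM alignment mode: relaxed unless stated
    tags.setdefault("aspf", "r")   # SPF alignment mode: relaxed unless stated
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares organizational domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs from the receiver's checks.
    Returns "pass", or the published policy (none/quarantine/reject) on failure."""
    policy = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], policy["adkim"])
    # DMARC passes only if one mechanism both passes and aligns with the From: domain.
    return "pass" if (spf_ok or dkim_ok) else policy["p"]

# Constructed record: reject failures, strict SPF alignment, aggregate reports to rua.
RECORD = "v=DMARC1; p=reject; aspf=s; rua=mailto:dmarc@school.example"

if __name__ == "__main__":
    cases = {
        "district mail server": (("pass", "school.example"), ("pass", "school.example")),
        # Authorized third party: its own bounce domain, but signs with the school's key.
        "learning provider": (("pass", "bounce.lms-vendor.example"), ("pass", "mail.school.example")),
        # SPF passes for the sender's own domain, yet nothing aligns with From:.
        "spoofed From:": (("pass", "other-sender.example"), ("none", "")),
    }
    for name, (spf, dkim) in cases.items():
        print(f"{name:22} -> {dmarc_result(RECORD, 'school.example', spf, dkim)}")
```

The third case is the one SPF and DKIM alone do not catch: the message authenticates for some domain, but not for the domain shown in the “From:” header.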
Risks and benefits for K-12
Schools have an unusual user base. Students in particular run the gamut, from unsophisticated users who are especially vulnerable to phishing and other email attacks, to skilled digital natives who may be more prone than adults to engage in illicit online behavior. This means that when it comes to domain fraud and impersonation, schools are at high risk.
A strong modern DMARC solution like Barracuda Domain Fraud Protection provides many benefits to K-12 organizations:
- Email authentication to prevent unauthorized users — both internal and external — from sending emails from your domain
- Third-party sender verification that extends domain protection to cover third-party learning providers that may be authorized to send emails on your behalf
- Reputational protection that enhances deliverability of your emails by preventing outgoing emails from being flagged or blocked as spam
- Real-time reporting and visibility that delivers insights into your entire email traffic landscape, letting you spot and respond to potential threats promptly
- Compliance with email-provider mandates for DMARC implementation