All Collections
Learn about DMARC
Is DMARC a valid vulnerability for responsible disclosure?
Is DMARC a valid vulnerability for responsible disclosure?
Francesca Runger-Field avatar
Written by Francesca Runger-Field
Updated over a week ago

What is DMARC?

DMARC is an outbound email security protocol that protects domains against exact impersonation (or email spoofing). This is when fraudsters pretend to be you to send phishing emails to your employees, customers, and supply chain in an effort to get their hands on private data, and money.

What is a responsible disclosure (or bug bounty) program?

Responsible disclosure programs (also known as bug bounty programs) are structured frameworks organizations have in place for security researchers (or bug bounty hunters), to find vulnerabilities within their websites, systems, platforms, or wider attack surface. If the bug bounty hunter is successful, the organization compensates them for their findings.

Ok, so what’s a beg bounty program?

A beg bounty is a term used to describe the surfacing of an easily discoverable issue by a ‘bounty beggar’. These issues aren’t deemed payment-worthy either because they’re not a legitimate vulnerability or are considered an issue that could have been easily spotted by the organization itself.

Is DMARC a beg bounty?

Missing DMARC records are considered beg bounties. Why? Because DMARC is considered easily discoverable, too complex to implement, and some incorrectly believe it’s unimportant. Some even wrongly believe that DMARC is synonymous with SPF and DKIM.

Why SPF and DKIM aren’t enough

While SPF and DKIM records are key email security protocols and fundamental to successful DMARC implementation, having them set up isn’t enough to fix your DMARC vulnerability and stop domain spoofing.

Your DMARC record combines the signals from SPF and DKIM records and gives instructions to receiving servers, telling them what to do with emails from your domain that don’t pass authentication. This can only happen when DMARC is in p=reject. SPF and DKIM implemented alone cannot do this.

How do SPF, DKIM and DMARC work together?

  • SPF verifies whether an email was sent from an authorized IP address.

  • DKIM verifies that the email has not been modified by creating a digital signature.

They both produce what is known as authentication identifiers that DMARC uses to authenticate emails and set rules about how receiving servers should treat emails that fail authentication checks.

See the steps below to learn how SPF and DKIM produce authentication identifiers that DMARC uses to authenticate email:

  1. A message is sent to the receiver’s email server.

  2. The receiver’s server checks the sender’s DNS for DMARC, SPF and DKIM records.

  3. The receiving server verifies the incoming message against SPF and DKIM and if either validation passes it sends the message to the recipient.

  4. If validation fails, the message will be sent to a spam folder or completely rejected, depending on how DMARC is configured – the end user will never see the failed message.

So, SPF and DKIM are vital components of the DMARC verification process because they provide the signals for DMARC to confirm whether an email is from an authorized – or fraudulent – source.

Why DMARC should be implemented by organizations by default

Although we feel organizations shouldn’t be paying out for DMARC beg bounties, businesses must not strike DMARC off as ‘unimportant’. While DMARC isn’t a website vulnerability or ‘bug’, having no DMARC record (or a record at none/quarantine) means you’re extremely vulnerable to impersonation and phishing attacks, such as BEC.

To secure your business email, it is critical for SPF, DKIM and DMARC to be configured correctly. When all three protocols have been implemented successfully and a DMARC policy of p=reject is achieved. businesses can be safe in the knowledge that their domain(s) are secured against impersonation attacks.

Did this answer your question?