Safeguard 9.5: Implement DMARC
Implementation Groups: IG2, IG3

Asset Type: Network
Security Function: Protect

Description

To lower the chance of spoofed or modified emails from valid domains, implement a DMARC policy and verification, starting with implementation of the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Draft policy/procedure document
7. Obtain stakeholder review and approval
8. Communicate to affected personnel
9. Schedule periodic review and updates
10. Configure email authentication (SPF, DKIM, DMARC)
11. Deploy email security gateway with filtering
12. Configure attachment and URL scanning

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Business Email Compromise via Domain Spoofing (Integrity)

Attackers send emails that appear to originate from the organization's domain to employees, partners, and customers, impersonating executives to authorize fraudulent wire transfers or data disclosure because no DMARC policy rejects spoofed messages.

Phishing Campaign Using Exact Domain Impersonation (Confidentiality)

Threat actors craft convincing phishing emails using the organization's exact domain in the From header, bypassing user suspicion because the email appears to come from a trusted internal source, enabled by the absence of SPF/DKIM/DMARC enforcement.

Brand Reputation Damage from Spoofed Email Campaigns (Integrity)

Attackers use the organization's domain to send spam or malware to external parties, damaging brand reputation and potentially causing the domain to be blocklisted by email providers because DMARC is not configured to prevent unauthorized use.

Vulnerabilities (When Safeguard Absent)

No DMARC Policy Published or Set to Monitor-Only

The organization has no DMARC DNS record, or it is set to p=none (monitor only), allowing spoofed emails using the organization's domain to be delivered to recipients without any enforcement or rejection.

Missing or Incomplete SPF and DKIM Configuration

SPF records are missing, overly permissive (using +all), or do not cover all legitimate sending sources, and DKIM signing is not configured for all outbound mail streams, undermining the foundation needed for effective DMARC enforcement.
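The two vulnerability statements above (no DMARC record or p=none; SPF missing or ending in +all) are the conditions a quarterly verification of the published records should catch. The following is an added example of such a check, not CIS tooling: it parses SPF and DMARC TXT records and reports the weaknesses the safeguard text names. The domains and records are constructed sample data embedded for offline use; a real check would fetch the TXT records via DNS (the `lookup` callback is the hypothetical seam for that).

```python
"""Assess SPF and DMARC records for the weaknesses named in the safeguard text.

Added example, not CIS's own tooling. Sample records below are constructed;
in practice `lookup(name)` would query DNS for TXT records at `name`.
"""

# Constructed sample TXT records keyed by DNS name (hypothetical domains).
SAMPLE_TXT = {
    "good.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc-rua@good.example; adkim=s; aspf=s"],
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "none.example": [],
}


def sample_lookup(name):
    """Offline stand-in for a DNS TXT query against the constructed data."""
    return SAMPLE_TXT.get(name, [])


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, lookup):
    """Return a list of findings for `domain`; an empty list means both
    SPF and DMARC are present and enforcing."""
    findings = []

    # --- SPF: record at the apex, must exist, be unique, and not end open ---
    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record published")
    elif len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records (receivers treat this as a permanent error)")
    else:
        mechanisms = spf[0].split()[1:]
        lowered = [m.lower() for m in mechanisms]
        # An unqualified mechanism defaults to '+', so bare 'all' equals '+all'.
        if any(m in ("+all", "all") for m in lowered):
            findings.append("SPF: '+all' authorizes any sender to use the domain")
        elif not any(m in ("-all", "~all") for m in lowered):
            findings.append("SPF: no terminal '-all'/'~all'; unmatched senders get a neutral result")
        elif lowered[-1] == "~all":
            findings.append("SPF: softfail '~all'; move to '-all' once sending sources are inventoried")

    # --- DMARC: record at _dmarc.<domain>, policy must be enforcing ---
    dmarc = [r for r in lookup("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record published at _dmarc." + domain)
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC: missing or invalid policy tag (p=%r)" % policy)
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so aggregate reports are never received")
        if tags.get("pct", "100") != "100":
            findings.append("DMARC: pct=%s applies the policy to only part of the mail" % tags["pct"])
    return findings


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "none.example"):
        result = assess_domain(name, sample_lookup)
        print(name, "->", result or ["OK: SPF and DMARC enforcing"])
```

Findings map directly to the evidence line "Email security configuration (SPF, DKIM, DMARC records) - Verified quarterly": an empty result for every sending domain is the artefact to file, and any finding is a gap against this safeguard. DKIM is not checked here because its selector names are deployment-specific and are not given on this page.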

Evidence Requirements

Type       | Evidence Item                                                              | Collection Frequency
-----------|----------------------------------------------------------------------------|---------------------
Technical  | Configuration screenshots or exports showing protection controls enabled   | Captured quarterly
Document   | Procedure documentation for protection measures                            | Reviewed annually
Technical  | Email security configuration (SPF, DKIM, DMARC records)                    | Verified quarterly
Document   | Governing policy document (current, approved, communicated)                | Reviewed annually