As cybercriminals grow more sophisticated with AI and social engineering, email remains a critical vulnerability for organizations worldwide. Today, we’re joined by Dominic Jainy, an IT professional with deep expertise in cutting-edge technologies like artificial intelligence, machine learning, and blockchain. Dominic brings a unique perspective to the world of cybersecurity, particularly in understanding how protocols like DMARC can safeguard businesses from phishing and impersonation attacks. In this conversation, we dive into the mechanics of DMARC, the alarming gaps in its adoption, the evolving threat landscape, and actionable steps for organizations to bolster their email security.
Can you explain in simple terms what DMARC is and how it helps protect organizations from cyber threats?
Absolutely. DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It’s essentially a security protocol that helps prevent attackers from sending fraudulent emails that appear to come from your domain. Think of it as a gatekeeper for your email system—it verifies if the sender is legitimate and decides what to do with emails that don’t pass the check. By using DMARC, organizations can stop phishing emails from reaching their employees or customers, protecting both their reputation and sensitive data.
How does DMARC interact with other email security protocols like SPF and DKIM to create a stronger defense?
DMARC doesn’t work alone; it builds on two foundational protocols: SPF, which stands for Sender Policy Framework, and DKIM, or DomainKeys Identified Mail. SPF checks if the sending server is authorized to send emails on behalf of a domain, while DKIM uses cryptographic signatures to verify that the email content hasn’t been tampered with. DMARC takes these checks a step further by setting a policy on what should happen if an email fails SPF or DKIM—whether to let it through, quarantine it, or block it entirely. Together, they create a layered defense that’s much harder for attackers to bypass.
Why do you believe email continues to be such a vulnerable point for many organizations despite advancements in cybersecurity?
Email’s biggest strength is also its weakness—it’s universal and deeply trusted. Almost every business relies on email for communication, approvals, and sharing sensitive information. But it was never designed with robust identity verification in mind. Even with training, people can be tricked by well-crafted phishing emails, especially now with AI making them nearly indistinguishable from legitimate messages. Plus, many organizations haven’t prioritized technical safeguards like DMARC, leaving their domains open to spoofing and impersonation attacks.
Research shows only a small percentage of top domains have the strongest DMARC policy in place. What do you think is holding organizations back from full enforcement?
There are a few key barriers. First, there’s a lack of awareness—many organizations don’t fully understand DMARC or its importance. Second, setting up and maintaining DMARC can seem complex, especially for businesses with limited IT resources. Finally, some companies worry about disrupting legitimate email traffic if they enforce strict policies too quickly. They often start with a weaker setting and never progress to full enforcement, which means they’re not actually stopping phishing attacks—just monitoring them.
Could you walk us through the different DMARC policy settings and why the level of enforcement is so critical?
Sure. DMARC has three main policy settings: ‘p=none,’ ‘p=quarantine,’ and ‘p=reject.’ With ‘p=none,’ the system simply logs suspicious emails without taking action—it’s like watching a burglar walk by without stopping them. ‘p=quarantine’ flags suspicious emails and often sends them to a spam folder for review. The strongest setting, ‘p=reject,’ outright blocks unauthorized emails from reaching the recipient. Enforcement level matters because weaker settings don’t prevent attacks; they just provide visibility. Only a strict policy like ‘reject’ actively protects your domain and users from phishing.
With AI and social engineering making phishing emails harder to detect, how have these technologies changed the landscape for cybercriminals?
AI has been a game-changer for cybercriminals. It’s lowered the barrier to entry by automating the creation of convincing emails with perfect grammar, tone, and even personalized content. Social engineering tactics have also become more sophisticated—attackers can mimic the style of a CEO or a trusted vendor, timing their messages to exploit urgency or trust. This means even tech-savvy individuals can fall for these scams, making technical solutions like DMARC more essential than ever to stop these emails before they reach the inbox.
Can you share a real-world example where weak email security led to significant financial or reputational damage?
Absolutely. A recent case involved a major retailer falling victim to a social engineering scam through email. Attackers impersonated a trusted entity so convincingly that the company suffered potential losses of up to £300 million in operating profit. This wasn’t a high-tech hack; it was a simple spoofed email that exploited a lack of proper authentication protocols. It’s a stark reminder that without strong email security, even large organizations can suffer devastating consequences from a single phishing attempt.
What kind of impact have you observed in regions like the United States where stronger DMARC enforcement has been encouraged through regulations or provider policies?
The impact has been significant. In the U.S., where both regulations and email provider policies have pushed for stricter DMARC adoption, we’ve seen phishing email acceptance rates drop dramatically over just a couple of years. This shows that when enforcement is prioritized—whether through mandates or provider requirements—it directly reduces the success of phishing attacks. It’s proof that technical measures, backed by policy, can shift the balance in favor of security.
Major email providers are now enforcing DMARC for bulk senders. What do you think prompted them to take this initiative without waiting for government intervention?
I think it’s a combination of responsibility and self-interest. Providers like Google, Yahoo, and Microsoft handle massive volumes of email traffic, and phishing attacks create a huge burden on their systems and users. By enforcing DMARC, they’re proactively reducing spam and fraud, which improves user trust and reduces support costs. It also positions them as leaders in security, showing they can drive change without waiting for slow-moving government regulations. It’s a bold move that’s pushing the entire industry forward.
How would you address organizations that believe staff training alone can prevent phishing attacks?
I’d tell them that while training is important, it’s not enough. Human error is inevitable, especially with today’s hyper-realistic phishing emails. No amount of vigilance can stop an email that looks like it’s from your own CEO or a trusted partner. Technical solutions like DMARC are critical because they address the problem at the source—by preventing fraudulent emails from ever reaching the inbox. Training and technology have to work hand in hand; relying on just one leaves you exposed.
What are the dangers of treating DMARC as a one-time setup rather than an ongoing process to manage and update?
Treating DMARC as a “set it and forget it” solution is a big mistake. Email systems evolve—new senders get added, configurations change, and attackers find new ways to exploit gaps. If you don’t actively monitor and adjust your DMARC policy, you risk misconfigurations that could block legitimate emails or, worse, fail to block malicious ones. Without ongoing management, you’re not adapting to the threat landscape, and your initial setup becomes outdated and ineffective over time.
You’ve highlighted a disconnect between email providers, regulations, and business readiness. Can you elaborate on what this gap looks like in practice?
Certainly. Email providers are moving fast, enforcing strict authentication standards to combat phishing. Meanwhile, many businesses are stuck in a compliance mindset—doing the bare minimum to avoid email delivery issues rather than focusing on real security. On the regulatory side, there’s often a lag; laws and mandates haven’t caught up with the pace of provider changes or evolving threats. This creates a fragmented landscape where providers are ahead, businesses are behind, and regulations aren’t bridging the gap effectively.
What practical steps can businesses take today to shift from merely complying with DMARC to truly prioritizing email security?
First, start by assessing your current DMARC setup—check if you even have a policy in place and what level it’s set to. Then, gradually move toward a stricter policy like ‘p=reject,’ but do it thoughtfully by monitoring reports to avoid blocking legitimate emails. Partner with IT experts or use tools to simplify the process if resources are tight. Finally, commit to regular reviews of your email authentication settings and educate your team on why this matters. It’s about building a culture of security, not just checking a box.
Given how well-equipped cybercriminals are becoming, how critical is it for organizations to prioritize email security over other cybersecurity measures?
Email security should be at the top of the list because it’s often the entry point for broader attacks. Phishing emails can lead to ransomware, data breaches, or financial fraud—issues that ripple across an entire organization. While other areas like network security are vital, email is uniquely vulnerable due to its widespread use and the trust users place in it. If you don’t secure email, you’re leaving the front door unlocked, no matter how strong the rest of your defenses are.
Finally, what’s your forecast for the future of email security as threats continue to evolve?
I believe email security will become increasingly automated and integrated with AI-driven threat detection. We’ll see more intelligent systems that not only authenticate emails but also analyze behavior and context in real-time to flag risks. I also expect stronger collaboration between providers, businesses, and regulators to standardize enforcement globally. However, as threats evolve, the cat-and-mouse game with cybercriminals will continue. Organizations that stay proactive—adopting and maintaining robust protocols like DMARC—will be the ones best positioned to stay ahead of the curve.
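To make the mechanics Dominic describes concrete (SPF/DKIM results feeding a DMARC policy of none, quarantine or reject), here is an added example that is not part of the interview: a small DMARC record parser plus the receiver-side disposition logic, including relaxed versus strict identifier alignment. The records and domain names in it are constructed, and the organizational-domain helper is a deliberate simplification.

```python
# Added example (not from the interview): parse a DMARC TXT record and apply the
# pass / none / quarantine / reject decision described above. Records and domains
# below are constructed for illustration.
from typing import Optional

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict; reject records a receiver
    would ignore (bad version tag, missing or invalid p= policy)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("missing or unsupported v= tag")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= policy")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels
    (real receivers consult the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) accepts the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(record: dict, header_from: str,
                      spf_domain: Optional[str], dkim_domain: Optional[str]) -> str:
    """Return 'pass' or the published policy action. spf_domain / dkim_domain are
    the domains that passed SPF (MAIL FROM) or DKIM (d=), or None on failure."""
    spf_ok = spf_domain is not None and aligned(header_from, spf_domain, record.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(header_from, dkim_domain, record.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"       # either aligned check passing is enough
    return record["p"]      # otherwise the domain owner's policy decides
```

A ‘p=none’ record returns "none", which is exactly the monitoring-only outcome the interview warns about: the failure is logged but the message is still delivered.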