9 Reasons Why Companies Resist Implementing DMARC

DMARC (Domain-based Message Authentication Reporting and Conformance) has been in the frame of email security since 2013, and still, a wide range of companies and organizations haven’t adopted it. As per a survey, the SaaS 1000 sector has the best DMARC adoption, which is 46%. It’s not even 50%, and mind you, we are talking about the sector with the highest adoption rate!  

The situation is worse in the legislative and judiciary branches, with 17.3% and 13% adoption rates, respectively. 

On speaking with some cross-industry giants, we came across the following reasons that have been impeding them from implementing DMARC even in 2023.

Why Companies Aren’t Sure to Implement DKIM?

DMARC works in accordance with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to protect your domains and subdomains from email spoofing and phishing. This subsequently shields your reputation and the flow of the sales funnel while keeping you and the email receivers away from ransomware attacks and legislation. In case of a data breach, GDPR and other bodies impose hefty fines due to your lack of securing and handling sensitive customer data/content in the desired way. 

Image sourced from comodosslstore.com

However, companies are still dubious about its deployment, primarily because of these reasons-

1. Fear of Disrupting Email Delivery

DMARC instructs recipients’ servers on what actions to take against illegitimate email messages sent from your organization’s domain. You can choose one of the three DMARC policies: none, quarantine, and reject.

Setting the strictest policy, that is p=reject, offers the best protection against malicious email senders trying to send phishing and spoofing emails in your company’s name. However, at times, the reject policy mentioned in the DMARC DNS record is implemented to genuine email conversations, resulting in the bouncing back of important messages. 

This disturbs the flow and quality of email delivery and communication, which consequently impacts operations at various levels. In some cases, even your brand’s reputation gets hit since the desired recipient didn’t receive the email message pertaining to customer support, order status, billing, updates to stakeholders, pitch decks, etc.


Don’t be in haste to shift to the strictest policy. Let your DMARC record be set to the p=quarantine policy till you are confident. Confidence comes from regular DMARC monitoring through RUF and RUA reports to evaluate the rate of false positives. 

2. Resource Constraints

For smaller organizations or those with limited IT resources, the prospect of implementing DMARC can be daunting. DMARC requires a coordinated effort across different teams, including IT, security, and marketing, and may involve changes to email systems and DNS records (domain name system records). Resource constraints, both in terms of personnel and budget, can make DMARC implementation appear impractical.


You can outsource the task to agencies specialized in DMARC monitoring and troubleshooting. Some reputed names include DuoCircle, a stop platform for message authentication through SPF and DMARC services

3. Perceived Complexity

DMARC is a fairly complex protocol, and this fact overwhelms and discourages companies from linking it to their email infrastructures. 


It’s suggested to give the responsibility to a DMARC service provider.

4. Resistance to Change

Resistance to change is the common barrier to the implementation of any new technology. Companies are comfortable with their current operational and security architecture, but little do they realize the limitations and vulnerabilities associated with outdated systems and technologies. 


Talk to company owners who have already been using DMARC for some time so that you gain some confidence, even if it comes with a pinch of skepticism. Also, plan a proper flow for its deployment across your email infrastructure. 

5. False Positives for Marketing Emails

False positives for marketing emails cause them to either bounce back or land in spam folders, neither of which are desirable from a marketing perspective. This significantly drops the chances that recipients would engage with your messages, thus impacting the marketing ROI

Moreover, emails sent using @yahoo.com, @aol.com, and @gmail.com fail DMARC authentication checks and hit the deliverability rate.


You can resolve this by using your custom domain to send marketing emails. This can be followed by implementing BIMI in addition to DMARC so that a trademarked logo shows up next to emails sent by you. These authentication methods boost engagement and validation rates for the domain owner. 

6. Staff Engaging in Shadow IT Expresses Disapproval of DMARC

Shadow IT is the practice of using tools, services, and devices that the company hasn’t sanctioned officially. Employees use them discreetly to make their work easy and speedy whilst boosting innovation and productivity. On the other side, shadow IT isn’t secured and often acts as a gateway for hackers.

Implementing DMARC enables you to detect the presence of such tools and even identify the individuals utilizing them. This is why employees engaged in shadow IT exhibit hesitation when it comes to complying with DMARC.


Eliminate the use of shadow IT implied in any form. 

7. Trouble in Overcoming the SPF DNS Lookup Limit

DMARC works on the basis of SPF and DKIM results. There’s a limitation of a maximum of 10 DNS lookups, and exceeding this causes your SPF record to go invalid, which consequently affects DMARC. Companies with an extensive email infrastructure find it challenging to stay within this limit.


Use AutoSPF’s services to automatically compress your SPF record and eliminate the need for multiple and frequent lookups. It works by replacing IP addresses with the corresponding domain names. 

8. Global Compliance Challenges

Cross-country data storage and email authentication come with global compliance challenges. If your workplace is located in Europe, adhering to GDPR, the most stringent global privacy and security regulation, is mandatory. Furthermore, numerous European private and public entities are cautious about transferring data abroad. Under GDPR’s privacy guidelines, even IP addresses are classified as personally identifiable information (PII).


Start receiving DMARC reports for domains and subdomains as per the regions where your emails are restricted.

9. DMARC Report Interpretation Challenge 

DMARC reports can be challenging to interpret due to technical complexity, varying report formats, large data volumes, and a lack of context. Additionally, incomplete or inconsistent data, the evolving threat landscape, and a shortage of user-friendly tools can make it difficult for organizations to derive actionable insights. Expertise in email security and authentication results is often required to make sense of DMARC reports effectively. 


Use online tools that convert these reports into an easy-to-comprehend format. DMARCReport’s full-featured API not only allows you to provision accounts but also to pull stats and reports into your own applications.

Overcoming Resistance to DMARC Implementation

While these reasons for resistance are valid, they should not deter organizations from implementing DMARC for their email server. The benefits of DMARC, including enhanced email security and protection from phishing attacks, far outweigh the initial challenges. You can also reach out to us to seek professional guidance and make the process easier.

Similar Posts