Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation
In Catch Me If You Can (2002), Frank Abagnale successfully impersonates pilots, doctors, and lawyers—not by hacking systems, but by exploiting trust. People believe the uniform, the letterhead, and the signature. The deception works because there’s no reliable way to verify identity at a glance.
Email spoofing works the same way. Messages look legitimate, appear to come from trusted senders, and exploit the assumption that “if it looks right, it must be real.” CIS Safeguard 9.5: Implement DMARC exists to close that trust gap.
What Is CIS Safeguard 9.5?
CIS Safeguard 9.5: Implement DMARC is part of CIS Critical Security Control 9 – Email and Web Browser Protections. It requires organizations to:
- Implement DMARC (Domain-based Message Authentication, Reporting, and Conformance)
- Enforce DMARC policies to prevent spoofed emails
- Monitor DMARC reports to understand and improve email authentication
The purpose is clear:
Prevent attackers from successfully impersonating your domain in email-based attacks.
Why Email Spoofing Is So Effective
Email was not originally designed with strong sender authentication. As a result, attackers can easily forge the “From” address, making messages appear to come from:
- Executives
- Finance teams
- IT support
- Trusted partners
- Well-known brands
This fuels:
- Phishing attacks
- Business Email Compromise (BEC)
- Credential theft
- Fraud and wire transfer scams
Like Frank Abagnale’s forged checks, spoofed emails succeed not because they’re sophisticated—but because they exploit implicit trust.
What DMARC Actually Does
DMARC builds on two existing email authentication standards:
- SPF (Sender Policy Framework): Who is allowed to send email for your domain
- DKIM (DomainKeys Identified Mail): Whether the message carries a valid cryptographic signature from the signing domain and its content has not been altered in transit
DMARC adds:
- Alignment: Ensures SPF/DKIM actually match the visible “From” domain
- Policy enforcement: Tells receivers what to do when authentication fails
- Reporting: Provides visibility into who is sending email on your behalf
In practical terms, DMARC allows domain owners to say:
“If an email claiming to be from us fails authentication, don’t deliver it.”
Why “Implement” Means More Than Turning It On
A DMARC record alone is not enough. CIS Safeguard 9.5 is explicit about implementation and enforcement.
DMARC policies progress through stages:
- p=none → monitor only
- p=quarantine → messages that fail authentication are treated as suspicious (typically delivered to spam/junk)
- p=reject → unauthenticated messages are blocked outright
Organizations that stop at monitoring gain visibility—but no protection.
In Catch Me If You Can, Abagnale’s scams only end when institutions start verifying credentials instead of just observing suspicious behavior. DMARC works the same way: enforcement is what stops the fraud.
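The following is an added example, not code from the article: a minimal DMARC evaluator that shows how the published record, SPF/DKIM alignment and the p= / sp= stage combine into a single disposition for one message. The records, domains and the two-label organizational-domain rule are constructed assumptions for illustration.

```python
# Added example (not from the article): how a receiver turns a DMARC record plus
# SPF/DKIM results into a disposition. Records below are constructed; a real one is
# published as a TXT record at _dmarc.<domain>.
RECORDS = {
    "example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "monitored.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitored.example",
}

def parse_dmarc(txt):
    """Parse 'tag=value;' pairs; apply RFC 7489 defaults (relaxed alignment, sp inherits p)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    return tags

def org_domain(domain):
    """Simplified organizational domain (last two labels); real code uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return the DMARC disposition for one message: 'pass', 'none', 'quarantine' or 'reject'."""
    from_domain = from_domain.lower()
    if from_domain in RECORDS:                    # exact record: the p= policy applies
        tags = parse_dmarc(RECORDS[from_domain])
        policy = tags["p"]
    elif org_domain(from_domain) in RECORDS:      # subdomain without its own record: sp= applies
        tags = parse_dmarc(RECORDS[org_domain(from_domain)])
        policy = tags["sp"]
    else:
        return "none"                             # no DMARC record published: nothing to enforce
    # SPF and DKIM only count when the authenticated domain aligns with the visible From domain
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    return "pass" if spf_ok or dkim_ok else policy
```

Note that a message whose SPF passes for an unrelated envelope domain still fails DMARC: alignment is what ties the authentication result to the From header the user sees.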
Threats Directly Mitigated by DMARC
- Domain Spoofing
DMARC prevents attackers from sending emails that appear to come directly from your domain—protecting employees, customers, and partners.
- Business Email Compromise (BEC)
Many BEC attacks rely on spoofed executive or finance emails. DMARC dramatically reduces the success rate of these attacks by blocking unauthenticated messages.
- Brand and Reputation Abuse
Without DMARC, attackers can use your domain to scam others—damaging trust even if your internal systems are never compromised.
Visibility Through DMARC Reporting
One of DMARC’s most powerful features is reporting. DMARC reports reveal:
- Legitimate services sending email on your behalf
- Misconfigured systems
- Unauthorized or malicious senders
- Progress toward full enforcement
This visibility often surprises organizations—many discover unknown third-party senders they didn’t realize existed.
How Safeguard 9.5 Fits Into Control 9
CIS Control 9 focuses on reducing email and web-based risk:
- 9.1–9.4: Reduce exposure and execution paths
- 9.5: Protect identity and trust at the email domain level
Without DMARC, even the best phishing training and email filtering can be undermined by messages that appear fully legitimate.
Practical Implementation Tips
To implement CIS Safeguard 9.5 effectively:
- Inventory All Legitimate Email Senders
Marketing platforms, ticketing systems, SaaS tools, and alerting services all matter.
- Start with Monitoring, But Don’t Stay There
Use p=none to learn—then move to enforcement.
- Review DMARC Reports Regularly
Reports are intelligence, not noise.
- Aim for p=reject
That’s where real protection begins.
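As an added example (not from the article) covering both the reporting section above and the tips on inventorying senders and reviewing reports: a small parser for a DMARC aggregate (rua) report that totals traffic per source, notes the SPF domain each source authenticated as, and lists which sources would be blocked once the policy moves from p=none to p=reject. The report XML, IP addresses and domains are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 XML layout (values invented for this example).
# Source 1 is aligned mail; source 2 is a third-party mailer whose SPF passes for its own
# domain but is not aligned; source 3 is traffic passing nothing.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>example-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><adkim>r</adkim><aspf>r</aspf></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>saas-mailer.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.44</source_ip><count>900</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize(report_xml):
    """Return (published p= policy, {source_ip: {count, passing, spf_domain}})."""
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p")
    summary = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated carries the *aligned* results, which is what DMARC acts on
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        entry = summary.setdefault(ip, {"count": 0, "passing": False,
                                        "spf_domain": rec.findtext("auth_results/spf/domain")})
        entry["count"] += count
        entry["passing"] = entry["passing"] or dkim == "pass" or spf == "pass"
    return policy, summary

def would_be_blocked(report_xml):
    """Sources passing neither aligned SPF nor aligned DKIM: the mail p=reject would stop."""
    _, summary = summarize(report_xml)
    return {ip: e["count"] for ip, e in summary.items() if not e["passing"]}
```

A source that shows up here with a recognizable SPF domain is usually a legitimate service that needs to be added to SPF or configured to sign with DKIM for your domain; one with no recognizable identity is the traffic enforcement is meant to block.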
Final Thoughts
CIS Safeguard 9.5 exists because email identity without verification is just a costume. Attackers don’t need to break in—they just need to look convincing.
Spoofed emails thrive in environments where trust isn’t verified. DMARC provides that verification. It tells the world which messages are truly yours—and which ones are impostors.
And in a threat landscape dominated by phishing and fraud, that distinction is no longer optional.
Resources
Here’s a link to the Policy Templates provided free of charge from the fine folks at the Center for Internet Security:
Looking for even more details? Here you go. If this still doesn’t satisfy your curiosity, DM me.
CIS Control 9 – Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
CIS Safeguard 9.5: Implement DMARC
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Shameless Marketing Information
Gotham Technology Group offers professional and managed services to protect your organization with technologies such as Secure Email Gateway (SEG), Secure Web Gateway (SWG), Network Security (NGFW, Route, Switch, WAP), Secure Services Edge (SSE) and Secure Access Services Edge (SASE).