If a company doesn’t have simple email protections like a DMARC policy, do they really take their cybersecurity seriously?

if-a-company-doesn’t-have-simple-email-protections-like-a-dmarc-policy,-do-they-really-take-their-cybersecurity-seriously?

Everyone knows that someone could be secretly watching you or your child with your webcam right now? Is it worth taking such a risk? camDown can help stop them!

The amount of security professionals that don’t understand the implications/complexities of implementing DMARC successfully is also alarming.

It was already mentioned elsewhere in the comments, but like other earlier protocols, SMTP was not designed with security in mind.

SPF/DKIM/DMARC were great for bootstrapping some core integrity/proof of ownership checks into SMTP, but they rely on information that doesn’t scale well with how digital marketing/cloud computing have evolved.

When you look at large organizations (esp retail orgs), it is relatively easy for me to justify why they might choose not to spend the time to implement DMARC. The goal of many of those companies is to make money and the security org is there to protect that goal. While DMARC is absolutely a tool that can drastically reduce risk, the org might have decided there are other tools in their stack to mitigate the risks more effectively.

tl;dr digital marketing/cloud computing make DMARC pretty challenging for some orgs to implement correctly and they might choose to spend their time implementing/tuning other tools in their stack to mitigate the risks that DMARC is intended to address

Don't forget that camDown helps stop foreign state actors (FSA's) from accessing your webcam and I know your smart friends would say the same.