I'd put this in a different category than 2FA, password manager, or basic "watch out for phishing emails" training. All of those things can be enacted by the individual end-user if the organization doesn't enforce it. But it doesn't look like DMARC is something the individual can turn on or off--it's completely on their IT to set it up.
I'm not sure how easy it is to set up, either. Assuming they're paying for Office 365 or G-Suite for outlook/gmail on campaign domains, is that something that Microsoft and/or Google will turn on automatically for you?
To set up DMARC, you add a text record like _dmarc.example.com with content like "v=DMARC1; p=reject" (or perhaps a more permissive or canaried policy).
I am not sure if Google sets it up automatically. I have no memory of setting it up for my gsuite domain... but the record is there. I probably added it at some point though.
The advantage of DMARC against phishing is that people without access to your email server can't impersonate people in your organization. If you tried sending me an email with a "From: jon@jrock.us" header, it would be rejected by my server and I would never see it. This makes it much more difficult to spearphish someone. If you could send an email "this is your boss, look at the From: field, now click my link!", a lot of people would click that link. If the From: field is "spammer@phishing.invalid", you might think twice.
Wouldn't someone still be able to send mail from jon@jrơck.us and even have it pass DMARC and DKIM checks if they bought that domain? (last o being a ơ [ơ])
I wrote that fake address, I know where the defect is, and I can't spot the difference on my screen right now. It just looks like the other 50 specks of dirt on my laptop screen.
One common way to defend against a partial (or full) homograph attack is to have clients render IDNs as punycode. The downside is that it kinda pulls the plug on non-ASCII domains. :-\
It has a reasonable workaround: check that all glyphs belong to the same writing system. That is, post.com should have all glyphs from Latin, почта.рф all glyphs from Cyrillic, and ταχυδρομείο.ελληνικό must have all letters Greek. The fact that the Latin, Cyrillic, and Greek alphabets have the same-looking glyphs like o or p is not dangerous if you can't mix them up.
That's a cool idea and will normally work, but won't prevent homograph attacks entirely. Identities can still be spoofed if they can be constructed entirely from glyphs in the intersection of two Unicode blocks. E.g. `ΝΙΚΕ.ϹΟΜ` and `NIKE.COM`.
Yeah, I don't think DMARC helps with that. jon@jrơck.us won't key into the corporate directory, though, so someone should at least think something is amiss. (I thought my screen was dirty.)
Email security enforcement is not turned on automatically, but is relatively easy to set up for GSuite or Office365. Typically the easiest implementation is to create a DNS validation record. With that caveat, SPF and DKIM are easier to set up, because it's just creating a validation record. DMARC typically means that you're now getting 10-20 emails a day from major email providers all containing XML files that need to be analyzed. There aren't a ton of good solutions to analyze the contents of the XML files.
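The XML files mentioned above are DMARC aggregate (rua) reports in the RFC 7489 format. As an added example (not code from any commenter or provider), here is a small parser that rolls them up by sending IP and flags sources whose mail failed both DKIM and SPF, i.e. mail the domain owner never sent; the embedded report, its IPs, org name and report id are constructed placeholders.

```python
"""Summarise a DMARC aggregate report: which sending IPs passed and which were
rejected. The sample XML below is constructed for illustration only."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (placeholder values).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.invalid</org_name>
    <report_id>PLACEHOLDER-REPORT-ID</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize(report_xml):
    """Return (published policy, {source_ip: count/disposition/dkim/spf})."""
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p")
    per_ip = defaultdict(lambda: {"count": 0, "disposition": None, "dkim": None, "spf": None})
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        entry = per_ip[row.findtext("source_ip")]
        entry["count"] += int(row.findtext("count"))  # rows for one IP may repeat
        entry["disposition"] = evaluated.findtext("disposition")
        entry["dkim"] = evaluated.findtext("dkim")
        entry["spf"] = evaluated.findtext("spf")
    return policy, dict(per_ip)


def spoof_attempts(report_xml):
    """IPs whose mail failed both DKIM and SPF, with message counts."""
    _, per_ip = summarize(report_xml)
    return {ip: e["count"] for ip, e in per_ip.items()
            if e["dkim"] == "fail" and e["spf"] == "fail"}
```

Run it over the gzip- or zip-decompressed attachments a receiver sends; any IP in `spoof_attempts` that is not one of your own senders is someone trying to impersonate your domain.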
Postmark has a free service that will handle the DMARC XML analysis for you, sending you a human-readable summary report once a week. (You don't have to be sending through Postmark to use it; I've been surprised at how many spammers attempt to spoof my personal domains.)
I set up DMARC some years ago. The XML files are kind of a pain, but you really only need to look at them for a couple days or weeks, then you can remove the reporting address from your DMARC record, because once you're convinced the config is correct, there is no actionable information in the reports.
Try an online generator such as https://dmarcian.com/dmarc-record-wizard/ to create one. No affiliation, just a well done generator I have used that walks you through the process.
With domains registered at Google Domains it's very easy to enable. Not all domain registrars support it. Mayor Pete uses GoDaddy and it is very easy to set up at that registrar as well.