There have been a lot of conversations and questions within the industry lately about ways for email senders to protect themselves from malicious phishing attacks. The newest approach is a technical specification called DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”. DMARC was created by both senders (brands and ESPs) and receivers (ISPs) to help brands protect the email channel by allowing receivers to easily determine whether a message was actually sent by the brand that owns the domain in the From address.
The creation of this specification aligns closely with one of our core businesses here at Experian CheetahMail: eliminating messaging abuse and protecting recipients from the fraudulent behavior of other senders. While we believe this technology is something all senders should investigate and eventually implement, those in the financial services industry, or who have otherwise witnessed phishing attacks against their brand, should be the first to determine their company’s strategy with regard to DMARC. For most companies this will involve working across different departments, such as marketing, IT and security.
For those of you who have been in the email industry for some time, you might remember when Yahoo! created a special relationship with eBay/PayPal to reject messages that were not signed with the DomainKeys authentication protocol, stopping phishing emails coming into their system that claimed to be from these companies. DMARC has taken that same premise and grown it. DMARC standardizes how email receivers validate messages using the well-known SPF and DKIM authentication protocols. A DMARC policy allows a sender to indicate that their email is protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes for the domain in the From address, such as delivering the message to a spam or junk folder, or rejecting it altogether. DMARC removes some of the guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent and harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation, so the sender can potentially take action against those fraudulent senders.
An important aspect of the DMARC specification, and one that sets it apart from similar initiatives that came before it, is that it lets the sender determine what the ISPs should do with messages that fail, and it doesn’t have to be an all-or-nothing approach. There is also no charge for senders to implement this technology. A sender can simply tell the ISPs not to do anything with failed messages, to quarantine a certain percentage of the failed mail, or to fully block any messages that fail and claim to be from their brand.
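To make the two preceding paragraphs concrete, here is an added example (not Experian CheetahMail’s code, and not a real receiver’s implementation) of how a receiver evaluates a message against a published DMARC record: it parses the record’s tags (p=, sp=, pct=, adkim=, aspf= and the rua= reporting address), checks whether a passing SPF or DKIM result is aligned with the domain in the From header, and then applies the sender’s chosen policy, including the percentage-based quarantine the text describes. The domain names, records and message results are constructed for illustration, and the organizational-domain logic is simplified to the last two labels where a real receiver would use the Public Suffix List.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample DMARC TXT records, keyed by the domain that would publish
# them at _dmarc.<domain>. Illustrative only, not any real domain's records.
SAMPLE_RECORDS = {
    "bank.example": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-agg@bank.example",
    "shop.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@shop.example",
    "blog.example": "v=DMARC1; p=none; sp=quarantine; rua=mailto:reports@blog.example",
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, filling in the spec defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")     # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment
    tags.setdefault("pct", "100")     # share of failing mail the policy applies to
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    if not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct= must be 0..100")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption:
    real receivers use the Public Suffix List so example.co.uk works)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Does the authenticated domain align with the visible From domain?"""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup(records, from_domain):
    """Exact-domain record first, then the organizational domain's record,
    in which case the sp= (subdomain) policy applies."""
    if from_domain in records:
        return records[from_domain], False
    org = org_domain(from_domain)
    if org in records:
        return records[org], True
    return None, False


@dataclass
class AuthResult:
    """What a receiver knows after running SPF and DKIM on one message."""
    from_domain: str   # domain in the visible From: header
    spf_pass: bool
    spf_domain: str    # domain SPF was checked against (MAIL FROM)
    dkim_pass: bool
    dkim_domain: str   # d= of a verified DKIM signature, "" if none
    message_id: str


def evaluate(records, r, bucket=None):
    """Return (dmarc_result, action); action is one of none/quarantine/reject."""
    txt, is_subdomain = lookup(records, r.from_domain)
    if txt is None:
        return "none", "none"  # no policy published: receiver uses its own rules
    tags = parse_dmarc(txt)
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["sp"] if is_subdomain else tags["p"]
    # pct= sampling: hash the Message-ID into a bucket 0..99 so the same message
    # always gets the same answer; mail outside the sampled share gets the next
    # less strict policy (reject -> quarantine, quarantine -> none).
    if bucket is None:
        bucket = int(hashlib.sha256(r.message_id.encode()).hexdigest(), 16) % 100
    if bucket >= int(tags["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "fail", policy


if __name__ == "__main__":
    spoof = AuthResult("bank.example", True, "phish.example", False, "", "<1@phish.example>")
    print(evaluate(SAMPLE_RECORDS, spoof))  # ('fail', 'reject')
```

The spoofed message in the usage line passes SPF for the attacker’s own envelope domain, but that domain does not align with bank.example, so the sender’s p=reject policy applies; a legitimate message signed or sent from a bank.example (sub)domain would pass. The `bucket` parameter exists only so the pct= sampling can be exercised deterministically.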
Over the years I have seen a number of similar proposals come into our industry, and it always seems as though we have a chicken-and-egg problem. Usually what happens is that the ISPs say they will start checking for the newest form of authentication once enough senders are using it, while the sender community says it isn’t worth their time to implement something if none of the ISPs are checking for it. The great thing about DMARC is that not only was it created by both senders and receivers, but many on both sides are already using and checking for it. We currently know of at least 4 of the largest receivers in the world that are either currently checking for DMARC policies or finalizing their implementation of it. There are also a number of senders that are already publishing these records, and that number will only continue to grow.
We believe DMARC is an important step toward ensuring the ongoing health of our email ecosystem and an important implementation for many senders, especially those at risk of being spoofed or phished. Experian CheetahMail will continue to monitor any changes to this latest initiative, or any other new industry developments to reduce messaging abuse, and will work to ensure that you are kept up to date on any additional developments.
Learn more about the author, Spencer Kollas