DMARC: What It Is And Why You Need To Care
By now nearly everyone in the email industry has probably heard about DMARC, a coalition of leading companies like Google, PayPal and Microsoft. The goal of the group is to create a standard for how email authentication is handled so that brand owners can safeguard their domains from phishing.
There is also a fair amount of misunderstanding and confusion about DMARC. As one of the founding companies, Return Path has been heavily involved with the DMARC specification, so let me try to explain it here.
To start, let’s discuss what DMARC is not. DMARC is not a solution to the spam problem. Authentication has never had much to do with spam. Authentication, primarily Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), can only confirm that an email was authorized by the domain it claims to come from. So, for example, a criminal cannot authenticate the domain paypal.com, because that domain is owned and controlled by PayPal, Inc. Only PayPal, Inc. can authenticate that domain. However, a spammer can register its own domain and authenticate it. Many do. And many send lots of spam from authenticated domains that they own. So DMARC does not end spamming.
DMARC also doesn’t totally eliminate phishing. Let’s go back to our example of paypal.com. DMARC would not prevent a criminal from registering a similar domain -- paypalbilling.com, for example -- and sending email from that domain. This is called “cousin domain” phishing and authentication is of limited use (what companies can do is register these lookalike domains, but there is clearly no end to the creativity of criminals). So DMARC doesn’t end all phishing.
But what DMARC does -- and this is quite significant -- is end criminals' ability to send email from a domain they don’t own. How important is this? Well, a version of the DMARC standard has been in use by PayPal and Google for approximately two years, and they have blocked up to 200,000 phishing messages a day. That’s one company (albeit a highly phished company) sending to one ISP. So it’s safe to say that domain phishing remains a big problem. And unlike “cousin domain” phishing, domain phishing does not leave a paper trail.
It’s also worth noting that DMARC has nothing to do with deliverability. Brand owners who use DMARC will not get a free pass to the inbox. The ISPs participating in DMARC have been very clear on this. Spammers can and do authenticate, so email that is properly authenticated with DMARC will still go through the normal filtering process and will be delivered, bulked or rejected based on the same reputation factors that they have always used to determine inbox placement.
But what it does for brand owners is give them control over their domains in a way that they simply have never had. It does this by using existing technology, specifically SPF and DKIM. Until now these technologies have lacked a communication loop between senders and receivers. As it stands today, a sender who is authenticating email has no way to “tell” the receiving ISP that ALL messages from that domain are authenticated, and therefore ALL unauthenticated messages can be blocked. DMARC provides this communication mechanism and closes the loop between the sender who is authenticating messages and the receiver who is trying to interpret these records.
The good news is that it’s really easy to start testing out DMARC for your program. You can set up a DMARC record here and set the policy to “none” -- meaning you don’t want anyone blocking messages that aren’t authenticated. You will immediately begin receiving data from Google, which is up and running with DMARC. As the other ISPs fully implement the standard, you’ll begin getting reports from them as well. This will allow you to monitor your domains, figure out if you are properly authenticated and give you insight into whether or not your domain is under attack by cybercriminals.
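To make the "none" policy and the sender-to-receiver loop concrete, here is a simplified sketch of how a receiver could apply a published DMARC record to the SPF and DKIM results it already has. It is an added example, not code from the article or from any DMARC implementation; the domains, records and function names are constructed, and the `sp` and `pct` tags and report generation are left out.

```python
# Added example: simplified receiver-side DMARC check. Domains and records are constructed.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"    # report only
ENFORCE = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"  # block failures

def parse_dmarc(txt):
    """Split a DMARC TXT record into tags; require v=DMARC1 first and a valid p=."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    return tags

def aligned(from_domain, auth_domain, strict=False):
    """Relaxed mode is a suffix comparison here (a simplification); real
    receivers compare organizational domains via the Public Suffix List."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if strict or not a or not b:
        return bool(a) and a == b
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def evaluate(from_domain, record, spf, dkim):
    """spf/dkim are (result, domain) pairs; returns ("pass", "none") or ("fail", policy)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf") == "s")
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim") == "s")
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags["p"])

def demo():
    spoof = (("pass", "bulk-sender.test"), ("none", ""))   # authenticated, but as another domain
    legit = (("pass", "bounce.example.com"), ("pass", "example.com"))
    return {
        "spoof_monitor": evaluate("example.com", MONITOR, *spoof),
        "spoof_enforce": evaluate("example.com", ENFORCE, *spoof),
        "legit_enforce": evaluate("example.com", ENFORCE, *legit),
        # A cousin domain that authenticates as itself passes its own policy.
        "cousin": evaluate("example-billing.com", "v=DMARC1; p=reject",
                           ("pass", "example-billing.com"), ("none", "")),
    }

if __name__ == "__main__":
    print(demo())
```

Under the monitoring record the spoofed message still fails DMARC but the requested action is "none", which is what lets a domain owner collect reports before moving to "quarantine" or "reject".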
You can also learn more about DMARC at the website www.dmarc.org. Check out the spec, read some of the media coverage and join the DMARC discuss list to talk directly with the companies who’ve been involved in bringing this standard to life.
What are your questions about DMARC? Leave comments below.

George Bilbrey is president of Return Path and founder of the industry's first deliverability service provider. A recognized expert in email reputation and deliverability, George is active in many industry organizations, including the Messaging Anti-Abuse Working Group (MAAWG) and the Online Trust Alliance (OTA).