As DMARC celebrates its second birthday as the most prominent anti-phishing breakthrough to date, it may be on the verge of creating an uncomfortable situation for email marketers. The standard (Domain-based Message Authentication, Reporting and Conformance) helps senders see unauthenticated and potentially fraudulent mail attributed to their domains, and then tell mailbox providers not to deliver it. It works because most big mailbox providers now support it: More than 80% of typical U.S. email users can be protected by DMARC. Some of the world’s biggest email senders, including Facebook, Twitter, eBay and PayPal -- and scores of others -- are reporting impressive strides toward protecting consumers from scams conducted in their names.
That’s what could soon become uncomfortable for marketers. There’s mounting evidence that as these senders make it more difficult to use their brands to dupe consumers, phishers are concentrating their efforts on brands that aren’t using DMARC. At the same time, in November, RSA, the security division of data management and security provider EMC, reported a record number of phishing attacks ahead of the holiday shopping season. This surge further concentrates the risk among the least-protected senders.
Phishers still have plenty of highly recognized, trusted brands to target. Although many of the biggest online brands have been early DMARC adopters, consumer brands are lagging. Return Path recently examined a sample of 1.4 billion messages sent in 2014 to see which senders had implemented DMARC. Of the 20 highest-volume senders, 18 were using DMARC, and 14 had published a “reject” policy telling ISPs to block unauthenticated mail from them.
On the other hand, fewer than 500 of the 10,000 biggest senders are blocking messages through DMARC, and only three of Interbrand’s top 100 global brands are doing this. Meanwhile, media attention increasingly raises awareness of high-profile phishing attacks against consumer brands. Even with this unwelcome spotlight on fraud, it’s safe to say that few consumers are aware of DMARC. That will probably change. As consumers and consumer advocates explore ways to reduce fraud, DMARC will become a big part of their focus.
As consumers become more aware of DMARC, they’ll also become more aware of which brands have implemented it, and which brands have not. Failing to take this relatively easy step to reduce fraud will then expand companies’ liability from a security risk to a marketing risk, as customers switch to brands they trust to protect them.
Email authentication and DMARC implementation don’t require significant effort or expense. Technically, they can be done without incurring costs beyond development time. On the other hand, building a brand is painfully expensive, and repairing a brand is exorbitant – and sometimes impossible. The good news is, there’s still time to avoid being exposed as a brand unwilling to protect consumers. If you haven’t begun to implement DMARC or publish a reject policy, do it today -- before your customers start asking uncomfortable questions.