By now nearly everyone in the email industry has probably heard about DMARC, an effort by a coalition of leading companies like Google, PayPal and Microsoft. The goal of the group is to create a standard for how email authentication is handled so that brand owners can safeguard their domains from phishing.
There is also a fair amount of misunderstanding and confusion about DMARC. As one of the founding companies, Return Path has been heavily involved with the DMARC specification, so let me try to explain it here.
To start, let’s discuss what DMARC is not. DMARC is not a solution to the spam problem. Authentication has never had much to do with spam. Authentication, primarily Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), can only confirm that a message was in fact sent with the authorization of the domain it claims to come from. So, for example, a criminal cannot authenticate the domain paypal.com, because that domain is owned and controlled by PayPal, Inc. Only PayPal, Inc. can authenticate that domain. However, a spammer can register its own domain and authenticate it. Many do. And many send lots of spam off authenticated domains that they own. So DMARC does not end spamming.
DMARC also doesn’t totally eliminate phishing. Let’s go back to our example of paypal.com. DMARC would not prevent a criminal from registering a similar domain -- paypalbilling.com, for example -- and sending email from that domain. This is called “cousin domain” phishing, and authentication is of limited use against it (what companies can do is register these lookalike domains themselves, but there is clearly no end to the creativity of criminals). So DMARC doesn’t end all phishing.
But what DMARC does -- and this is quite significant -- is end criminals' ability to send email from a domain they don’t own. How important is this? Well, a version of the DMARC standard has been in use by PayPal and Google for approximately two years, and they have blocked up to 200,000 phishing messages a day. That’s one company (albeit a highly phished company) sending to one ISP. So it’s safe to say that domain phishing remains a big problem. And unlike “cousin domain” phishing, domain phishing does not leave a paper trail.
It’s also worth noting that DMARC has nothing to do with deliverability. Brand owners who use DMARC will not get a free pass to the inbox. The ISPs participating in DMARC have been very clear on this. Spammers can and do authenticate, so email that is properly authenticated with DMARC will still go through the normal filtering process and will be delivered, bulked or rejected based on the same reputation factors that the ISPs have always used to determine inbox placement.
But what it does for brand owners is give them control over their domains in a way that they simply have never had. It does this by using existing technology, specifically SPF and DKIM. Until now these technologies have lacked a communication loop between senders and receivers. As it stands today, a sender who is authenticating email has no way to “tell” the receiving ISP that ALL messages from that domain are authenticated, and therefore that ALL unauthenticated messages can be blocked. DMARC provides this communication mechanism and closes the loop between the sender who is authenticating messages and the receiver who is trying to interpret these records.
The good news is that it’s really easy to start testing out DMARC for your program. You can set up a DMARC record here and set the policy to “none” -- meaning you don’t want anyone blocking messages that aren’t authenticated. You will immediately begin receiving data from Google, which is up and running with DMARC. As the other ISPs fully implement the standard, you’ll begin getting reports from them as well. This will allow you to monitor your domains, figure out whether you are properly authenticated, and give you insight into whether or not your domain is under attack by cybercriminals.
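To make the two preceding paragraphs concrete, here is a small Python evaluator, added as an example and not taken from the original post or from Return Path, showing what a receiver does with a published DMARC record: it parses the TXT record, checks whether the SPF or DKIM domain is aligned with the From domain (relaxed or strict mode), and derives the disposition from the `p=` policy. The record, the hostnames, the report address and the sample authentication results are all constructed for the illustration; a real receiver would use the Public Suffix List for the organizational domain and would also honor the `pct=` tag, which this example leaves out.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example of a record published at _dmarc.example.com (not from the post).
# p=none asks receivers to take no action and only send aggregate reports to rua.
EXAMPLE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record ("tag=value; tag=value") into a dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record lacks a policy (p=) tag")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification: treat the last two labels as the organizational domain.
    Real implementations consult the Public Suffix List (e.g. for co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    a = identifier_domain.lower().rstrip(".")
    b = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


@dataclass
class AuthResult:
    """Authentication outcome of one message, as a receiver would see it."""
    from_domain: str                 # domain in the visible From: header
    spf_domain: Optional[str]        # MAIL FROM domain checked by SPF
    spf_pass: bool
    dkim_domain: Optional[str]       # d= of a DKIM signature that verified
    dkim_pass: bool


def evaluate(record_txt: str, result: AuthResult) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition) for a message under the given record.
    Disposition is 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record_txt)
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")
    # A message passes DMARC if at least one mechanism passes AND is aligned.
    spf_ok = (result.spf_pass and result.spf_domain is not None
              and aligned(result.spf_domain, result.from_domain, aspf))
    dkim_ok = (result.dkim_pass and result.dkim_domain is not None
               and aligned(result.dkim_domain, result.from_domain, adkim))
    if spf_ok or dkim_ok:
        return True, "none"
    # Failure: apply the domain owner's requested policy (pct= ignored here).
    return False, tags["p"]


if __name__ == "__main__":
    # Constructed sample: a legitimate bounce domain and a spoof from another domain.
    legit = AuthResult("example.com", "bounce.example.com", True, None, False)
    spoof = AuthResult("example.com", "spammer.example", True, None, False)
    print("legit:", evaluate(EXAMPLE_RECORD, legit))          # (True, 'none')
    print("spoof under p=none:", evaluate(EXAMPLE_RECORD, spoof))   # (False, 'none')
    print("spoof under p=reject:", evaluate("v=DMARC1; p=reject", spoof))  # (False, 'reject')
```

The spoofed message is the case the post describes: the spammer's own domain passes SPF, but it is not aligned with the From domain, so DMARC fails. With `p=none` the receiver still delivers it and only reports it, which is exactly why starting in monitoring mode is safe; moving to `p=quarantine` or `p=reject` is what finally lets the receiver act on the failure.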
You can also learn more about DMARC at the website www.dmarc.org. Check out the spec, read some of the media coverage and join the DMARC discuss list to talk directly with the companies who’ve been involved in bringing this standard to life.
What are your questions about DMARC? Leave comments below.