DMARC: Flipping A Switch To Fight Email Fraud

Even a year ago, only days after the DMARC standard was officially unveiled, its impact on email marketers and other senders was already clear. Senders who’d been authenticating mail from their domains suddenly had better visibility into their subscribers’ experience and a powerful and easy way to protect their customers and brands from phishing and other email abuse. It worked from day one.

Today, thanks to widespread adoption by the mailbox provider community, DMARC covers more than 80% of consumer mailboxes in the U.S. and more than 60% of consumer mailboxes globally. So more than 2 billion mailboxes fall under DMARC’s protection, allowing marketers to stop a huge portion of the email fraud sent under their names, instantly. If you aren’t using already doing this, here’s how it works:

Using the DMARC standard, you can monitor whether messages attributed to your domains are properly authenticated. You can learn more about using SPF (here) and DKIM (here) to authenticate your email, but DMARC is something you can use even before you start authenticating. (Initially you’ll see that none of your email is authenticated.) Once your sending domains are authenticated, data from DMARC will show you what messages mailbox providers see from your domain, including those they can tell are coming from you, and those they can’t – suspicious messages. Some of the suspicious messages may come from domains you control if they’re not correctly authenticated, and DMARC will identify those. Other suspicious messages won’t be from your domains. These may be phishing attacks against your subscribers, sent under your name. Through DMARC you can tell mailbox providers to block these messages (and any that fail authentication).



That’s what DocuSign (a client) did earlier this month. The company’s electronic signature standard was the target of a large-scale phishing attack. Thanks to its early adoption of DMARC, DocuSign saw the attack happening in real time and quickly published a new DMARC policy, essentially telling mailbox providers to keep all unathenticated messages from DocuSign out of subscribers’ inboxes. Their quick action prevented thousands, if not millions of phishing attempts from reaching consumers.

Another early DMARC adopter, which routinely uses the standard to keep fraudulent messages out of consumers’ mailboxes, recently estimated that DMARC helped the company block 350,000 messages from bogus forwarding services and infrastructure that wasn’t theirs.

The list of companies already using DMARC includes top-tier brands like Apple, Amazon, Facebook, and Twitter – and ten of the 20 highest volume senders globally. Their efforts are keeping huge quantities of suspicious messages out of inboxes around the world – more than 325 million in November and December alone. As a result, their networks and mailbox providers’ networks are more secure – and, most important, subscribers’ trust in their brands and in the entire email ecosystem is stronger.

For marketers who haven’t begun authenticating or using DMARC yet, it’s time. Authentication now offers a tangible, immediate benefit that’s powerful and easy to realize. Through a few simple steps, you can use the standard to flip the switch today and watch a big chunk of email abuse disappear from your mailstream.


Next story loading loading..