A little over a year ago, a who’s who of leading Internet players announced the Domain-based Message Authentication, Reporting and Conformance (DMARC) working group, an industry-based approach to combating spam, phishing and other forms of messaging abuse. And on Feb. 6, its one-year anniversary, DMARC.org announced a rather amazing accomplishment: The DMARC standard now protects almost two-thirds of the world's 3.3 billion consumer mailboxes worldwide, and was responsible for blocking 325 million unauthenticated messages in November and December 2012 alone.
There are several reasons why marketers should start paying more attention to DMARC – if they haven’t already -- because it’s going to bring many positive changes to the way we conduct business online and through email.
First of all, DMARC is being advanced by the Internet’s largest brands, ISPs and email inbox providers (the receiving community), including Google, Facebook, Microsoft (Outlook.com), AOL and Yahoo! It’s also being embraced on the sender side by many big names in financial services like Bank of America, and JP Morgan Chase, online payment providers like PayPal, and many of the technology and infrastructure providers that keep the Internet running worldwide. Enthusiastic participation by these Internet giants is the key reason why broad adoption was achievable – and why marketers should understand the rewards of embracing the standard themselves.
It’s important to keep in mind that DMARC is designed not simply to combat spam and messaging abuse, but also to give email senders – meaning ecommerce providers, online merchants and marketers – a greater role in the anti-abuse cause.
By adopting a DMARC policy, marketers will be able to indicate to ISPs that their emails are protected by the SPF or DKIM authentication protocols, and tell the receiver how to handle that message if neither of those authentication methods passes. For instance, marketers could request that such email could be marked as junk or blocked altogether. In the past, ISPs on the receiving end had to make the decision whether to block or junk on their own without input from the sender.
This was problematic because for those brands using weak authentication (older domain key schemes used 512 bit encryption) it was relatively easy for malicious hackers to break these codes, forge the “From” address, and start sending out fraudulent email under a brand’s domain. The ISPs had no way of recognizing these messages as spam or phishing scams, and marketers often were completely unaware that their domain had been hacked until significant damage had been done. Under the new DMARC rules that call for more robust authentication – at least 1024-bit encryption – hackers will have far greater difficulty spoofing domains, ISPs will find it easier to recognize poorly authenticated messages as suspicious, and they will have a way to quickly alert senders that something might be wrong.
This is because DMARC also provides a mechanism for email receivers to send a daily report back to senders about messages that pass or fail DMARC evaluation. So by enabling senders to share handling preferences with ISPs, and creating a mutually beneficial information-sharing loop, much of the guesswork is removed from rooting out fraudulent messages. Widespread adoption of a single industry standard on the receiver side is a big part of what makes this all possible, and really relevant for US marketers.
So if you’re a marketer relying on in-house infrastructure for email sends, be sure to check that your IT team is planning to update DKIM and SPF policies to ensure compliance. If you work with an email service provider or marketing automation company, you’ll need to ensure that they have access to your DKIM keys in order to send email that will appear authenticated.
To learn more, check out these detailed guidelines for senders about DMARC compliance. Additionally, Return Path reports that Gmail is already failing DKIM for any key 512 and shorter, and it has also been reported it will soon begin failing keys shorter than 1024 also. That doesn’t necessarily mean your emails are going to be blocked right away (emails have to fail both DKIM and SPF to fail DMARC) but it’s clear that DMARC is very much the industry standard going forward.
DMARC protection seems only relevant for bulk email. If you only send one-to-one messages and triggered emails, up to say one thousand per day, then in my experience you don't need to worry. This is of course very sensible, because spammers get very low conversion rates can't make money unless they send in bulk.