As you probably know, senders can (for free) set up a DMARC record that lets them monitor the authentication of messages attributed to their domains and publish a policy instructing participating mailbox providers to quarantine or reject mail that fails authentication. As a marketer, that means you can tell just about every big mailbox provider to block unauthenticated (suspicious) messages sent under your name, instantly stopping an entire class of phishing attacks that use your brand.
The Yahoo decision instantly reduced all stakeholders’ vulnerability to scams involving phony Yahoo messages, a benefit that far outweighed the disruption caused by the new policy -- and it did inconvenience some legitimate users. But the precedent set by Yahoo can amplify this benefit well beyond its brand; in fact it already has, with AOL announcing its own shift to a DMARC reject policy soon after. Expect more major mailbox providers to follow suit shortly, pushing awareness of email abuse -- and, more important, an easy way to mitigate it -- into wider conversations in the marketing world.
Although email marketers often think of mailbox providers as a different class of stakeholder in their circles, conversations about email security highlight a fundamental similarity: They both have valuable brands whose protection is critical to their survival and success. Stemming phishing attacks will save money -- potentially, a lot of money -- associated with direct costs to clean up the damage. But maintaining users’ trust and the value of top-tier brands is the bigger driver of anti-fraud technology adoption.
It follows that Yahoo and others will raise awareness and nudge more big brands into taking steps to fight email abuse, a multiplying effect that will make policies and technology even stronger -- they all need buy-in across a critical mass of users to work. That’s good news for marketers.
The bad news is that with consumer awareness come consumer expectations, which occasionally are unreasonable. As people learn how email marketers they trust take steps to protect them (or don’t), they will inevitably expect us to do everything in our power to keep them from falling victim to fraud. Virtually every legitimate sender in the world wants to prevent fraud, of course, but it’s not so easy.
First, authentication-based solutions like DMARC can’t stop messages that don’t spoof actual sending domains, so those “from” variations or common misspellings of popular brands’ addresses slip through undetected. There are alternative approaches to catch these, but they’re not airtight yet either. Second, even free technology requires expertise and resources to implement -- neither is ever unlimited, so brand security initiatives like these face the same budget struggles that sideline competing marketing opportunities. To consumers pointing the finger at brands for failing to protect them, these sound like bad excuses even when they’re not.
Here’s what you can do today as a marketer and brand steward to get ahead of this issue. Start scoping what it will take to authenticate your messages. Get an inventory of your sending domains, which may include internal departments, external partners, subsidiaries, affiliates, and franchisees. Authentication and DMARC implementation can technically be done without incurring fees or outside expenses. Consultants and vendors can help a little or a lot depending on how much support you need.
If you start this quarter, you can easily be ready to prevent a significant amount of suspicious messaging from reaching consumers before Q4 and the holiday shopping season. As customers around the world demand more proactive security in their marketing relationships, you’ll be among the brands they trust to protect them.