Demystifying DMARC

DMARC.org recently announced the launch of a new supporter program to offer technical and financial assistance for the adoption of DMARC email authentication. 

The new Supporters program allows organizations to participate in and help improve DMARC.org’s technical programs, such as developing or enhancing protocols for email authentication and education programs, aimed at implementing DMARC worldwide.

Founding supporters of DMARC.org’s new program are SparkPost, a cloud-based email company, and ValiMail, a recently launched email security startup that provides a free DMARC online domain checker.

The first step toward global adoption of the DMARC standard may be to demystify the protocol, which is highly technical and often confusing for even the savviest of email marketing professionals.

Domain-based Message Authentication, Reporting & Conformance, otherwise known as DMARC, is an email authentication protocol designed to validate email senders and prevent email spoofing. It is built on the SPF and DKIM protocols, which were originally developed over a decade ago.

“DMARC is confusing because it's based on email standards that are ten years old and were written long before the cloud era we live in today,” says Alexander García-Tobar, CEO and cofounder of ValiMail. “Configuring them requires very specialized (some might even say arcane) knowledge.”

“Email evolved back when the Internet was used by a few thousand researchers and scientists, and they weren't concerned about security because everybody knew everybody else,” says Steve Jones, director of DMARC.org. “Bad actors were easily identified and, if necessary, punished.”

He said that as the Internet grew to millions -- and ultimately billions -- of users, the industry had to add security to functions like email decades after they were developed. Retrofitting something isn't always easy, he said, when you're trying to address security concerns.

Yet DMARC is an incredibly important standard, and failing to conform to it can have wide-ranging consequences. DMARC can help protect companies from email-based phishing attempts, which can lead to financial fraud and brand harm.

The FBI recently revealed that more than $3 billion has been lost globally to CEO email fraud, or business email compromise (BEC), and cyberattacks are increasing year-over-year.

“In a perfect world, if every legitimate domain used a p=reject policy (effectively telling receiving domains and ISPs to discard mail that failed DKIM validation), it would massively decrease the ability of phishers & spammers to do their dirty work,” says Len Shneyder, VP of Industry Relations at SparkPost.

The details are a little geeky, but Gmail and Microsoft have announced intentions to implement a p=reject policy by the end of the month. This could reduce marketers’ email delivery rates, as DMARC conformance directly correlates with higher inbox placement.
