After Hours

10 things you should know about DMARC's battle against email fraud

Supported by email providers like Google, Microsoft, and Yahoo -- and adopted by brands from Amazon to Zynga - DMARC is already protecting 60 percent of email boxes worldwide.

DMARC (Domain-based Message Authentication, Reporting and Conformance) was built to reduce email abuse, like phishing. It standardizes how email receivers perform email authentication using the existing SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) mechanisms. This article outlines 10 things you need to know about the DMARC email authentication standard.

1: Email authentication can save a company's brand

Email remains a vital communication channel that businesses use to acquire new customers and maintain existing relationships. Unfortunately, the email channel is also a popular target for cybercriminals. If organizations do not take the necessary precautions and deploy the latest email authentication standards, they can become susceptible to cyber attacks, including phishing. Not only can this cost a business millions of dollars, it can cause irreparable damage to a brand's reputation as a result of diminished customer trust.

2: No company is exempt from a phishing attack

No brand or vertical is exempt from problems caused by phishing. Well-known companies such as PayPal, Facebook, and GoDaddy aren't the only targets. Whether it be credit card data or email addresses, every business holds information that is attractive to cybercriminals. If that information can be monetized, they will take it. While several global email providers have already adopted DMARC standards, it is just as important for brands to implement DMARC so they can protect anyone receiving email from their domains.

3: DMARC was developed by industry leaders

Google, Microsoft, Facebook, LinkedIn, and Bank of America are just a few of the companies that came together to create the DMARC standard. Early on, they saw the need to address the problem of email fraud and the spoofing of generally trusted brands and domains. The support of such powerful organizations demonstrates the importance of reliable email authentication standards.

4: Authentication provides high business value

In the early days of email security, there was no concept of authentication. This flaw in design led to a high level of email abuse, which had a profound impact on businesses. With DMARC, businesses can increase user trust in emails that allege to come from their brand. In addition, DMARC gives businesses more visibility into consistent application of best practices, compliance assessment, and organizational risk points.

5: Millions of unauthenticated messages are rejected every month

Between November and December 2012, more than 325 million messages were rejected by mailbox providers for being unauthenticated. Not only does DMARC help protect your customers against phishing, but it also helps ensure that your messages reach your customers. Every time a message fails to reach its target destination, revenue is lost. By implementing authentication standards, email campaigns are better set up for success.

6: DMARC complements the existing email security ecosystem

SPF and DKIM were introduced in the early to mid 2000s to help reduce email fraud. While these two standards are powerful on their own, their effectiveness is limited due to a lack of visibility into who is sending email on behalf of an organization. DMARC leverages both SPF and DKIM to provide an extra layer of protection for a complete end-to-end email security solution. DMARC also relies on SPF and DKIM to determine the authenticity of messages.

7: Visibility gives control over illegitimate email

As a result of the collaborative effort between DMARC, SPF, and DKIM, organizations can now see whether their email is authenticating. This level of visibility is extremely important, as it allows organizations to create a policy to specify how Internet service providers (ISPs) and email service providers (ESPs) should process emails that fail the message authentication process -- either quarantining the email or blocking it entirely.

8: The standard is experiencing widespread adoption

Since launching in January 2012, DMARC now protects 60 percent of global mailboxes. That's 1.9 billion of the estimated 3.3 billion email boxes worldwide. In the U.S. specifically, DMARC protects 80 percent of consumer mailboxes. It has been adopted by leading global email providers as well as several top brands, including Twitter, Amazon, eBay, Facebook, Groupon, LinkedIn, YouTube, PayPal, and Yelp.

9: End users still don't know about DMARC

While DMARC is continuing to gain traction, most end users aren't familiar with the standard or the problems that can be caused by phishing. They also don't have a way to differentiate a real message from a well-phished message. The next phase of email authentication will be focused on giving the end user enhanced visibility into the authenticity of messages, perhaps with an infrastructure similar to the Extended Validation Certificates for SSL certificates today. Ultimately, there is still a lot of work to be done on behalf of the end user.

10: The bad guys are moving on to easier targets

DMARC has significantly improved problems caused by phishing for a number of organizations. For example, PayPal used to be one of the most phished brands on the planet. As a result of the company's effort to develop and implement DMARC, it's no longer in this position. It's still actively phished, but those messages aren't making it through to the inbox anymore at ISPs that are participating in DMARC. Unfortunately, cybercriminals still exist and they are moving on to those brands that haven't implemented DMARC because they're easier targets.

About the authors

Alec Peterson is CTO at Message Systems, leveraging more than 15 years of network engineering and design experience to advance the Message Systems technology vision. Sam Masiello is head of application security at Groupon. He has more than 20 years of email system and IT management experience, including over 10 years of SaaS and network and security systems management.

Automatically sign up for TechRepublic's 10 Things newsletter!

0 comments