DMARC (Domain-based Message Authentication, Reporting and Conformance) was built to reduce email abuse, like phishing. It standardizes how email receivers perform email authentication using the existing SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) mechanisms. This article outlines 10 things you need to know about the DMARC email authentication standard.
1: Email authentication can save a company's brand
Email remains a vital communication channel that businesses use to acquire new customers and maintain existing relationships. Unfortunately, the email channel is also a popular target for cybercriminals. If organizations do not take the necessary precautions and deploy the latest email authentication standards, they can become susceptible to cyber attacks, including phishing. Not only can this cost a business millions of dollars, it can cause irreparable damage to a brand's reputation as a result of diminished customer trust.
2: No company is exempt from a phishing attack
No brand or vertical is exempt from problems caused by phishing. Well-known companies such as PayPal, Facebook, and GoDaddy aren't the only targets. Whether it be credit card data or email addresses, every business holds information that is attractive to cybercriminals. If that information can be monetized, they will take it. While several global email providers have already adopted DMARC standards, it is just as important for brands to implement DMARC so they can protect anyone receiving email from their domains.
3: DMARC was developed by industry leaders
Google, Microsoft, Facebook, LinkedIn, and Bank of America are just a few of the companies that came together to create the DMARC standard. Early on, they saw the need to address the problem of email fraud and the spoofing of generally trusted brands and domains. The support of such powerful organizations demonstrates the importance of reliable email authentication standards.
4: Authentication provides high business value
In the early days of email security, there was no concept of authentication. This flaw in design led to a high level of email abuse, which had a profound impact on businesses. With DMARC, businesses can increase user trust in emails that allege to come from their brand. In addition, DMARC gives businesses more visibility into consistent application of best practices, compliance assessment, and organizational risk points.
5: Millions of unauthenticated messages are rejected every month
Between November and December 2012, more than 325 million messages were rejected by mailbox providers for being unauthenticated. Not only does DMARC help protect your customers against phishing, but it also helps ensure that your messages reach your customers. Every time a message fails to reach its target destination, revenue is lost. By implementing authentication standards, email campaigns are better set up for success.
6: DMARC complements the existing email security ecosystem
SPF and DKIM were introduced in the early to mid 2000s to help reduce email fraud. While these two standards are powerful on their own, their effectiveness is limited due to a lack of visibility into who is sending email on behalf of an organization. DMARC leverages both SPF and DKIM to provide an extra layer of protection for a complete end-to-end email security solution. DMARC also relies on SPF and DKIM to determine the authenticity of messages.
7: Visibility gives control over illegitimate email
As a result of the collaborative effort between DMARC, SPF, and DKIM, organizations can now see whether their email is authenticating. This level of visibility is extremely important, as it allows organizations to create a policy to specify how Internet service providers (ISPs) and email service providers (ESPs) should process emails that fail the message authentication process -- either quarantining the email or blocking it entirely.
8: The standard is experiencing widespread adoption
Since launching in January 2012, DMARC now protects 60 percent of global mailboxes. That's 1.9 billion of the estimated 3.3 billion email boxes worldwide. In the U.S. specifically, DMARC protects 80 percent of consumer mailboxes. It has been adopted by leading global email providers as well as several top brands, including Twitter, Amazon, eBay, Facebook, Groupon, LinkedIn, YouTube, PayPal, and Yelp.
9: End users still don't know about DMARC
While DMARC is continuing to gain traction, most end users aren't familiar with the standard or the problems that can be caused by phishing. They also don't have a way to differentiate a real message from a well-phished message. The next phase of email authentication will be focused on giving the end user enhanced visibility into the authenticity of messages, perhaps with an infrastructure similar to the Extended Validation Certificates for SSL certificates today. Ultimately, there is still a lot of work to be done on behalf of the end user.
10: The bad guys are moving on to easier targets
DMARC has significantly improved problems caused by phishing for a number of organizations. For example, PayPal used to be one of the most phished brands on the planet. As a result of the company's effort to develop and implement DMARC, it's no longer in this position. It's still actively phished, but those messages aren't making it through to the inbox anymore at ISPs that are participating in DMARC. Unfortunately, cybercriminals still exist and they are moving on to those brands that haven't implemented DMARC because they're easier targets.