If you’re an email marketer, I’m sure you’ve heard of a new acronym floating around the email industry: DMARC! Many marketers have been asking what this new acronym is and whether it will affect their sending practices. My goal today is to ease your worries and explain very simply what it is and why you might consider it. Let’s get started.
What Is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. DMARC standardizes how email receivers (ISPs) perform email authentication, and gives email senders feedback.
- For email senders, it is an email authentication add-on designed to fit within the existing process receivers already use to authenticate inbound email.
- In action, it tells the receiving server when a message is protected by SPF and/or DKIM.
- If you’re a sender, you can direct email receivers that if they receive an email that appears to be from your domain but is not authenticated, it should be put directly in the spam folder or rejected outright.
- With DMARC, email senders get feedback about the messages using their domain, both legitimate and bogus. This will help you track down anyone phishing your domain.
DMARC will help protect the mail recipients as well as the email senders from being victims of phishing or spoofed email attacks. It will prevent such attacks before they are able to reach the recipient’s inbox.
As a technical specification, DMARC is the result of a coalition of industries, organizations, and companies concerned with the safety of personal information and the protection of internet communications.
The Three Main Objectives of DMARC
1.) Confirm email authentication is being used (SPF, DKIM, Sender ID).
2.) Provide feedback about messages using your domain – legitimate or not.
3.) Apply a policy to messages that fail authentication (Do Nothing, Reject, Quarantine), and give the sender the ability to specify which is used.
The Importance of DMARC
- Senders are largely unaware of what level of risk they have of being phished or spoofed. Most senders currently monitor only the delivery of their messages, not the fraudulent attempts using their domain identity. There are currently few to no tools in the industry to protect marketers against such attacks. DMARC helps with each of these.
- Emails have become easier to spoof. This means that your recipients are having a harder time identifying what is real and what is spoofed in their inbox. Given the widespread publicity about identity theft and related issues, recipients who are uncertain about an email’s authenticity are probably more likely to mark more emails as spam. If they do that with your email messages, it will lead to other delivery problems.
- Security attacks on people’s ultra-valuable personal information are becoming more prevalent – almost commonplace – in the industry. How many times in the last couple of years have you heard of companies being breached? How many of you have been affected personally? I was a victim of the Target breach, along with 110 million other individuals. (See also P.F. Chang’s, Neiman-Marcus, et alia in the Wall Street Journal.)
The Benefits of DMARC
- Allows senders to be proactive rather than reactive (an ounce of prevention is still worth a ton of cure, especially to your trusted brand. Target’s woes pushed out the CEO and affected stock prices, and that’s just the beginning).
- Protects senders and recipients from being victims of financial and personal information attacks
- Messages that phish or spoof your domain are blocked before ever reaching your customer’s inbox
- Decreases spam, which leads to an increase in the delivery of legitimate email
- Eliminates the guesswork on the handling of unauthenticated emails for ISPs
- Improves the sender’s overall relationships with ISPs and customers
- Gives the sender feedback that could lead to identifying the bad guys
How to Implement DMARC
1) You must have SPF and DKIM in place before DMARC can be deployed
- SPF – Sender Policy Framework
- DKIM – DomainKeys Identified Mail
2) As a sender, you will need to define the DMARC policy in your company’s DNS (Domain Name System) for your domain
- Senders set the appropriate policy (Reject, Quarantine, Do nothing) to tell ISPs how they would like them to handle the messages that fail authentication
3) Your DMARC Policy options:
- Do Nothing (Monitor Mode): essentially step 1 when implementing for the first time. Used at first as a net to catch and gather data, from which you can then identify trends and attack attempts.
- Quarantine: Messages are still sent to the end recipient but go to the quarantine/spam folder instead of the inbox. This lessens the likelihood of your recipients seeing the email.
- Reject: If DMARC fails, messages are rejected. Recipients will never see the email.
The diagram above shows how your message would be delivered and how a spoof would be treated, based on the checks the ISP makes and the DMARC policy settings your company chooses.
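To make the three steps concrete, here is an added example (it is not from the original post and not Act-On code) that shows the DNS TXT records for the three policy settings and evaluates a message the way a receiving ISP would: check which authenticated domain (SPF or DKIM) lines up with the visible From domain, and if neither does, apply the published policy. The domain names, the report mailbox and the simplified organizational-domain reduction are constructed assumptions; real receivers use the Public Suffix List for that step.

```python
"""DMARC policy records and a receiver-side evaluation (constructed example)."""
from typing import Optional, Tuple

# The three policy settings from the steps above, as DNS TXT records published at
# _dmarc.<your-domain>. Domains and the report mailbox are constructed placeholders.
DMARC_RECORDS = {
    "monitor":    "v=DMARC1; p=none; rua=mailto:dmarc-reports@company.example",
    "quarantine": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@company.example",
    "reject":     "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@company.example",
}


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and validate the required tags."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0] != "v=DMARC1":
        raise ValueError("a DMARC record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    # Alignment modes default to relaxed when they are not published.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Reduce a domain to its last two labels. Real receivers consult the Public
    Suffix List; this shortcut is adequate for the constructed names used here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: the authenticated domain must match the visible From
    domain exactly (strict, 's') or share its organizational domain (relaxed, 'r')."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate(record_txt: str, header_from: str,
             spf_pass_domain: Optional[str] = None,
             dkim_pass_domain: Optional[str] = None) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition) for one message.

    spf_pass_domain:  the MAIL FROM domain if SPF passed, else None
    dkim_pass_domain: the d= domain of a valid DKIM signature, else None
    The disposition is 'none' on a pass, otherwise the published p= policy.
    """
    record = parse_dmarc_record(record_txt)
    spf_aligned = aligned(header_from, spf_pass_domain, record["aspf"])
    dkim_aligned = aligned(header_from, dkim_pass_domain, record["adkim"])
    if spf_aligned or dkim_aligned:
        return True, "none"
    return False, record["p"]


if __name__ == "__main__":
    # A third-party sender passes SPF for its own bounce domain but carries no
    # DKIM signature for the From domain: authenticated, yet not aligned.
    for name, record in DMARC_RECORDS.items():
        print(name, evaluate(record, "company.example",
                             spf_pass_domain="esp-bounces.example"))
```

Running the block prints the same unaligned message landing as `(False, 'none')` under monitor mode, `(False, 'quarantine')` and `(False, 'reject')` under the stricter records, which is exactly the progression the three policy options describe.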
Investigating Problems
As part of incorporating DMARC, you sign up to receive a report that you can analyze to help identify companies and/or individuals who are phishing or spoofing your domain. You should monitor these reports over a period of time (which will differ for every company). You can then start an investigation based on the information that you get back from the reports. Some companies investigate internally, then reach out to the hosting company of the domain/IP that is causing the issue, letting the hosting company deal with the issue. Other companies, such as financial institutions, might go further and start an FBI investigation.
All in all, DMARC is still fairly new to the industry, and many companies are in the “monitor mode” to analyze the information they are getting.
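The reports mentioned above arrive as XML aggregate reports from each receiver. As an added example (not part of the original post, and not Act-On tooling), the following script parses one such report and separates your own mail from third parties that authenticate but do not align, and from sources that do not authenticate at all. The report itself is constructed for this example: the domains are placeholders and the IP addresses come from documentation ranges.

```python
"""Summarize a DMARC aggregate (rua) report to see who is sending as your domain."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample in the aggregate report format (RFC 7489 Appendix C).
# Domains are placeholders and the addresses come from documentation ranges.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiving-isp.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1400000000</begin><end>1400086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>company.example</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><pct>100</pct>
  </policy_published>
  <!-- your own mail server: SPF and DKIM pass and align -->
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>company.example</header_from></identifiers>
    <auth_results><dkim><domain>company.example</domain><result>pass</result></dkim>
      <spf><domain>company.example</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- a third-party service: SPF passes for its own domain, so it is not aligned -->
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>300</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>company.example</header_from></identifiers>
    <auth_results><spf><domain>esp-bounces.example</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- an unknown host: nothing authenticates -->
  <record>
    <row><source_ip>203.0.113.55</source_ip><count>45</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>company.example</header_from></identifiers>
    <auth_results><spf><domain>company.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def classify(record: ET.Element) -> str:
    """Label one <record> from the receiver's point of view."""
    evaluated = record.find("row/policy_evaluated")
    if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
        return "aligned pass"
    # Raw SPF passed for some other domain: a legitimate third party that needs an
    # aligned DKIM signature (or an aligned bounce domain) before a stricter policy.
    if record.findtext("auth_results/spf/result") == "pass":
        return "unaligned third party"
    return "unauthenticated"


def summarize(report_xml: str) -> Dict[str, object]:
    """Aggregate per-source counts and verdicts from one report."""
    root = ET.fromstring(report_xml)
    sources: List[dict] = []
    for record in root.findall("record"):
        sources.append({
            "ip": record.findtext("row/source_ip"),
            "count": int(record.findtext("row/count")),
            "disposition": record.findtext("row/policy_evaluated/disposition"),
            "spf_domain": record.findtext("auth_results/spf/domain"),
            "verdict": classify(record),
        })
    total = sum(s["count"] for s in sources)
    failing = sum(s["count"] for s in sources if s["verdict"] != "aligned pass")
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "reporter": root.findtext("report_metadata/org_name"),
        "total": total,
        "failing": failing,
        "sources": sources,
    }


def needs_attention(summary: Dict[str, object]) -> List[str]:
    """Source IPs to look into before tightening the policy."""
    return [s["ip"] for s in summary["sources"] if s["verdict"] != "aligned pass"]


if __name__ == "__main__":
    report = summarize(SAMPLE_REPORT)
    print(f"{report['domain']} p={report['policy']} from {report['reporter']}: "
          f"{report['failing']}/{report['total']} messages failed DMARC")
    for s in report["sources"]:
        print(f"  {s['ip']:<14} {s['count']:>5}  {s['disposition']:<10} {s['verdict']}")
```

The distinction between the second and third record is the one that matters during monitor mode: the "unaligned third party" source is typically a service sending on your behalf that needs to be brought into alignment (an aligned DKIM signature is the usual fix) before you move to quarantine or reject, while the "unauthenticated" source is the one worth investigating.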
Third-Party Email Service Provider Issues
Several ISPs, such as Gmail, Yahoo!, and AOL, have recently set their policies to reject any mail that uses a company’s domain in the “From” address (e.g., a “From:” address at company.com) if that email comes from a third party’s server instead of a “company.com” server. For a discussion of how that affects marketers, read this blog post that takes a look at Yahoo!’s practices.
Got questions? If you’re an Act-On customer, contact your Customer Success Manager. If you’re not an Act-On customer, check out the DMARC FAQs. Our Delivery Insight professional services group also can be of assistance.