Last month, a new email authentication specification was announced by a group of 15 email service providers, financial firms and message security companies, including Bank of America, Google Inc., LinkedIn, Microsoft Corp. and Return Path. Domain-based Message Authentication, Reporting & Conformance, or DMARC, was designed to thwart would-be phishers and criminals by allowing senders and recipients to exchange email authentication information with each other.
DMARC works in conjunction with previously announced email authentication standards Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), two technologies that authenticate a sender's domain so that only messages coming from a specific domain—not spoofed messages—get delivered. (Spoofing occurs when a malicious sender creates email messages that appear to be coming from someone else's domain. Recipients who believe they have received a message from a trusted sender then open the message and click on links, opening a gateway into their accounts, computers or networks.) According to the Online Trust Alliance (OTA), more than 125 million people were affected by data loss incidents, many of which originated via phishing schemes.
The specification requires a multistep authentication. The sending server inserts a special DKIM signature header that identifies the message as coming from the sender (or its ESP). When the email arrives at the recipient's server, it first goes through standard validation tests, including IP block lists, reputation lists and rate limits. That server then requests the SPF, DKIM and DMARC records from the domain owner's DNS server. Once that information comes back, the message can be validated and is either passed through to the recipient, quarantined or blocked. A failure report is sent to the domain owner if either SPF or DKIM authentication failed.
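The receiver-side decision just described, as an added example (not code from the article or from any DMARC participant): it checks whether an SPF- or DKIM-authenticated domain is aligned with the From domain and then applies the published policy. The DNS lookup is replaced by a constructed in-memory table, and the organizational domain is approximated as the last two labels; a real receiver would use the Public Suffix List.

```python
# Toy DMARC policy evaluation (added example; assumes SPF and DKIM
# results have already been produced by earlier checks).

# Constructed stand-ins for _dmarc.<domain> TXT records (not real DNS data).
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r",
    "_dmarc.example.net": "v=DMARC1; p=quarantine; rua=mailto:rep@example.net",
}

def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict, filling in DMARC defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}   # relaxed alignment by default
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    # Simplification: treat the last two labels as the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=DNS_TXT):
    """Return (disposition, failure_report_needed) for one message.

    disposition is 'pass', 'no-policy' (domain publishes no DMARC record),
    or the published policy ('none', 'quarantine', 'reject') when DMARC fails.
    """
    record = dns.get("_dmarc." + from_domain.lower())
    if record is None:
        return "no-policy", False
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:                 # one aligned, passing identifier is enough
        return "pass", False
    return policy["p"], True              # apply the domain owner's policy and report
```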
DMARC was started, said Patrick Peterson, one of the organization's founding members, because there is an overwhelming frustration with the state of email and email trust. “Criminals think that email is the goose that keeps on laying,” said Peterson, who is also the CEO of email security company Agari Data. “There's an overall loss of trust in brands and of the online channels. If someone can't figure out if something is legitimate or not, they are just going to delete it.”
Today, DMARC is already being widely deployed in the b-to-c market, but b-to-b marketers and companies have been slower to deploy the standard, Peterson said. Less than 50% of all b-to-b marketers have taken initial steps toward DMARC compliance, he said.
To begin, he suggested that a company determine how its domain is being used—or abused—before it gets started protecting it. His company, Agari, provides a free DMARC domain assessment report that provides a brand vulnerability report card and DMARC record-creation tools. It also offers a brand impact assessment based on phishing attacks that have already happened against a domain. “All you have to do is give us your domain and prove that you work at the company,” he said.