DMARC: Another Step in the Fight Against Email Phishing
Is there any topic more certain to make a marketer’s eyes glaze over with boredom than email authentication?
Don’t answer. That was rhetorical.
However, there was an email-authentication-related development earlier this week that marketers who use email should take note of. It may begin to tip the scales in the battle against phishing—fraudulent email pretending to be from a well-known brand in order to get users’ account information—in favor of the good guys.
A group of 15 of the Internet’s most well-known brands has unveiled a plan aimed at shoring up some of the shortcomings that have plagued the implementation and use of email authentication. The plan is dubbed Domain-based Message Authentication, Reporting and Conformance, or DMARC (dee-mark).
The scheme is an extension of email authentication, in which senders publish certain information, such as which IP addresses are authorized to send messages on their brand’s behalf, so that ISPs can more readily identify email coming from those brands.
However, though authentication helps identify authorized senders, ISPs have apparently struggled with what to do with unauthenticated messages. The reason: Just because they’re not authenticated doesn’t necessarily mean they’re fraudulent.
For one thing, email authentication has not reached 100 percent adoption. Moreover, many emailers who have implemented email authentication have reportedly not authenticated all of their outbound messaging.
For example, a company’s marketing messages might be authenticated while its customer service or transactional messages are not.
And in instances where companies have authenticated all of their email, there is still the difficulty of informing all the various ISPs that the authentication process for a particular brand is complete.
Most companies don’t have the relationships with ISP abuse desk employees that would be necessary for them to communicate that any unauthenticated email purporting to come from their brand is probably phony.