5 Points Email Marketers Need to Understand About DMARC, Authentication and Phishing
Dawes says this is especially true at larger companies. "Mail environments can be very complex, involving many machines, multiple data centers and third-party providers (email marketing, campaign management, sales and support tools). Keeping track of this ever-changing environment is complex, and ensuring all pieces are doing the right thing [is] difficult."
Kucherawy cautions that marketers need to know that SPF, DKIM and DMARC are in place—not just one of the email authentication tools. "DMARC, as currently designed, can't work properly without at least one of SPF and DKIM (and preferably both) being deployed."
Dawes says organizations can go ahead and add DMARC now: "If a domain is 100 percent sure that they are signing all of their outbound mail (SPF breaks under certain circumstances, so you don't want to rely solely on it), you can publish a DMARC block record now and it will be observed at Gmail. Other DMARC.org members (Hotmail, Yahoo) are working on their own support."
2. Customers touched by spammers and phishers may be once burned, twice shy.
An overly spoofed brand may find customers marking legitimate email messages as spam, Masiello says. "Phishing does not affect deliverability directly, but we have seen evidence that the legitimate messages from highly phished brands can reduce engagement and generate more user complaints (the recipient confuses the real message with the fake ones and clicks the 'this is spam' button). Reduced engagement, combined with increased complaint rates, will affect reputation and reduce inbox placement rates (IPR)."
3. Even if email authentication is working wonderfully, marketers still need to write emails for humans.
They're the ones who will ultimately be determining what's real and what's fake. Kucherawy says, for instance, recipients know when a message from a certain domain seems out of context.
"There will probably be an automatic assumption that deploying DMARC means greater access to user inboxes," he says. "This isn't guaranteed, just as it wasn't guaranteed with DKIM and SPF. … The bad guys can use an open standard just as easily as the good guys can."