5 Points Email Marketers Need to Understand About DMARC, Authentication and Phishing
Dawes says the method mail clients use to show recipients which messages are authenticated is up to them. Gmail uses "a gold key [symbol] for messages from highly spoofed domains that have DMARC enforced. We are currently evaluating whether to expand this going forward."
4. Implementing email authentication won't give marketers a license to send just anything. Masiello says: "DMARC does nothing to help with deliverability. Emails that are sent from domains with DMARC implemented are still subject to all the normal processes that ISPs use to filter incoming mail. Bottom line: Your email can still be blocked or bulked, even if you are fully authenticating."
5. Understand that email authentication, and DMARC specifically, is evolving. DMARC.org says: "By creating this feedback loop between ISPs and brands, DMARC allows brands to create policy statements that instruct ISPs to block or quarantine messages that aren't properly authenticated, providing the necessary framework to thwart phishing attempts and enabling widespread deployment of a trusted email ecosystem."
But Kucherawy says implementation may take a little time for organizations. "The creation of a policy statement is trivial, once the company decides what that policy should contain," he says. "Mechanically, it's about as simple as putting up a Web page. The company then just needs to ensure it's ready to receive the feedback that the policy statement will generate, including the possibility of rejected email.
"Most of the internal work comes in when developing a plan to watch what DMARC does and increase its strength as results are observed," he continues. "And then there's also a whole lot of internal infrastructure and auditing work to be undertaken if you haven't already deployed SPF and DKIM. It is very important to understand exactly what those protocols do and don't do before throwing the switch on a DMARC deployment. What exists today in the public domain is the draft specification for the protocol. What needs to be developed and deployed is the software that looks for and enacts the policy it discovers. The Trusted Domain Project has started this work and will release it as open source when it's ready for testing."
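The policy statement and the staged strengthening described above can be checked mechanically. The following is an added example, not code from the article or from the Trusted Domain Project: a small parser that reads a DMARC policy record and flags rollout gaps. The tag names (`v`, `p`, `pct`, `rua`) come from the published DMARC specification (RFC 7489); the records and `example.com` addresses are constructed.

```python
# Added example, not from the article. Tag names follow RFC 7489;
# the records and example.com addresses below are constructed.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record):
    """Split a DMARC TXT record into an ordered {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags

def assess(record):
    """Return the policy, its relative strength, and rollout warnings."""
    tags = parse_dmarc(record)
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in STRENGTH:
        raise ValueError(f"missing or unknown p= value: {policy!r}")
    pct = int(tags.get("pct", "100"))  # default is 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    reports = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    warnings = []
    if not reports:
        warnings.append("no rua: aggregate feedback will not be received")
    if policy == "none":
        warnings.append("monitoring only: failing mail is not acted on")
    elif pct < 100:
        warnings.append(f"{policy} applies to only {pct}% of failing mail")
    return {"policy": policy, "strength": STRENGTH[policy], "pct": pct,
            "reports": reports, "warnings": warnings}

# Constructed records for a staged rollout, weakest to strongest.
STAGES = [
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=reject",
]

if __name__ == "__main__":
    for rec in STAGES:
        print(rec, "->", assess(rec))
```

The third record enforces the strongest policy but publishes no reporting address, so the sender would be rejecting mail without the feedback needed to see what is being rejected.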