5 Points Email Marketers Need to Understand About DMARC, Authentication and Phishing
It's tempting to point out that email authentication can be boring to marketers. And that many believe it's not in their job descriptions—despite all the efforts to bust down silos between departments. But all of that's obvious. Here's what many marketers may not realize about email authentication:
Proper email authentication not only makes sure marketers' messages get through, but that the fakes don't; thereby likely increasing revenue, says Sam Masiello, general manager and chief security officer at New York-based email performance management company Return Path. That's because spam and brand spoofs can really cut down on recipients' trust. "The more phished messages make it to the inbox, the more likely that brand's real emails will draw complaints, contributing to a decrease in email effectiveness rates and potentially lost revenue and customers."
To solve that problem, Return Path worked with 14 other email service and technology providers to create a mechanism that will allow authenticated email from marketers into the inbox and block out all the potential rulebreakers. Wigs and mustaches won't work anymore: Domain-based Message Authentication, Reporting and Conformance (DMARC) will be wise to all the spammers and phishers disguised as spoofed brands, according to the Jan. 30 announcement by DMARC.org, a technical working group dedicated to "developing standards for reducing the threat of deceptive emails, such as spam and phishing."
Masiello boils down what marketers can say once they implement DMARC: "Hey ISPs, my email is all set. Block anything that doesn't pass SPF and DKIM." (SPF stands for "Sender Policy Framework" and DKIM is short for "DomainKeys Identified Mail.")
Providing more elaboration on the marketing benefits of DMARC are Masiello and:
- Adam Dawes, product manager at Mountain View, Calif.-based Google; and
- Murray S. Kucherawy, president and CEO of The Trusted Domain Project, a non-profit dedicated to "supporting research and development of open software and open standards."
1. Even if marketers don't want to implement email authentication themselves, they should at least make sure someone in the organization is doing it.
According to DMARC.org, which says it's got a solution to this situation: "Senders remain largely unaware of problems with their authentication practices because there's no scalable way for them to indicate they want feedback and where it should be sent."
Dawes says this is especially true at larger companies. "Mail environments can be very complex, involving many machines, multiple data centers and third-party providers (email marketing, campaign management, sales and support tools). Keeping track of this ever-changing environment is complex, and ensuring all pieces are doing the right thing [is] difficult."
Kucherawy cautions that marketers need to make sure SPF and DKIM are in place alongside DMARC, not just one of the email authentication tools on its own. "DMARC, as currently designed, can't work properly without at least one of SPF and DKIM (and preferably both) being deployed."
Dawes says organizations can go ahead and add DMARC now: "If a domain is 100 percent sure that they are signing all of their outbound mail (SPF breaks under certain circumstances, so you don't want to rely solely on it), you can publish a DMARC block record now and it will be observed at Gmail. Other DMARC.org members (Hotmail, Yahoo) are working on their own support."
2. Customers touched by spammers and phishers may be once burned, twice shy.
An overly spoofed brand may find customers marking legitimate email messages as spam, Masiello says. "Phishing does not affect deliverability directly, but we have seen evidence that the legitimate messages from highly phished brands can reduce engagement and generate more user complaints (the recipient confuses the real message with the fake ones and clicks the 'this is spam' button). Reduced engagement, combined with increased complaint rates, will affect reputation and reduce inbox placement rates (IPR)."
3. Even if email authentication is working wonderfully, marketers still need to write emails for humans.
They're the ones who will ultimately be determining what's real and what's fake. Kucherawy says, for instance, recipients know when a message from a certain domain seems out of context.
"There will probably be an automatic assumption that deploying DMARC means greater access to user inboxes," he says. "This isn't guaranteed, just as it wasn't guaranteed with DKIM and SPF. … The bad guys can use an open standard just as easily as the good guys can."
Dawes says the method mail clients use to show recipients which messages are authenticated is up to them. Gmail uses "a gold key [symbol] for messages from highly spoofed domains that have DMARC enforced. We are currently evaluating whether to expand this going forward."
4. Implementing email authentication won't give marketers a license to send just anything.
Masiello says: "DMARC does nothing to help with deliverability. Emails that are sent from domains with DMARC implemented are still subject to all the normal processes that ISPs use to filter incoming mail. Bottom line: Your email can still be blocked or bulked, even if you are fully authenticating."
5. Understand that email authentication, and DMARC specifically, is evolving.
DMARC.org says: "By creating this feedback loop between ISPs and brands, DMARC allows brands to create policy statements that instruct ISPs to block or quarantine messages that aren't properly authenticated, providing the necessary framework to thwart phishing attempts and enabling widespread deployment of a trusted email ecosystem."
But Kucherawy says implementation may take a little time for organizations. "The creation of a policy statement is trivial, once the company decides what that policy should contain," he says. "Mechanically, it's about as simple as putting up a Web page. The company then just needs to ensure it's ready to receive the feedback that the policy statement will generate, including the possibility of rejected email.
"Most of the internal work comes in when developing a plan to watch what DMARC does and increase its strength as results are observed," he continues. "And then there's also a whole lot of internal infrastructure and auditing work to be undertaken if you haven't already deployed SPF and DKIM. It is very important to understand exactly what those protocols do and don't do before throwing the switch on a DMARC deployment. What exists today in the public domain is the draft specification for the protocol. What needs to be developed and deployed is the software that looks for and enacts the policy it discovers. The Trusted Domain Project has started this work and will release it as open source when it's ready for testing."
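As an added illustration of the policy statement Kucherawy describes in point 5 and the DMARC record Dawes says a domain can publish in point 1 (example code written for this edit, not from the article, Return Path, Google or DMARC.org), the Python below parses a DMARC TXT record and applies its p=, pct= and alignment tags to one message's SPF/DKIM results. The tag names (v, p, pct, rua, adkim, aspf) are the DMARC spec's; the records, domains and the roll parameter are constructed assumptions.

```python
# Added example (not from the article, Return Path or DMARC.org): parse a
# DMARC TXT record and apply its policy to one message. Tag names follow
# the DMARC spec; the records and domains below are constructed samples.
from __future__ import annotations

MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCE = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=quarantine; pct=50' into tags, filling spec defaults."""
    rec = {"pct": "100", "adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            rec[key.strip().lower()] = val.strip()
    if rec.get("v") != "DMARC1" or "p" not in rec:
        raise ValueError("not a DMARC record: " + txt)
    return rec

def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real receivers consult the public
    # suffix list, so this gets multi-part suffixes such as .co.uk wrong.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(auth_domain: str | None, from_domain: str, mode: str) -> bool:
    """Does the domain that passed SPF/DKIM align with the From: domain?"""
    if auth_domain is None:          # that check failed or was absent
        return False
    if mode == "s":                  # strict: exact match required
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record: str, from_domain: str,
                      spf_domain: str | None, dkim_domain: str | None,
                      roll: int = 0) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message.
    spf_domain / dkim_domain: the domain each check passed for, or None.
    roll: a 0-99 sampling value used against pct= (fixed here for testing)."""
    rec = parse_dmarc(record)
    if (aligned(spf_domain, from_domain, rec["aspf"])
            or aligned(dkim_domain, from_domain, rec["adkim"])):
        return "pass"                # one aligned pass is enough
    if roll >= int(rec["pct"]):      # message outside the pct= sample:
        return "quarantine" if rec["p"] == "reject" else "none"
    return rec["p"]

if __name__ == "__main__":
    # A spoof that passes SPF for the phisher's own domain is still rejected.
    print(dmarc_disposition(ENFORCE, "example.com", "phisher.net", None))
```

The rua= address is where receivers send the aggregate feedback the article says a sender must be ready to receive; a monitor-only record (p=none) with rua= set is the usual first step before tightening to quarantine and then reject.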