DMARC: Your Secret Weapon for Email Brand Protection
The world of email authentication is swimming with acronyms: SPF, SID, DK, DKIM. Let's add another one to the mix: DMARC. Domain-based Message Authentication, Reporting and Conformance (DMARC) was developed by 15 large industry players, including Microsoft, Yahoo, AOL and Return Path. DMARC isn't just another shiny new authentication protocol. No, it may be just what was missing all along to protect brands from being spoofed and phished.
DMARC is the answer to the question every email and brand marketer asks: I'm authenticating now, so why aren't internet service providers blocking all those emails pretending to be me? Sender Policy Framework (SPF) is published information that tells ISPs which sending servers are authorized to send on behalf of the domain. DomainKeys Identified Mail (DKIM) is similar but uses a cryptographic signature on the message. The problem with these two methods is that they don't tell the ISPs what to do when an email fails the check. This is where DMARC steps in.
DMARC, like SPF and DKIM, is published as a record in the domain name system (DNS) under the sender's domain name. It states exactly what to do with a message that claims to come from a domain that has published authentication records but fails to pass them. For example, you can specify that spoofed messages be blocked outright, or quarantined into the spam folder (if the ISP allows for that).
The best thing about DMARC is the built-in feedback mechanism. Those familiar with feedback loops for complaints will appreciate this. For every spoofed email that fails authentication, the domain owner will receive a report of the authentication failure. This is helpful because it provides greater visibility into phishing and spoofing attacks and allows brands to react more quickly before serious damage is done, minimizing any brand trust issues that typically arise from phishing and spoofing.
Here's what you need to do next to get started:
1. If you're not yet publishing SPF and signing with DKIM, do that first. More than likely your domain or IT administrator will need to set this up, as well as the rest of the DMARC setup. If you're not sure you're using SPF, DKIM or DMARC, you can send a blank email to email@example.com and you'll get an immediate report on the results.
2. Create an email address at which you'd like to receive DMARC failure reports, something like firstname.lastname@example.org. Any address will do.
3. Create your DMARC record. You can use this DMARC wizard tool to make it easy. I recommend keeping your Mail Receiver Policy to "none" (the p=none tag) until you're certain that all your domains and mail streams are properly authenticating. Otherwise, you'll be inadvertently blocking a lot of valid emails.
4. Publish the output of that record as a TXT record in your DNS. Again, this is something your domain or IT admin will need to do.
5. That's it! You're done. Sit back and wait for the spoofing and phishing failure reports to come through to your specified address. If the reports show failures coming from your own mail streams, fix those first and make sure your own records are correct before telling the ISPs to reject all failures.
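As an added example (not code from the article or from any DMARC wizard tool), here is a small Python helper for steps 3 and 5: it checks the tags of a DMARC TXT record, then reads a constructed aggregate report (the IPs, counts and the "own sending servers" set are all made up for the example) and applies the article's advice of staying at p=none while your own mail streams are still failing.

```python
import xml.etree.ElementTree as ET

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a dict of tags; raise on malformed input."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    # The record must begin with v=DMARC1 and carry a valid policy tag.
    if not txt.strip().lower().startswith("v=") or tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    return tags

# Constructed aggregate (rua) report, trimmed to the fields used below.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.org</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.20</source_ip><count>12</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>300</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def failures_by_source(report_xml):
    """Return {source_ip: message count} for rows where both DKIM and SPF failed."""
    failures = {}
    for row in ET.fromstring(report_xml).iter("row"):
        evaluated = row.find("policy_evaluated")
        if evaluated.findtext("dkim") == "fail" and evaluated.findtext("spf") == "fail":
            ip = row.findtext("source_ip")
            failures[ip] = failures.get(ip, 0) + int(row.findtext("count"))
    return failures

def recommend_policy(failures, own_sources):
    """Step 5: stay at p=none while any of your own servers fail; otherwise the
    usual next step is p=quarantine before moving on to p=reject."""
    own_failing = sorted(ip for ip in failures if ip in own_sources)
    if own_failing:
        return "none", own_failing
    return "quarantine", []
```

Unknown failing sources (198.51.100.7 above) are the spoofers the article talks about; only failures from addresses you recognise as your own should hold you at p=none.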
If you'd like to learn more, the Online Trust Alliance is a great resource.