DMARC: Another Step in the Fight Against Email Phishing
DMARC allows email senders to automatically tell email inbox providers when all of their servers are authenticated.
As a result, when unauthenticated email arrives at an ISP purporting to be from a company that has published a DMARC record, the ISPs can more readily identify it as phony and take appropriate action.
The DMARC specification also allows senders to tell the ISPs what they would like done with phony messages pretending to be from their brands, such as quarantining or blocking them.
"The gap that has always existed between authentication and having ISPs enforce policy has always been that the ISPs didn't necessarily know whether a big-brand dot-com was authenticating all of their email," said Sam Masiello, general manager, anti-phishing services, for email deliverability and security firm Return Path, one of the companies involved in drafting DMARC.
"They may see some authenticated email coming in," he added. "But what they don't know is whether all of the email from big-brand dot-com is authenticated. DMARC allows us to close the loop between the brand and the ISPs."
He added: "Now the big-brand dot-com can say: 'I know I'm authenticating all of my email and I want the ISPs to enforce a specific policy on email that is not authenticated.'"
The DMARC specification also allows senders to get unauthenticated email purporting to be from them forwarded to them.
"The brand gets visibility into what's authenticating and what's not," said Masiello. "As a result, the brand can see if the email that is not authenticating properly is an actual phishing attack or possibly a third-party vendor they're working with that is not [authenticating] properly."
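To make the published policy and the report-back channel described above concrete, here is an added example, not taken from the article or from any of the companies named in it, of how a receiving mail system might read a sender's DMARC record and decide what to do with one message. The tag names (v, p, rua, ruf, adkim, aspf) are those of the DMARC specification; the sample record, the example.com domain and the function names are constructed, relaxed alignment is simplified to a parent/child domain match instead of a Public Suffix List lookup, and the pct and sp tags are ignored.

```python
# Added illustration: receiver-side handling of a DMARC record (constructed data).
SAMPLE_RECORD = ("v=DMARC1; p=reject; adkim=s; "
                 "rua=mailto:dmarc-reports@example.com")  # constructed sample

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # The version tag must come first, and a policy must be present and known.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    return tags

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') is simplified (assumption)
    to 'one domain is the other or a subdomain of it'."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if a == b:
        return True
    if mode == "s":
        return False
    return a.endswith("." + b) or b.endswith("." + a)

def evaluate(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return 'pass', the sender's requested policy, or 'no-policy'.
    spf_pass_domain / dkim_pass_domain are the domains that passed SPF / DKIM,
    or None when that check failed or was absent."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"
    spf_ok = spf_pass_domain is not None and aligned(
        from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass_domain is not None and aligned(
        from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    # One aligned pass is enough; otherwise the sender's policy applies.
    return "pass" if (spf_ok or dkim_ok) else tags["p"].lower()

def report_targets(record):
    """Addresses the sender asked to receive aggregate (rua) and failure (ruf) reports."""
    tags = parse_dmarc(record) or {}
    return {k: [u.strip() for u in tags[k].split(",")] for k in ("rua", "ruf") if k in tags}
```

A message that authenticates only for an unrelated domain gets the sender's requested policy, while mail from a third-party vendor signing with a subdomain fails under the strict DKIM setting in this record, which is the kind of case the reports are meant to surface.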
Besides Return Path, organizations involved in developing the DMARC specification include leading email providers AOL, Gmail, Hotmail and Yahoo! Mail; some of the most highly phished brands, including Bank of America, Fidelity Investments, PayPal, American Greetings, Facebook and LinkedIn; and email security concerns Agari, Cloudmark and Trusted Domain Project.
If there’s one word that most aptly describes Ken Magill’s coverage of online marketing, it’s fearless. For more than a decade, Magill has built a reputation for calling it like he sees it no matter who may get offended. Some marketers read his column just to make sure they’re not in it. In a trade-publishing market populated mostly by vendor representatives who must watch what they say, Magill stands out as the one guy who says what he thinks. Moreover, he often writes what others are thinking, but are afraid to say. He can even be very funny.
Having been a direct marketer, and having covered online marketing since 1997 for DM News, Direct, Chief Marketer and Multichannel Merchant magazines, Magill offers a unique, informed perspective on the evolution of digital selling. He was also founding editor of trade weekly iMarketing News and Magilla Marketing, a newsletter dedicated to e-mail.
He is currently founding editor of the recently launched trade weekly email newsletter The Magill Report.