If you have any interest in the latest news around email, email security, or phishing, you’ve probably heard the buzz following last week’s announcement of DMARC (which stands for Domain-based Message Authentication, Reporting & Conformance), a new technology to help fight phishing and spoofed emails. Along with all of the interest that we have seen both from the media and from the industry at large, I’ve still seen a fair amount of confusion around what DMARC currently is and is not. I wanted to take a couple of moments to help provide a bit more clarity on the topic as well as discuss some of the upcoming ways in which Return Path is helping to continually educate the email and security world on DMARC.
Let me start off by saying that I think the DMARC launch is an incredible step forward for the industry. Our data shows that despite the efforts that are being put into quickly identifying and stopping phishing emails today, frequently 10% or more still end up leaking through to end users. The open and engagement rates on these messages are very disturbing, frequently ranging from 5-25% of the messages that get delivered. Even with spam filters adapting to new attacks and takedown vendors quickly working to have phishing sites taken down, DMARC has the ability to help companies that are targets of phishing prevent these attacks from ever reaching user inboxes.
Phishing has far-reaching effects today: damaging brand loyalty, hindering email marketing ROI, and costing real dollars to refund customers who have been victimized by an attack. Even though DMARC is not intended to stop all spam and phishing, I believe it presents an excellent solution to the problem of phishing attacks that directly spoof a brand’s domain and will be an important weapon in how companies protect their customers going forward. Given enough adoption by ISPs and brands alike, DMARC will force spammers to leverage other tactics in an attempt to trick people into giving up their sensitive information. Without the ability to directly spoof their target’s domain, their efforts will be less viable, reducing the effectiveness of phishing as an attack vector.
In an effort to continue the education process on the merits of DMARC, Return Path will be working with its ESP partners to develop a series of webcasts on how you can get ready for DMARC and how our product, Domain Assurance, can help you make sense of the data coming in from ISPs who support the technology. The first of these will be with Al Iverson from ExactTarget on February 29. Read Al’s blog post to learn more and to sign up for the webinar. In the meantime, you can learn more about DMARC and create your own DMARC record here.
Only time will tell what the lasting effects of DMARC will be, but by encouraging adoption of the technology and having brands like Facebook, PayPal, Fidelity, Bank of America, and others as part of the team that founded the technology, the warning shot has been fired. Spam and phishing are still an evolving problem, and the protection measures being employed need to continue, and are continuing, to evolve to address the ongoing threat.