On Your DMARC, Get Set, Go! Putting Integrity into Your Email Security Policy, Part 2

By Linda Musthaler | May 17, 2013

Posted in: Network Security Trends

In Part 1 of this post about the DMARC (Domain-based Message Authentication, Reporting and Conformance) standards for digital messaging integrity, Alec Peterson of Message Systems and Sam Masiello of Groupon, both representing DMARC.org, gave us great information about the new technical specification designed to reduce the phishing abuse of known and controlled domains. Today we pick up where we left off to discuss how companies use DMARC, what benefits they get from it, and what you can do to deploy this standard within your own organization.

Linda:  Is there evidence that using the DMARC specifications really helps to reduce spam and phishing emails?

Alec Peterson:  DMARC is not an anti-spam technology per se. When you look at the various unwanted messages you might get in your inbox – be it watch advertisements or fake Viagra – there are other technologies that speak to that and DMARC is not designed to be a silver bullet to deal with all messaging abuse. The specific abuse that DMARC is targeted against is the phishing abuse of known and controlled domains. That said, I can tell you that the DMARC standard was responsible for blocking 325 million unauthenticated messages in November and December 2012 alone. Certainly this had to have helped in reducing the receipt of malicious mail.

Linda:  Can you give an example of how a specific company uses the DMARC standard?

Alec Peterson:  If you think of an entity that would be prone to phishing, it would be PayPal. Before DMARC existed, PayPal was doing effectively what DMARC does but on an ad hoc basis with ISPs and carriers. They had relationships with some carriers to agree that if they got a message from PayPal and it was not authenticated, they were not to accept it.

They are very pleased with the ability to now officially make that happen using the DMARC standards. Now PayPal can have confidence that when they send messages to a service provider that subscribes to DMARC, a message that says it is from PayPal will not end up in the inbox unless it genuinely comes from PayPal. That is an incredibly powerful statement to make. What’s more, the reporting capability of DMARC gives them the ability to quantify that.

Linda:  For companies whose business model requires them to send a lot of email messages to customers and prospects, what are the benefits of DMARC?

Sam Masiello: DMARC provides both business and technical benefits. There really isn’t a lot of trust in email right now because there isn’t a good way for mail recipients to discern for themselves if an email is legitimate or not. One of the business benefits of DMARC is that it helps increase that consumer trust in the emails that are coming from your brand when you put that policy statement in place that says, “I am authenticating all of my mail, so help keep all of the bad emails out of recipients’ inboxes.”

A side effect of this is that over time, you start to increase your brand loyalty. Back in the day when PayPal was being phished all the time – they were the top phish brand on the Internet – people would not read any email that came from PayPal, whether it was legitimate or not, because they had no idea whether what they were reading was actually coming from PayPal or coming from a bad guy. When you use DMARC, over time you help people realize that your legitimate emails are the only ones getting into the inbox. This helps to increase your brand loyalty and decrease your brand erosion. This is critically important for companies that generate business through the emails they send to customers and prospects.

Another benefit is that, from a brand perspective, DMARC can give you visibility into who within your own organization is applying these email authentication best practices. Email authentication has been a best practice since 2004 when SPF first came about and 2005 when DKIM came about, but what there really hasn’t been on the part of the brand owners was the knowledge as to whether or not those best practices were being consistently applied across the organization. Now through the reporting capabilities that you get from DMARC, you can see what is legitimately coming from you and what is authenticating and what isn’t. That’s also important from a compliance perspective. For example, you can see if you have this marketing group acting on your behalf that is not following the policies you developed internally. From a business perspective, there’s a lot of power and benefit that the DMARC specification can provide to a company.

Alec Peterson:  From a technical perspective, there is now a formal way for ISPs and mailbox providers – the Comcasts, Googles and Yahoo!s of the world – to be able to confidently identify mail that’s coming from your domain at an Internet scale. This ad hoc arrangement that PayPal made with ISPs back in 2007 worked pretty well for them but that didn’t necessarily scale to the rest of the Internet. DMARC resolves that scaling issue.

Linda:  What else is important for Security Bistro readers to know?

Sam Masiello:  When the bad guys are out there setting up these phishing emails, no brand is immune from getting targeted by phishing attacks. Whether it is Bank of America or Groupon or even if it’s a small business, every business has information and customers that they want to protect. It’s important to note that this DMARC technology is something that was developed to protect businesses and brands of all sizes, not just the big guys. There has been a lot of support from that perspective on the part of the ISPs and the large brands. The fact that we have the support from the major mailbox providers and major ISPs to stop this problem shows that it’s a pretty big problem and it’s important to solve it, not only for the ISPs who are delivering these emails to the inboxes but also for the brands whose names are being tarnished every single day when the bad guys are out there trying to send out these phishing emails.

Linda:  So what is the call to action for my readers? What do we want them to do?

Sam Masiello:  From the standpoint of being able to protect your brand, DMARC is something that you can deploy today because it has those two mechanisms. It has that reporting mechanism and it has that policy mechanism. The call to action is to deploy DMARC today and start getting visibility into where all of your legitimate mail is coming from and, if you have a phishing problem, you’ll see where all the phishing emails are coming from as well. Once you have that increased visibility, you can work toward deploying a policy so that the ISPs can start blocking mail that is not coming from you.

Alec Peterson:  I would call DMARC the compelling event that is giving you the tools that you need to make the integrity of your messaging an integral part of your information security policy.

Messaging has often been seen as having issues but until recently, we haven’t had the tools that we need to make meaningful steps in that direction. For a few years now, we’ve had the ability to set authentication standards but we haven’t had the ability to enforce the policy from an information security point of view. We see DMARC as the compelling event and you now have no excuse to not make messaging security a first-class member of your infosec policy. Now the tools are there and everybody’s using it and it’s time to really make that happen.


So there you have it, readers. Now you know the whys and hows of protecting your company’s brand by authenticating the integrity of your outbound email messages. To get information and resources to help you deploy DMARC today, go to www.dmarc.org. Check out the FAQ and the Resources pages.
