Tuesday, February 7, 2012
The media perhaps didn't get the full story -- it's not so much a "group" waiting for other people to sign up and join -- it’s more that a small group of smart folks (who, like us, are already active in the industry groups Online Trust Alliance and the Messaging Anti-Abuse Working Group) sat down and solidified the technical specifications for an add-on to email authentication that was already starting to be used.
DMARC is essentially an email authentication add-on that allows email senders to specify how ISPs should deal with unsigned (non-authenticated) or failed (broken authentication) email messages referencing that sender’s domain name.
If you’re at least somewhat familiar with anti-phishing efforts, you might remember that way back in 2007 and 2008, PayPal forged a partnership directly with Yahoo and Google to give Yahoo Mail and Gmail the ability to bulk folder or reject faked PayPal messages, helping to protect mail recipients from receiving and falling for phishing scams and spoofed messages. If they were going to embark upon this process today, DMARC would be the mechanism by which they would implement this “policy statement” regarding forged messages making reference to PayPal.
That, at a very high level, is what you do with DMARC.
Marketers want to know: Should they be using DMARC? The short answer is, "yes, but..." ExactTarget supports DMARC, as it is a significant and important step forward in the fight against phishing, and as we bring our first client live with DMARC today, I am sure that we will see (and assist) many more clients as they begin to utilize it in 2012. But, there are important things to consider before moving forward.
Before considering DMARC, you need properly working email authentication, preferably authenticating all email messages with both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). (Something that ExactTarget's Sender Authentication Package handily provides.) You need to take into account every possible legitimate mail stream referencing your brand, including non-ET served messages, possibly even ones from corporate mail servers and other sources. If you don’t take care to account for these mail streams properly, it is possible that you’ll be accidentally telling ISPs to reject legitimate messages. DMARC is a technology you should implement carefully and only after understanding how it all works.
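To make the mail-stream risk concrete, here is an added example (not code from this post or from ExactTarget) that checks an inventory of mail streams against a published DMARC record and reports what receivers would be asked to do with each. The domain example.com, the stream names and their SPF/DKIM results are constructed, and relaxed alignment is simplified to "same domain or a subdomain of the From domain".

```python
# Constructed example data; example.com and all stream names are placeholders.
def parse_dmarc(txt):
    """Parse a DMARC TXT record ("v=DMARC1; p=...") into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags

def aligned(auth_domain, from_domain, mode):
    """Strict ("s"): exact match. Relaxed ("r"), simplified: also accept a
    subdomain of the From domain (receivers compare organizational domains)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or (mode != "s" and a.endswith("." + f))

def disposition(policy, from_domain, stream):
    """DMARC passes when SPF or DKIM passes AND is aligned with the From domain."""
    spf_ok = stream["spf"] == "pass" and aligned(
        stream["spf_domain"], from_domain, policy.get("aspf", "r"))
    dkim_ok = stream["dkim"] == "pass" and aligned(
        stream["dkim_domain"], from_domain, policy.get("adkim", "r"))
    return "deliver" if spf_ok or dkim_ok else policy["p"]

def audit(record, from_domain, streams):
    """Map each mail stream name to what the published policy asks receivers to do."""
    policy = parse_dmarc(record)
    return {name: disposition(policy, from_domain, s) for name, s in streams.items()}

STREAMS = {  # constructed inventory of streams using From: @example.com
    "esp_marketing":  {"spf": "pass", "spf_domain": "bounce.example.com",
                       "dkim": "pass", "dkim_domain": "example.com"},
    "corporate_mail": {"spf": "pass", "spf_domain": "example.com",
                       "dkim": "none", "dkim_domain": ""},
    "helpdesk_saas":  {"spf": "pass", "spf_domain": "mail.vendor.example",
                       "dkim": "none", "dkim_domain": ""},
    "spoofed":        {"spf": "fail", "spf_domain": "example.com",
                       "dkim": "none", "dkim_domain": ""},
}

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
                "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"):
        print(rec, audit(rec, "example.com", STREAMS))
```

Under `p=none` the unaccounted-for helpdesk stream only shows up as a failure to monitor; under `p=reject` it is refused alongside the spoofed mail, which is the accidental rejection described above.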
We think that DMARC works best as a part of a Domain Assurance strategy. Our Domain Assurance partner, Return Path, is ready and able to guide you through the process, starting with identification and monitoring of your mail streams, then leading to properly and safely implementing DMARC to help provide ISPs with the data they need to be able to block or bulk folder unwanted, unsafe fake messages that didn’t really come from your brand or company.
Do you want to learn more about what DMARC is, how it affects marketers like you, how to deal with phishing-related issues, and whether or not it makes sense for you to utilize DMARC? Join our DMARC webcast at 2 p.m. Eastern on February 29, hosted by Sam Masiello of Return Path and myself.
Hope to see you there!