Social media platforms rise and fall – through it all email remains a primary communication channel. Many “email killer apps” are rolling out features that integrate email notification in the engagement process. In order to sign up to use such apps, the user is often required to have an email address for authentication, identification and verification purposes. In fact, most “email killer apps” still rely on email as a primary notification channel. Herein lies the irony… as well as the need for online brand reputation.
Sam Masiello, Head of Application Security at Groupon, highlighted the important role email and DMARC continue to play in online communications today in the Best Practices track during Interact 2013.
Email is a prerequisite to signing up for any online account and the gateway to your online life — which is precisely why cybercriminals continue to target email to gain access to your personal information. Many forms of email authentication exist, one of which is ADSP (Author Domain Signing Practices), an extension to DKIM. None of these are perfect. ADSP, for example, has key gaps: it has no reporting capability and no visibility. It could only be used to set policy and was only adopted by one major provider as the standard – Google.
Unlike ADSP, DMARC enjoys the support of major ISPs and mailbox providers — one of the secrets to its success. DMARC celebrated its first birthday in January 2013, but was in development for two years before it was launched.
DMARC is an important part of the email ecosystem, and many global email providers and top senders of email have adopted it. It protects 60% of global mailboxes, or 1.9 billion mailboxes, and 80% of consumer mailboxes. In Dec 2012, DMARC blocked 325 million messages.
Brands on the DMARC bandwagon include the following:
Groupon, for example, sees phishing attacks every day on their brand, but DMARC is helping to defend against these attacks. Cyber criminals are becoming increasingly sophisticated and it is getting harder to differentiate authentic emails. Sam illustrated this with an example:
Think this is from Groupon? Think again. While it looks uncannily similar to Groupon’s daily deals, the address should set off warning bells.
Groupon currently has DMARC deployed in 9 countries. Blizzard is another brand that has successfully deployed DMARC to increase brand trust and reduce consumer trust erosion after large scale phishing attacks.
Why Do We Need DMARC?
Threats to email security emerged due to the impact of poor SMTP design. SMTP was developed to send a message from Point A to Point B with no thought to security.
Other email authentication tactics do exist, but DMARC’s advantage here is that it complements the existing email ecosystem. It sits on top of DKIM and SPF, allowing you to get better value out of email authentication.
- SPF: Path-based authentication, authorized servers published via simple DNS record, low deployment cost
- DKIM: Signature-based authentication, requires cryptographic operation by email gateways, public keys published via DNS, can survive auto-forwarding
- DMARC: Leverages SPF and DKIM as authentication mechanisms, provides visibility, email senders set policy to declare how they want email receivers to process email that fails authentication
The Three D’s of DMARC
DMARC is for everyone; it’s easy to deploy, and it is not a deliverability tool. DMARC is not able to stop all phishing attacks; however, it solves the problem of direct domain spoofing. Authentication has been trending in the direction of giving senders and receivers control and visibility over messaging streams.
The business value of DMARC includes:
- Increased user trust and loyalty in branded emails
- Visibility into consistent application of best practices
- Visibility into compliance assessment
The technical value of DMARC includes:
- A way for ISPs and mailbox providers to confidently identify your mail
- Support by major international ISPs and mailbox providers
- Ability to set policy on how you want ISPs to handle illegitimate email
- Feedback loop to understand where spoofed email is coming from and where your legitimate mail is failing authentication
Businesses do not have to authenticate all mail today to publish a DMARC record. DMARC protects your brand and it’s easy to get started. In the words of Sam,
DMARC deployment is a journey, not a destination.
To learn more about DMARC from Sam Masiello from Groupon, watch the Don’t Deprioritize DMARC webinar to discover the benefits of adopting DMARC email authentication!