As a marketer, you must always safeguard the trust that customers have in your brand. This can be difficult, as a brand’s public perception is often shaped by things beyond your control. These days this includes spammers, phishers and other online criminals who misuse brands and exploit the customer trust they’ve built so carefully. Many marketers today are wondering what they can do to combat these evildoers.
One solution is DMARC (Domain-based Message Authentication, Reporting and Conformance), a new standard that builds on the existing SPF and DKIM authentication tools and lets a brand publish, in DNS, how receivers should treat email that fails authentication and where to send reports about it.
Building on SPF and DKIM
DMARC builds on Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), tools that emerged in recent years to combat criminals who attempt to make malicious emails appear as if they’re coming from a trusted brand. (Microsoft’s Sender ID was a related earlier proposal; DMARC does not use it.)
SPF lets a receiver check that the server handing over a message is one the sending domain has authorized in DNS. The domain it checks is the envelope sender (the return path), not the “From” address the recipient sees. DKIM adds a cryptographic signature, verified against a public key published in the signing domain’s DNS, that shows the signing domain took responsibility for the message and that the signed headers and body have not been altered since it was signed. By implementing SPF and DKIM, you give receivers a way to tell which emails really were authorized by you; on their own, though, they say nothing about what to do with the rest, and most receivers treat a failure as just one more input to their spam filters.
The Power of DMARC
As helpful as SPF and DKIM are, there are limitations to these tools. Neither one ties the domain it authenticates to the “From” address the recipient actually sees, so a forged message can pass SPF for the criminal’s own envelope domain while displaying your brand. Whether receiving mail servers check SPF and DKIM at all, and what they do with a failure, is beyond your control. And even where receivers do act on a failure, there’s no standardized way to send feedback to you about it, a limitation that can create undesirable delays in discovering that large amounts of spam are being generated using your brand.
DMARC, working in conjunction with SPF, DKIM and other email best practices, helps solve these problems by:
- Offering the recipient’s server/email administrator clear instructions on how to handle email that fails DMARC, meaning mail for which neither SPF nor DKIM passes with a domain that aligns with the “From” address (reject, quarantine or let it through)
- Providing an email address to which receivers send aggregate reports covering all mail that claimed to be from your domain, passing and failing, on a regular schedule (daily by default). This gives marketers a standing view of who is sending as their brand, and early warning when it’s being abused.
- Enabling the sender to name a second address for failure reports, individual forensic samples of messages that failed, which not all receivers send. Aggregate reports are XML, allowing compilation of statistics if desired; failure reports use the Abuse Reporting Format (the afrf value of the rf tag).
As powerful as DMARC is at helping protect your brand, it’s important to note that it doesn’t solve all aspects of email abuse. For instance, it doesn’t address the issue of “cousin domains”, where criminals register a domain that looks similar to yours (e.g. using the domain “example-orders.com” to pretend to be a transaction from example.com): the criminal controls that domain and can publish perfectly valid SPF, DKIM and DMARC records for it. And while DMARC protects the domain in the “From” address, it doesn’t address the display name, so a message from “Example Orders <orders@example.net>” can pass DMARC for example.net while showing your brand’s name to the recipient.
But the positive impact is enormous, and the technology is straightforward (DNS records and XML reports) and easy to add if you already have SPF and DKIM in place. One caveat: DMARC requires that the domain in the “From” address aligns with the domain that SPF or DKIM authenticated. For SPF that is the domain in your return path (the envelope sender); for DKIM it is the signing domain in the signature’s d= tag. Only one of the two has to align, but if your mailings go out through a vendor that uses its own return-path domain and signs with its own DKIM domain, neither aligns and the mail fails DMARC even though SPF and DKIM both pass. So even if you’re using SPF and DKIM already, you may need to adjust your DNS and sending configuration (for instance, a custom return-path domain or a DKIM key published under your own domain) before turning on DMARC.
Silverpop partner ReturnPath has a free online DMARC record tool you can use to create the necessary DNS record. You’ll need the following items:
- Domain name: This should be the domain used in the “From” address of your mailings, often a subdomain of your company or brand domain. If it’s your company’s root domain, coordinate with your corporate email administrator on these settings, since a record on the root domain covers corporate mail too and, by default, its subdomains. DMARC allows different policies for different subdomains (a record published on the subdomain itself, or the sp= tag on the parent record), so the policy for your marketing emails can be different from the one chosen for corporate mail.
- Email address for receiving feedback: You’ll receive aggregate feedback (the rua tag) and forensic information (the ruf tag). You can provide two different addresses, or the same one for both. If a report address is in a different domain from the one publishing the policy (a vendor’s reporting service, say), that domain must publish a TXT record at yourdomain._report._dmarc.reportdomain (for example.com reporting to example.net, that is example.com._report._dmarc.example.net) with the value “v=DMARC1” to show it agrees to receive your reports; receivers will not send reports to an address that lacks it.
- A policy for how recipient servers should deal with non-conforming email: You can choose from the following three options:
- “Reject”: Refuse the message outright, normally during the SMTP transaction, so it never reaches a mailbox.
- “Quarantine”: Treat the message as suspicious, which in practice usually means delivering it to the spam or junk folder rather than the inbox.
- “None”: Deliver it normally. Choose this option to receive reports without affecting deliverability; we recommend it during the initial DMARC test phase.
- A percentage of messages for which the policy is applied: If you’ve picked “Quarantine” or “Reject” and are concerned that deliverability might be impacted, you can ask receivers to apply the policy to only a percentage of failing messages (the pct tag). Receivers handle the remainder under the next less strict policy, quarantine instead of reject or none instead of quarantine, so raising the percentage over time is a safe way to ramp up enforcement.
Once you’ve filled out the form and chosen “Submit,” you’ll get a DMARC record that will look something like this:
v=DMARC1; p=reject; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; rf=afrf; pct=100
Share this with the DNS administrator for your company. He/she publishes it as a TXT record at the name _dmarc under your “From” domain (for example.com, that is _dmarc.example.com).
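To make the alignment and percentage rules concrete, here is an added Python example (not code from this post, Silverpop or Return Path) that parses a DMARC TXT record, rejects the malformed variants a receiver would ignore, and then evaluates individual messages the way a receiving server does. The record and addresses are constructed for the example, and the organizational-domain lookup is simplified to the last two labels; a real receiver consults the Public Suffix List.

```python
"""Parse, validate and evaluate a DMARC record the way a receiver does.

Added example, not code from the original post, Silverpop or Return Path.
Assumptions: the sample record and addresses are constructed; org_domain()
is simplified to "last two labels" (a real receiver uses the Public Suffix
List, where e.g. example.co.uk has three).
"""

# Constructed record, as it would be published at _dmarc.example.com
SAMPLE_RECORD = (
    "v=DMARC1; p=reject; rua=mailto:dmarc-agg@example.com; "
    "ruf=mailto:dmarc-fail@example.com; rf=afrf; pct=100;"
)

VALID_POLICIES = {"none", "quarantine", "reject"}
# pct= leaves the remainder under the next less strict policy (RFC 7489 6.6.4)
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag dict, applying the RFC 7489 rules
    that make a receiver ignore the whole record: v=DMARC1 must come first,
    p= is required and must be a known policy, pct= must be 0..100, and
    report URIs must be mailto:.  Defaults are filled in for missing tags."""
    tags, order = {}, []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        name = name.lower()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
        order.append(name)
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("v=DMARC1 must be the first tag")
    if "p" not in tags:
        raise ValueError("p= (policy) is required")
    tags["p"] = tags["p"].lower()
    if tags["p"] not in VALID_POLICIES:
        raise ValueError(f"unknown policy {tags['p']!r}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError("pct must be an integer from 0 to 100")
    tags["pct"] = int(pct)
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")      # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    for uri_tag in ("rua", "ruf"):
        for uri in tags.get(uri_tag, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                raise ValueError(f"{uri_tag} must be a mailto: URI, got {uri!r}")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified (assumption) to the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') is an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
             sample=0.0):
    """Return (dmarc_result, disposition) for one message.

    DMARC passes when SPF or DKIM passes AND that identifier's domain aligns
    with the RFC5322.From domain; one aligned pass is enough.  `sample` is a
    value in [0, 1) standing in for the receiver's random draw against pct=."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    policy = record["p"]
    if sample * 100 >= record["pct"]:
        policy = DOWNGRADE[policy]
    return ("fail", policy)


if __name__ == "__main__":
    rec = parse_dmarc(SAMPLE_RECORD)
    # Marketing mail via a vendor: SPF passes for the vendor's bounce domain
    # (not aligned) but the DKIM signature is d=example.com, so DMARC passes.
    print(evaluate(rec, "news.example.com", "pass", "bounce.esp-example.net",
                   "pass", "example.com"))
    # Spoof: the attacker's own SPF passes but nothing aligns -> reject.
    print(evaluate(rec, "example.com", "pass", "attacker.example.net", "none", ""))
```

The second call in the usage section is the case DMARC exists for: the attacker’s mail passes SPF for a domain the attacker controls, but because that domain does not align with the “From” domain the message is rejected. Try the same calls with adkim=s in the record to see how strict alignment breaks a subdomain From address signed with the parent domain’s key.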
What to Expect
Once DMARC is in place, you’ll begin receiving reports from receiving domains that evaluate DMARC, whether or not they enforce your policy. Major vendors such as Gmail and Yahoo already support this, and since aggregate reports are sent on a daily cycle by default, the first ones usually arrive within a day. They come as compressed XML attachments from many different reporters, so process them as untrusted input. The DMARC website has resources you can use to process the reports, such as sample scripts.
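As an added example of what to do with those reports (not code from this post or from the DMARC website’s sample scripts), the Python below parses a constructed aggregate report in the RFC 7489 XML format and totals passing mail, dispositions, and the sources that failed, which is the list you would check against your known senders. The reporter, IP addresses, domains and counts are made up for the example.

```python
"""Summarize a DMARC aggregate report (RFC 7489 Appendix C XML).

Added example, not code from the original post or the DMARC website's
sample scripts.  The report below is constructed: reporter, IPs, domains
and counts are made up.  Real reports arrive as gzip/zip attachments from
many unknown senders, so treat them as untrusted input; in production parse
them with defusedxml rather than plain ElementTree.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mail.example.net</org_name>
    <email>noreply-dmarc@example.net</email>
    <report_id>1700086400.example.com</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>news.example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp-example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>400</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>attacker.example.net</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize(xml_text: str) -> dict:
    """Roll a report up into totals plus the list of sources that failed.

    policy_evaluated/dkim and /spf carry the *aligned* results, which is what
    DMARC is decided on; auth_results carries the raw SPF/DKIM outcomes.  That
    is why the first record shows a raw SPF pass for the vendor's bounce
    domain but an aligned SPF fail (it still passes via aligned DKIM)."""
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": 0,
        "passing": 0,
        "by_disposition": defaultdict(int),
        "failing_sources": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        summary["total"] += count
        summary["by_disposition"][evaluated.findtext("disposition")] += count
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            summary["passing"] += count
        else:
            # Unaligned sources: compare against your known senders; anything
            # unknown here is either a forgotten system or someone spoofing you.
            summary["failing_sources"].append({
                "ip": row.findtext("source_ip"),
                "count": count,
                "header_from": rec.findtext("identifiers/header_from"),
                "spf_domain": rec.findtext("auth_results/spf/domain"),
                "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            })
    summary["by_disposition"] = dict(summary["by_disposition"])
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['reporter']} reported {s['total']} messages for {s['domain']} "
          f"(p={s['policy']}): {s['passing']} passed, {s['by_disposition']}")
    for src in s["failing_sources"]:
        print("  failing source:", src)
```

In a p=none test phase every record would show a disposition of none, and the failing_sources list is the thing to act on: each entry is either a sender of yours that needs SPF or DKIM brought into alignment before you move to quarantine or reject, or a third party sending as your brand.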
As a recipient, you should also encourage your corporate email administrators or vendors to support SPF, DKIM and DMARC for your own incoming email. This will help improve the overall email ecosystem and increase consumer confidence.
Thanks to Silverpop Support Deliverability Specialist Jeff Dellapina for contributing his insights to this post.