DMARC was announced earlier this week. It is a proposal by major email players to unify email authentication. It is touted as a major game changer. Let’s see what it is.
Caveat: The spec was just published; I might have misunderstood some points. In such case, please email me or leave it in the comments and I’ll fix the post.
What is it?
- DMARC is a standard proposal. It does not seem implemented anywhere yet.
- It is here to help sort out all the authentication standards (SPF, DKIM, SenderID). DMARC allows a sender to specify which one it currently implements. For instance, a receiver has right now no way to know if a specific domain signs all its email with DKIM. What should it do if it receives an email with no DKIM?
- It is build on top of DKIM and SPF and specify which sender implement which.
- It specifies proper error handling in a standard and easy to manage way.
- It has no impact of spam handling process.
How does it work?
Sender specifies in a DNS entry which protocols they implement and what will they do in case of failure.For instance, in case of authentication failure, I can configure my DMARC entry so that the receiver will issue an ARF mail to a predefined URL.
- The Body FROM is the domain where DMARC should be stored. This makes it harder to spoof. But what will happen with superceding headers (e.g. Sender)?
- Ease detection and implementation of authentication and its failures.
- A third DNS entry to deploy for each sender as we still need to sign with DKIM and SPF.
- Phishing does not happen anymore with forged header (at least from what we see at CritSend). I am not so sure it’s useful
- A third DNS entry to deploy for each sender.
Consequence On Your Business
DMARC is supposed to help the transition to domain based reputation. It is trying to sort out the different authentication standard. In that aspect it’s working. I do regret these prestigious organizations have not addressed the real underlying issues: how to make emails easy to send again by anyone.
Nicolas Toper CritSend’s Founder