Domain-based Message Authentication, Reporting and Conformance (DMARC) is a relatively simple policy and reporting layer built on top of the SPF and DKIM authentication methods, designed to combat the growing problem of spoofed email, particularly the messages cybercriminals craft to fool their targets. Using DMARC, a sender publishes a statement that mail carrying its domain in the From: header is authenticated by SPF, DKIM or both, and that the domain those checks validate must align with the From: domain. A key element of DMARC is that the sender can also specify what receivers should do with a message that fails both checks: deliver it while only monitoring, send it to quarantine, or reject it outright. The fundamental benefits of DMARC are that it allows a sender to demonstrate its authenticity to recipients, and that it gives recipients a systematic way of knowing what to do with email that falsely purports to come from trusted senders.
One of the chief advantages of DMARC is that it removes from the receiver the burden of deciding what to do with a message that fails to authenticate via SPF and/or DKIM, since the sender’s published policy dictates how the failed message should be handled. Another key element of DMARC is that it provides a robust mechanism for receivers to report back to senders on the messages that passed and failed: aggregate reports sent to the address the sender names in its policy and, optionally, per-message failure reports. DMARC policies are published as TXT records in the DNS (at _dmarc.<domain>), so they are available to anyone who wants to look them up.
Although DMARC was announced only 13 months ago, its uptake has been significant in terms of the number of mailboxes that are now protected by it. According to DMARC.org, three out of five of the 3.3 billion consumer mailboxes around the world are protected by DMARC, and one-half of the domains with the highest email sending volumes have implemented DMARC or are in the process of doing so. Moreover, 70% of these leading sending domains have crafted policies directing recipients to take action against messages that are not authenticated. DMARC.org also reported that during the last two months of 2012, roughly 325 million messages were rejected based on DMARC policies—roughly 15% were from domains that are frequently phished.
DMARC is not a perfect solution to the problem of phishing. For example, it will not stop cybercriminals from registering and using look-alike variants of trusted domains, such as “eday.com” instead of “ebay.com” or “paypa1.com” instead of “paypal.com” (replacing the “l” with the numeral “1”); the attacker controls such a domain and can publish SPF, DKIM and DMARC records for it that pass every check. Nor does it address mail sent from compromised accounts at a legitimate domain, or deception that relies on the display name rather than the address. However, given the success it has demonstrated in its first 13 months, as well as the major email senders that are supporting it, DMARC is a significant step in the right direction in combating phishing and online fraud.
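The policy mechanism described in the opening paragraphs, and the look-alike limitation noted above, as an added example written for this page (it is not code from the original article or from DMARC.org): a minimal receiver-side evaluator that parses a DMARC record, checks SPF and DKIM identifier alignment against the From: domain, and returns the disposition the sender asked for. The domains, records and SPF/DKIM results are constructed; an in-memory table stands in for DNS; and the organizational-domain helper is an assumed simplification that skips the Public Suffix List a real implementation would consult.

```python
"""Added example (not from the original article): a minimal DMARC evaluator.
It reads the sender's published policy, checks SPF/DKIM identifier alignment
against the RFC5322.From domain and returns the requested disposition.
DNS is replaced by a constructed in-memory table so the script runs offline."""

# Constructed stand-in for DNS TXT lookups at _dmarc.<domain> (not real data).
DNS_TXT = {
    "_dmarc.example.com": (
        "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
        "rua=mailto:dmarc-rua@example.com; pct=100"
    ),
    # A look-alike domain the attacker controls: they can publish a valid record too.
    "_dmarc.examp1e.com": "v=DMARC1; p=reject; rua=mailto:reports@examp1e.com",
}

# Defaults the spec applies when a tag is absent.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return None unless it is a
    valid record (v=DMARC1 plus a p= tag with a recognised value)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    policy = dict(DEFAULTS)
    policy.update(tags)
    policy.setdefault("sp", policy["p"])  # subdomain policy defaults to p=
    return policy


def org_domain(domain):
    """Organizational domain. Assumed simplification: last two labels. Real
    implementations use the Public Suffix List (e.g. for example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def lookup_policy(from_domain):
    """Policy discovery: try _dmarc.<From domain> first, then the
    organizational domain. Returns (policy or None, is_subdomain)."""
    txt = DNS_TXT.get("_dmarc." + from_domain.lower())
    if txt:
        return parse_dmarc(txt), False
    od = org_domain(from_domain)
    if od != from_domain.lower():
        txt = DNS_TXT.get("_dmarc." + od)
        if txt:
            return parse_dmarc(txt), True
    return None, False


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(from_domain, spf_result, spf_domain, dkim_results):
    """spf_result/spf_domain: outcome and RFC5321.MailFrom domain of the SPF
    check; dkim_results: list of (d= domain, outcome) for each signature.
    Returns the DMARC result and the disposition the receiver should apply."""
    policy, is_sub = lookup_policy(from_domain)
    if policy is None:
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC record"}
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, policy["adkim"])
                  for d, r in dkim_results)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none",
                "reason": "aligned " + ("SPF" if spf_ok else "DKIM") + " pass"}
    # pct= sampling is not modelled: with pct=100 the requested action always applies.
    requested = policy["sp"] if is_sub else policy["p"]
    return {"dmarc": "fail", "disposition": requested,
            "reason": "no aligned SPF or DKIM pass"}


if __name__ == "__main__":
    cases = [  # (description, From domain, SPF result, MAIL FROM domain, DKIM results)
        ("legitimate, relaxed SPF alignment", "example.com", "pass", "bounce.example.com", []),
        ("spoof: SPF passes only for the attacker's MAIL FROM, DKIM d= not strictly aligned",
         "example.com", "pass", "attacker.net", [("mail.example.com", "pass")]),
        ("subdomain with no own record falls back to sp=", "sub.example.com", "fail",
         "sub.example.com", [("example.com", "fail")]),
        ("look-alike domain with its own valid records", "examp1e.com", "pass", "examp1e.com", []),
        ("domain without DMARC", "nodmarc.test", "pass", "nodmarc.test", []),
    ]
    for desc, *args in cases:
        print(f"{desc}: {evaluate(*args)}")
```

The second case is where DMARC earns its keep: SPF alone would pass, because the attacker's own envelope sender is authorised, but the domain that passed does not align with the From: header, and the sender's p=reject tells the receiver what to do. The fourth case is the point of the closing paragraph: “examp1e.com” passes DMARC because the check is made against the attacker's own domain and record, not against the brand being imitated.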