Restoring Trust in Email

By Mark Kennedy

Despite the dominance of social media as the marketing channel of choice, email is still a fundamental pillar of communication for B2B and B2C companies. The effectiveness of email depends on the customer’s ability to trust the emails they receive—but with more than 100 billion spam messages sent out every single day, how can clients know that the genuine emails you send are really from you, and not another phishing scam?

The good news is that there is a standard that helps ensure that the emails your customers, partners, and employees receive from your domains are legitimate. It’s called the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard. And it’s been used by most major email providers, including AOL, Gmail, Hotmail, and Yahoo Mail, since 2011.

Email providers are serious about proactively protecting their users from phishing and spoofing—that’s why they got together and created the DMARC standard six years ago. Today, roughly 70% of the world’s consumer inboxes are DMARC-compliant.

The concept of DMARC can be confusing, so let’s focus on the essentials.

Email is effective only if it reaches people, is trusted by them, and is not relegated to the junk mail folder.

A lack of trust in our email communication can lead to missed sales and marketing opportunities, not to mention the reputational damage that occurs when fraudsters masquerade as your brand. What DMARC does is provide a guarantee that emails you send from your domain reach client and employee inboxes, because recipients know that the emails are indeed from you.

DMARC uses existing email identification technology to make a judgement about an email’s source.

Among other things, it looks specifically at the identifier in the From header of an email—the portion of an email address, for example. That’s because cybercriminals can forge the From header of an email so that it looks like it comes from a legitimate domain, when in fact, it is spoofed and really comes from someone or someplace else, likely with malicious intent.

To address that risk, the DMARC authentication standard provides information about email, so that senders can confirm to email providers that the sender’s identity matches the domain where emails should be coming from. DMARC makes sure these two items are aligned, and then gives instructions about what email providers should do when message headers don’t match up.

What happens when an email is not authenticated with a domain match?

DMARC offers three possible instructions for how email providers should respond.

1. The first policy option is to go into “monitor” mode. In this mode, nothing about email delivery changes. The benefit of monitor mode is that it provides visibility. Organizations can see which unauthenticated messages are being sent in their name, but delivery of those emails is not interrupted.

Companies just getting their feet wet with DMARC would do best to begin in monitor mode, especially if they are concerned about anything that blocks emails right off the bat. By implementing DMARC, nothing needs to change right away. Organizations will simply have more information that will enable them to make an informed decision about what to do next, especially if spammers and scammers are spoofing their brand.

Once familiarized with the protocol, banks can start to get more active in directing their email traffic.

2. The second DMARC policy option is “quarantine” mode. This instruction directs all suspicious or unauthenticated emails to go to your customers’ and employees’ junk mail folder.

3. The third policy option combines the quarantine function with a “reject” function. This ensures that emails from unauthenticated servers are never received at all. This is ideal for firms that have had experience with the quarantine function, and have had visibility into who was sending emails from their domain, legitimately or otherwise. At that point, they should feel comfortable progressing to the more stringent “quarantine-reject” mode. That is to say, once you are certain that all of your servers sending emails on your domain’s behalf are accounted for, you can reject the ones that are not, so that potentially harmful emails don’t even appear in people’s junk mail folders.
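The alignment check and the three policy outcomes described above can be walked through in a few lines of Python; this is an added example, not part of the original article, and it is a simplified model of what a receiving mail server does. The tag names (p, adkim, aspf, rua) come from the DMARC specification, where “monitor” mode is published as p=none; the domains and records are constructed, and the organizational-domain shortcut is an assumption noted in the code.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # use the Public Suffix List; this shortcut is wrong for example.co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match); anything else = relaxed (same org domain)."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate(record, from_domain, spf, dkim):
    """spf and dkim are (result, domain) pairs: the SPF-checked envelope
    sender domain and the DKIM d= domain. Returns the disposition."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]

# Constructed sample records, one per policy mode described above.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
QUARANTINE = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
REJECT = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc-reports@example.com"

# Constructed message: From shows example.com, but SPF and DKIM passed
# for an unrelated domain, so neither authenticated identifier aligns.
UNALIGNED = dict(from_domain="example.com",
                 spf=("pass", "bounce.bulk-sender.example"),
                 dkim=("pass", "bulk-sender.example"))

if __name__ == "__main__":
    for name, rec in [("monitor", MONITOR), ("quarantine", QUARANTINE), ("reject", REJECT)]:
        print(name, "->", evaluate(rec, **UNALIGNED))
```

Note that the REJECT record sets adkim=s, so a legitimate message signed with a subdomain such as mail.example.com no longer aligns on DKIM; that is the kind of sender the monitoring phase is meant to surface before enforcement.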

How well does DMARC filter out spoofed messages?

Here are some facts and figures from

  • When prominent brands like Facebook, PayPal, and Twitter implemented DMARC in 2014, they saw phishing email imitating their brand drop by 50%.
  • Twitter reported nearly 110 million messages per day were spoofing its domains prior to deploying DMARC. This was reduced to only 1,000 per day after DMARC was put in place.
  • A number of leading financial institutions adopted DMARC in 2015, including American Express, Bank of America, Chase Bank, Citibank, Discover Financial, Fidelity Investments, VISA, Wachovia and Wells Fargo.

Of course, implementing DMARC will require some cross-collaboration with your IT team. You and your IT and fraud teams will all benefit from the valuable data received from the world’s biggest email providers, and the insight of who is sending legitimate and illegitimate email from your domain.

While DMARC adoption as a stand-alone tool is not a complete fraud solution, it remains the gold standard for restoring trust in email. You can check here to see if your domain currently has a DMARC record, and if not, you may want to speak to your IT department about implementing the standard.

Some more key DMARC statistics.

  • 2.5 billion mailboxes are protected by DMARC worldwide, or 70% of all mailboxes in existence.
  • There’s been a 122% increase in the number of users who have sent 100 or more DMARC reports.
  • There’s also been a 24% year-over-year increase in DMARC adoption across 1,000 top global brands.

What does the future hold for DMARC?

In February 2016, Google announced that it will provide a visual indication of whether a sender’s identity can be trusted in its Gmail interface. intends to take this a step further by collaborating with mailbox providers to develop a standardized indicator that visually flags messages sent to consumers that fail the authentication process. This will remove the guesswork and deliver a safer, more transparent email experience for end users by making them aware of good versus bad email that reaches their inbox.

This has implications for marketers and will drive brands to implement the latest authentication protocols more broadly in order to maintain positive subscriber engagement for their email marketing campaigns. Much of email marketing has been put at risk by the rise of spam and phishing. But as companies come to realize the benefits of not only adopting DMARC, but doing so in an active way, unwanted and dangerous emails may become a thing of the past.

Mark Kennedy is a marketing writer at Easy Solutions, Inc., a provider of electronic security and fraud prevention across all devices, channels, and clouds.