There is a phrase in the sales and marketing world coined by Gary Vaynerchuck that marketeers ruin everything. What he means by this is that every time we find a new channel of any kind that has people’s attention, marketers will find it and find ways to abuse it.
Email is the perfect example of this. Emailing is an amazing utility enabling people to communicate both personally and professionally. At first, marketers started having some success selling via email as we were paying a lot of attention to our inboxes and there was very little competition.
Gary Vaynerchuck was one of those and has boasted of email opening rates in the 80-90% range. However, marketers soon caught on and would start sending out bulk emails instead of individual personalised ones. The reason was simple, there was practically zero cost to these emails in comparison to other marketing channels like print. There was no limit to how many emails you could send so they sent lots of emails to lots of people and soon email spam become the problem we have every day of our lives today.
How do you stop spam?
Over the years there have been many attempts to stop spam email from clogging up our inboxes. Most of the solutions today are email filters that not only try and catch the spam email but also any email that could contain viruses, malware and any other digital nasties. These services vary in effectiveness and sometimes are too good and will block email we want to receive. This can be solved with some tweaking of the filters until you get a good balance. Here at BCS we recommend Reflexion from Sophos and find it to be an excellent service that keeps our inboxes clean and tidy.
Using technology to solve the problem
There have been a few attempts at solving spam by getting email providers and technology providers to get the incoming and outgoing email servers to talk to each other and effectively having a virtual doorman so if you don’t have the appropriate ID, your email is not getting through. This is done digitally and works by the email sender proving they are who they say they are with a digital ID that confirms this. This combats those that mask the email address so it looks like it is coming from another person or company. By trying to mask an email without ID the email is simply quarantined or rejected. These policies are called Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Both go a huge way to solving spam and other unwanted emails getting to our inboxes however adoption has proved slow due to the lack of feedback offered in these systems. Email administrators were concerned about genuine emails not getting through, with no way to monitor this. These systems also send no information back to the sender should their email had been blocked
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It in fact sits on top of SPF and DKIM. What DMARC brings to the table is the ability control, test and monitor the emails that are received, blocked or quarantined. It also enables the sender to receive feedback as to why their message was blocked.
Why do we need DMARC?
Currently, every company handles email differently. Some use SPF, some use DKIM, many use none. This makes it very hard for email senders to know if an email is going to meet the criteria of the receiver as everyone is set-up differently. DMARC provides a standard that email senders can put in place to ensure their email is received, and that standard is created so all email senders and receivers are validating in the same way.
How does it work?
In simple terms, it enables an email sender to indicate that their emails are protected by either SPF, DKIM or both. It also provides instructions on what to do if the message is rejected or quarantined. This takes out the guesswork for email administrators, safe in the knowledge that only genuine verified emails will make it to your inbox.
From the email senders side, each email is sent on with a note declaring their DMARC credentials that prove that the email has, in fact, come from that domain. It also provides the receiver with an email address so that if the email is rejected or quarantined the sender can be notified why.
From the receiver’s side your email server will check each email as it arrives and request their DMARC credentials and depending on how each one is set up will do one of the following:
- Record the DMARC credentials and allow the email to pass
- Record the lack of DMARC credentials and allow the email to pass
- Record the lack of DMARC credentials, quarantine the email and send a notification to the sender
- Record the lack of DMARC credentials, block the email and then send a notification to the sender.
Does this mean I do not need a spam filtering service?
Quite the opposite, DMARC does not stop emails that are infected. It only ensures that they are who they say they are. DMARC will massively reduce the amount of spam you receive but it does not stop infected emails getting through. So, it is still essential that you have a good quality service in place to be protected.
How does this work for services like Gmail and other 3rd party email providers?
You will need to check with your email provider if they are using DMARC. At the time of writing both Gmail and Hotmail including outlook.com are not running DMARC but they are working on enabling this. The following site shows how many popular global email providers are either running or working towards DMARC. Click here to visit this site.
How can I be sure I won’t lose the email I do want to receive?
When setting up DMARC it is best to just start collecting data without blocking anything other than what your email filtering service picks up. Once DMARC is in place and active you will start receiving reports showing details of the activity for each email received. This will enable you to see how it is seeing the typical emails you get into your business before deciding if you want to set the policy to quarantine the emails it believes to be spam or simply block them.
How much does it cost?
There are no costs per se. You will need to setup either SPF or DKIM first then you can implement your DMARC records. In the first instance talk your IT department or managed service provider as this is something they will be able to set-up for you. If you are a BCS customer there are two options. For those that have Scheduled Visits, setting up DMARC is covered as part of that service. For those customers that don’t have scheduled visits, we would encourage you to talk to your account manager who will work with you to get it setup. In the first instance drop an email to email@example.com or call us on 01843 572600 .
Who is using DMARC?
Some of the largest companies in the world are already using DMARC and this list will continue to grow. Just a few include:
4) Go Daddy
6) Sales Force
Some of these companies are just collecting data now while others are already set to quarantine or block.
DMARC is on the increase and as more companies adopt these policies it will make the job of spammers much harder and our inboxes much clearer. The number of domains using DMARC will grow as the knowledge and awareness continue to spread.
Do you have questions about DMARC? Is this something you would like to see installed in your business? Please feel free to reach out to me to discuss either this post, or indeed anything else to do with making your IT and data secure, backed up and recoverable.
You can contact me on firstname.lastname@example.org or give me a call on 01843 572600