Video: DMARC – Overview
We’ve put together a short video that is an overview of DMARC:
This video is part of a larger video series on all things DMARC.
The transcript follows:
This short video presents an overview of DMARC — the technology of Domain-based Message Authentication, Reporting and Conformance.
DMARC brings new features to the world of email, and is aimed squarely at solving a problem that has plagued email from the very beginning:
There isn’t a reliable way to tell if email is real or just a really good fake.
This problem gets email into all sorts of trouble: spam, phishing, the spread of viruses and malware. Email is used to perpetuate a lot of fraud simply because it’s difficult to tell if a piece of email is real. On the flip side, legitimate senders have to navigate some pretty complicated anti-spam filters — filters that are designed to block unwanted email — just to get their emails delivered. Doing this is a big enough problem that an entire “email deliverability” industry exists to help organizations keep their email flowing into inboxes.
Internet mail hasn’t changed much over the years simply because the basic question of “is it real?” hasn’t been easy to answer.
To solve this very real problem, DMARC’s new features make email easy to identify. It does so by creating a link between a domain and a piece of email. (A domain, by the way, is everything after the “@” sign in an email address.) All of DMARC’s features are aimed at making this link possible for all email domains on the Internet, regardless of whether or not the domain belongs to a fortune 500 company or an individual citizen.
The underlying technologies that associate a domain with a piece of email have been around for a long time, and people have tried their best in many different contexts to make the technologies useful. SPF — which is a way of publishing a list of servers that are authorized to send email on behalf of a domain — has been around since 2003. DKIM — which is a method of adding a tamper-proof domain seal to a piece of email — has roots going back to 2005.
Instead of relying on a single technology, DMARC brings consistency to how these existing technologies are configured so that when a piece of email is received, a simple check can be performed to see if the email really does come from the domain it says it comes from.
The goal is to make email easy to identify, but this isn’t very useful unless all of a domain’s email can be identified. If it’s easy to identify only some of a domain’s email, then people still have to go to great lengths to figure out if the remaining parts are real or if they just look real but are in fact phishing emails that end up causing a lot of grief.
To make it so that all of a domain’s email can be made easily identifiable, DMARC gives domain owners visibility into how their Domains are being used on the Internet. This visibility comes in the form of feedback reports that are generated by organizations that process incoming mail. The reports are sent to domain owners when they ask for them. By analyzing these reports, domain owners can identify all of their sources of email, which makes it possible to deploy the underlying technologies across all legitimate email streams. Without these reports, a domain owner would have to somehow audit their organization to figure out who all is sending email — a task that is time consuming and almost guaranteed to be incomplete. With these reports a domain owner can get the work done quickly and accurately.
To tie this all together, when a Domain owner is confident that they’ve made all of their legitimate email easy to identify, they can tell the world to block the fake stuff. Today, DMARC is used to block a lot of fake email, which is a very good thing.
However, even though blocking fake email is great, the visibility that DMARC provides to Domain owners is useful in itself. People use DMARC to see if their domains are being abused on the Internet. Organizations use DMARC to understand how they and their partners are sending email using their domains, and also if everyone is sending email correctly. Doing this turns DMARC into a compliance tool that organizations use to make sure they’re doing everything they can to reduce the risk of fraud to themselves and their customers and also to make sure that any liability in terms of adhering to best practices to protect users and assets is reduced.
Arguably the best thing that DMARC is doing for email is to change email from a “lets keep the bad stuff out” model to a “lets build on our ability to identify real email.” Receivers of email are radically simplifying how they process email, even to the point of requiring DMARC compliant email if you’re trying deliver a lot of email.. and this is a pretty big deal to any organization that relies on email for its day to day business.
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
You can get in touch with us or register for a free trial where our onboarding and support team will help you along the way.