What is DMARC? – A Bit of History

DMARC is an acronym for Domain-based Message, Authentication, Reporting, and Conformance. But what is DMARC in practical terms?

It’s an open email authentication protocol that protects your company’s email domain from  email spoofing and fraud. 

Implementing DMARC keeps your domain safe from cyberattacks like Business Email Compromise, phishing, and other email scams. 

The Domain-based Message, Authentication, Reporting and Conformance protocol works alongside SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail) email protocols. 

DMARC consists of two parts: Reporting and Conformance. Domain owners can monitor the authentication of their emails. At the same time, DMARC indicates what ISPs should do with unauthenticated emails. 

What does DMARC do? Well, this protocol allows organizations to monitor and control who can send emails on behalf of their domain. As a business owner, you want to know that your clients only get legitimate emails from you. That’s why every organization needs to implement a DMARC policy

When you use DMARC email security, you can tell recipients your emails are protected by SPF and DKIM and inform them what to do if any authentication processes fail. 

In a  DMARC record example, you’ll see three policies:: None, reject, and quarantine. 

While knowing how DMARC works is vital, in this article, we’ll dive a bit into the history of DMARC—how it began and its adoption process.

 

The Basis of DMARC: SPF and DKIM

DMARC was built to extend two existing email authentication protocols – SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail). DMARC uses these protocols to determine the authenticity of a message. 

The efforts to provide adequate email protection have a long history. It started with S/MIME (Secure/Multipurpose Internet Mail Extension) encryption and the popular digital signature standard during the 90s. 

In the early 2000s, new email authentication standards were developed. Among these standards, SPF and DKIM solved related email security issues. Let’s briefly discuss them.

SPF

SPF or Sender Policy Framework is one of the first email authentication protocols introduced in the early 2000s. The idea came up when email experts realized that the SMTP (Simple Mail Transfer Protocol) couldn’t protect users from email spoofing, so a need arose for a security mechanism. 

SPF was initially called Sender Permitted Form or SMTP+SPF. The name was changed to Sender Policy Framework and published by the IETF as a proposed standard in 2014. 

It’s an authentication method used to prevent email attacks like phishing and enhance domain reputation. The standard enables email servers to verify and authenticate the IP addresses of incoming messages. 

Still, SPF has its shortcomings. For example, forwarded messages fail authentication, SPF records are tricky to maintain, and hackers can still exploit the Return-Path/mailfrom as most people don’t check it. 

SPF on its own isn’t enough to secure your email domain. That’s why knowing how to add a DMARC record in DNS and implementing a DMARC policy is vital.

DKIM

DMIK or DomainKeys Identified Mail was created in 2014 as a combination of two existing email standards. The first standard is the Enhanced DomainKey developed by Yahoo! to confirm the integrity of an email message by authenticating the source DNS domain. 

The second standard is the Identified Internet Email, designed by Cisco, which authenticates the integrity of outgoing email using digital signatures. 

Initially, Gmail, Fastmail, AOL, and Yahoo! were the first to adopt this standard. Today, DKIM has experienced worldwide adoption, and it’s recommended for all email providers. 

Like SPF, DKIM helps protect your domain from unauthorized usage. The protocol ensures that emails remain unaltered while in transit between sender and receiver servers.

However, hackers can still use DKIM signatures using malicious tactics. Once again, DKIM on its own doesn’t provide sufficient email security. As such, DMARC protection is vital.

 

The Beginnings (2010-2012)

Even though SPF and DKIM provide a level of email security, they can’t offer a complete solution to email authentication. This led to the development of Domain-based Message Authentication, Reporting and Conformance. 

DMARC’s journey started in 2010 when fifteen leading organizations, including PayPal, Microsoft, Google, and Yahoo, came together to build a protocol to guard against fraudulent emails on the internet. 

One of the objectives of the collaboration was to ensure email receivers can provide sending servers with authenticated feedback regarding their messages to improve their authentication mechanism. The first publication of the DMARC specification came out on January 30th, 2012.

 

The Slow Adoption (2012-2017)

Though DMARC protection was created in 2010, it became an initiative in 2015 under the Trusted Domain Project. The adoption rate of the DMARC protocol was incredibly slow. Many organizations are still not aware of the DMARC protocol and its benefits. 

One of the reasons why DMARC has a slow adoption rate is its technicality. Understanding email authentication requires a degree of technical knowledge, and it’s not something organizations or marketers can implement on their own. 

At least, that’s how it used to be. With solutions like EasyDMARC, implementing everything from DMARC records and policies to DMARC tags and reporting is easy.

But during the early days of DMARC, small organizations lacked the experience to implement SPF and DKIM. Of course, you need these two standards before you can effectively install DMARC in your DNS. 

In 2015 and 2016,  Google and Yahoo! adopted strict DMARC policies, noting that people who refuse to follow the DMARC trend would have their business suffer for it in the near future.

 

DMARC Today and Beyond (2018-to date)

The DMARC usage statistics show that DMARC is rapidly rising, and many organizations are adopting this authentication standard to prevent email spoofing. In 2018, the Department of Homeland Security (DHS) mandated every federal agency to implement the use of DMARC, which positively impacted the adoption rate. 

In December 2018, the DMARC adoption rate among federal government agencies increased to 47%. During this time, the DHS only directe agencies to implement DMARC at the p=none level, which still exposes the domain to phishing and spoofing attacks. 

According to Agari, around 53% of federal organizations don’t have a DMARC policy in place. Even those who do, the majority set their p=none, which doesn’t protect their domain from spoofing. 

Valimain CEO Alexandra Garcia-Tobar said DMARC deployment is vital for businesses that operate in the United States and Europe because of their privacy laws. 

Statistics also show that domains without DMARC deployment are 4.75 times more likely to be victims of spoofing. In 2021, 43.4% of domains had enforced the DMARC policy, a 2% increase from the 2020 rate and a 3.5% increase from 2019. 

These statistics show the adoption of the DMARC protocol is increasing. DMARC has been widely accepted by several large email providers like Microsoft, Google, and Yahoo!, catering for more than 85% of user inboxes globally.

Today, the DMARC protocol is recognized among email marketers as an integral aspect of deliverability. Even the M3AAWG recommends enforcing DMARC as an email deliverability best practice. A DMARC policy provides email authentication, which will be vital in the future. 

Sooner or later, email providers will move to the “No Auth, No Entry” policy. This means your message will not be delivered if it doesn’t satisfy DMARC requirements. 

So if you want your message to get to your clients’ inboxes, you need to enforce a DMARC policy in your domain. While this is not happening just yet, it’s around the corner as the adoption of DMARC continues to increase globally.

 

Final Thoughts

It’s no news that some dangerous cyberattacks, such as BEC and phishing, are delivered via email. So organizations need to implement DMARC to mitigate the impact of cybercrimes, including phishing, spoofing, brand abuse, and malware attacks.

However, most businesses find it challenging to enforce DMARC policy. While this might seem like a daunting task, it’s attainable. If you don’t know the status of your DMARC record, you can perform a DMARC record lookup using our DMARC record generator

With EasyDMARC’s all-in-one solution, you can protect your email domain and successfully monitor every area of your email authentication, enforcing robust and effective protection against phishing, spoofing, and other email attacks.

SPF Record Syntax: Structure and Components

SPF Record Syntax: Structure and Components

Understanding what SPF is and bringing it into use is important for technology-driven businesses...

Read More
What is a DKIM Record?

What is a DKIM Record?

What is a DKIM record? That's a question we see everywhere these days. Emails...

Read More
What is an SPF Record?

What is an SPF Record?

What if you realize a threat actor is misusing your domain name to send...

Read More