Attention, criminals: DMARC will not get your spam delivered

Time to set the record straight on email authentication: DMARC won't get spam into the inbox, says Rob Holmes

Attention, criminals: DMARC will not get your spam delivered
Attention, criminals: DMARC will not get your spam delivered

Tokyo-based IT security company Trend Micro published a blog post in February entitled, TorrentLocker ransomware uses email authentication to refine spam runs.” The article points to recent use of the DMARC standard by ransomware distributors, presumably to discover which ISPs are blocking mail and which aren't, and to make sending decisions based on those findings. In fact, our friends at Trend Micro make an excellent point. DMARC does indeed give those who implement the standard deep insight into their email operations.

However, the post's author, Jon Oliver, was quoted in SC Magazine in March stating, “DMARC sometimes gives a ‘positive score' to emails that are ‘authenticated,' thus increasing the chances of spam being successfully delivered.” To imply that DMARC in isolation somehow factors into inbox placement is to ignore what mailbox providers have indicated explicitly in their own publications.

What DMARC does

Domain-based Message Authentication Reporting and Conformance (DMARC) is the next evolution in email security protocol. Born of the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards, DMARC is designed to give senders greater visibility into their mail streams, allowing them to prevent unknown senders from spoofing their domains.

Put simply, DMARC gives brands, ISPs, and vendors like Return Path the ability to tell whether or not senders are who they say they are. Once identification is established, parties can assign a certain reputation to the sender. If authentication passes, but the sender's reputation is deemed bad (eg, the sending address is a known spammer), the sender's messages can be blocked outright. Visibility. Classification. Governance. Easy as that.

What DMARC does not do

Senders need look no further than Google's own Gmail support site to find answers about whether or not email authentication ensures inbox placement. While Google states that authentication is, “highly recommended,” it warns:

Authentication by itself is not enough to guarantee your messages can be delivered, as spammers can also authenticate mail. Gmail combines user reports and other signals, with authentication information, when classifying messages.

There you have it. Yes, authentication information is used as a part of the algorithm for determining classification of messages, but implementing DMARC will not get senders (in this case, spammers) into the inbox. This is not only true at Gmail, but at other major ISPs/Mailbox Providers as well.

DMARC adoption no longer an option

As a founding developer of the protocol, Return Path stands firmly with the team at DMARC.org, which published a post last week imploring cyber-criminals to go ahead and adopt DMARC. Our own research shows that just 22 percent of major global companies have adopted the standard, largely due to basic lack of awareness. Therefore, if hackers, crackers, spammers, and phishers wish to help promote the standard, more power to them.

It is worth noting that we don't think Trend Micro means to disrupt the DMARC market by instilling fear or making it seem like DMARC is a tool to be harnessed for nefarious purposes. If anything, the fact that spammers are becoming more sophisticated in their attempts to fill inboxes with unwanted mail should be a clarion call for ISPs of all shapes and sizes to quickly adopt DMARC and put an end to domain spoofing once and for all.

Rob Holmes, general manager, Return Path

Sign up to our newsletters