DMARC.org Domain-based Message Authentication, Reporting & Conformance

DMARC - What is it?

DMARC, which stands for "Domain-based Message Authentication, Reporting & Conformance", is a technical specification created by a group of organizations that want to help reduce the potential for email-based abuse by solving a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols.

DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC. We hope this will encourage senders to more broadly authenticate their outbound email which can make email a more reliable way to communicate.

Why is DMARC Important?

With the rise of the social internet and the ubiquity of e-commerce, spammers and phishers have a tremendous financial incentive to compromise user accounts, enabling theft of passwords, bank accounts, credit cards, and more. Email is easy to spoof, and criminals have found spoofing to be a proven way to exploit user trust in well-known brands. Simply inserting the logo of a well-known brand into an email gives it instant legitimacy with many users.

Users can't tell a real message from a fake one, and large mailbox providers have to make very difficult (and frequently incorrect) choices about which messages to deliver and which ones might harm users. Senders remain largely unaware of problems with their authentication practices because there's no scalable way for them to indicate they want feedback and where it should be sent. Those attempting new SPF and DKIM deployment proceed very slowly and cautiously because the lack of feedback also means they have no good way to monitor progress and debug problems.

DMARC addresses these issues, helping email senders and receivers work together to better secure emails, protecting users and brands from painfully costly abuse.

How Does DMARC Work?

A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes - such as junking or rejecting the message. DMARC removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent and harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.

Who Can Use DMARC?

DMARC policies are published in the public Domain Name System (DNS), and available to everyone. Because the specification is available with no licensing or similar restriction, any interested party is free to implement it.
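The two sections above describe the mechanism: the domain owner publishes a policy as a DNS TXT record, and the receiver checks whether an aligned SPF or DKIM result exists for the message and, if neither does, applies the published disposition. The following is an added example written for this page, not code from DMARC.org or from any receiver's implementation. It parses a constructed record of the form a receiver would fetch from `_dmarc.example.com` and evaluates a message's SPF/DKIM results against it. The organizational-domain helper is a deliberate simplification (last two labels); real receivers consult the Public Suffix List, and the `pct=` sampling tag is parsed but not applied.

```python
"""Toy DMARC policy evaluator (added example, not DMARC.org's code)."""
from dataclasses import dataclass

# Constructed sample record, as a receiver would read it from the TXT record
# at _dmarc.example.com. Tags follow RFC 7489: v, p, sp, adkim, aspf, rua, pct.
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-reports@example.com")


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict and apply RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (requires v=DMARC1 and p=)")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless stated
    tags.setdefault("pct", "100")   # apply policy to all messages
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption for this example; real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' requires an exact match, 'r' an org-domain match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    from_domain: str     # domain of the RFC5322.From header
    spf_pass: bool       # SPF result for the RFC5321.MailFrom domain
    spf_domain: str      # the RFC5321.MailFrom domain SPF was checked against
    dkim_pass: bool      # a DKIM signature validated
    dkim_domain: str     # d= tag of that validated signature


def evaluate(record: dict, policy_domain: str, r: AuthResult) -> dict:
    """Apply the DMARC decision: pass if SPF or DKIM passes *and* aligns with
    the From domain; otherwise apply p= (or sp= for subdomains)."""
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, record["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, record["adkim"])
    passed = spf_ok or dkim_ok
    # policy_domain is where the record was found; a different From domain
    # means the message came from a subdomain, which sp= governs if present.
    is_subdomain = r.from_domain.lower() != policy_domain.lower()
    policy = record.get("sp", record["p"]) if is_subdomain else record["p"]
    return {
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
    }


if __name__ == "__main__":
    rec = parse_dmarc_record(SAMPLE_RECORD)
    # Legitimate mail signed by the domain itself.
    print(evaluate(rec, "example.com",
                   AuthResult("example.com", False, "other.net", True, "example.com")))
    # Spoof: From claims example.com, but SPF/DKIM only vouch for attacker.example.
    print(evaluate(rec, "example.com",
                   AuthResult("example.com", True, "attacker.example", True, "attacker.example")))
```

The second call shows the point of the specification: a message can pass SPF and DKIM for some domain and still fail DMARC, because neither result is aligned with the From domain the user sees. With `adkim=s`, even a signature from `mail.example.com` would not align with `example.com`, which is why domains that sign from subdomains usually publish relaxed alignment.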

Status of DMARC

April 2, 2014: The DMARC specification has been submitted as an Informational Document to the RFC Independent Submissions Editor (ISE). Link to DMARC Specification.

DMARC was developed by the organizations listed below over the course of several years. The specification was publicly announced on January 30th, 2012 and was immediately available for download from the DMARC.org website. A mailing list for anybody interested in reviewing or discussing the specification was announced and started seeing traffic the same day. Discussions on the list have provided a great deal of feedback on and input to the specification.

After seeing dramatic adoption, DMARC was submitted to the IETF for standardization on March 31, 2013. That summer a BoF was held at IETF-87 (announcement, agenda and minutes) in Berlin to discuss chartering a working group to develop extensions and supporting documents like the Using DMARC best common practices (BCP) document.

While there was enthusiasm around the proposed working group, there was also a strong sentiment among some respondents that either A) the specification was complete enough that there was nothing to warrant an IETF working group, or B) that the entire specification should be reconsidered from scratch, which would leave implementors and deployers in an uncertain situation for as long as several years, based on the pace of work on similar standards in the past.

After a great deal of deliberation and exploring all options, the specification was switched to the Independent Submissions track effective April 2, 2014. The result will not be an IETF Internet Standard as originally envisioned by the DMARC.org member organizations. However it will provide a fixed reference document that can provide the basis for development on the Standards track at a later date.

As of early 2013 DMARC had been deployed to protect roughly 2 billion email accounts - over 60% of consumer mailboxes globally, and over 80% of consumer mailboxes in the United States.

Contributors Include:
Agari, American Greetings, AOL, Bank of America, Cloudmark, Comcast, Facebook, Fidelity Investments, Google, LinkedIn, Microsoft, PayPal, Return Path, Trusted Domain Project, Yahoo!, JP Morgan Chase & Co., NetEase - 163.com


Industry Liaisons:
BITS, MAAWG, OTA

Highlights

Current Specification:

10/29/2014 DMARC Base Specification (Rev -05)

News:

8/18/2014 IETF DMARC working group kick-off announcement

8/11/2014 IETF forms DMARC working group

2/18/2014 Prominent Brands Cut Email Abuse by More than 50% with DMARC

Events:

11/9-14/2014 IETF 91 (DMARC BoF expected)

2/16-19/2015 33rd MAAWG General Meeting, w/ DMARC & email auth sessions

By the Numbers
  • Nearly 2 billion email accounts worldwide are protected by DMARC.
  • Greater than 80% of typical US users are protected by DMARC.
  • Over 80,000 active domains have deployed DMARC.
  • Return Path reports a 130% increase in clients and domains publishing DMARC records.
  • More than 25 million email messages spoofing PayPal were rejected during the 2013 holiday buying season.
  • During the first 45 days of initial monitoring, Twitter saw nearly 2.5 billion messages spoofing its domains.
  • Twitter reports ~110 million messages/day were spoofing its domains prior to deploying DMARC, reduced to only 1,000/day after publishing a "reject" policy.
  • Outlook.com reports a 50% drop in reported phishing in 2013, in part due to DMARC.
  • Publishers Clearing House reports they used DMARC to block over 100,000 unauthenticated messages in a single 90 day period during 2013.