Email Security Blog

DMARC Adoption

Agari October 20, 2015 Opinion
Fallback Featured Image

Increased DMARC adoption and emergence of complementary standards prove DMARC is maturing.

When someone who is not an email expert first learns about email authentication a common reaction is “Wait a minute, you mean this isn’t already mandatory?!?”.  Why shouldn’t all email be authenticated everywhere? It seems like common sense.  Based on today’s announcement by, it seems that we are getting closer and closer to an authenticated email world.  Google will protect all email from it’s domain with DMARC in 2016 and next month Yahoo is expanding the DMARC protection it implemented in 2014 on email from to several additional domains.

When DMARC emerged in 2012 it had a huge impact from the beginning. Many large email sending brands implemented DMARC policies to protect their customers (think PayPal, Facebook, LinkedIn, JPMorganChase, etc).  To complete that circle of trust, the largest consumer mailbox providers in the world implemented DMARC so that the sender policies would have major impact (how about Google, Yahoo, Microsoft, AOL?).

Despite DMARC’s early success, these mail streams that the early DMARC implementations protected were largely limited to transactional messages. Valuable for certain – this stopped a lot of the most common phishing tactics!  But, if DMARC adoption stayed limited to large brands and transactional mail streams it would always be a niche technology.  To realize the vision of email authentication everywhere, DMARC had to expand it’s sphere of influence.

Why is now the right time to expand the use of DMARC? Well the other part of the announcement is around a specification complementary to DMARC being released to the technical community this week called Authenticated Received Chain (ARC).  ARC is intended to help work around some of the edge cases that have led DMARC to fail in certain situations, like forwarded email and mailing lists.  While these edge cases are small in volume relative to large transactional email streams, they are high in importance to the users that enjoy these services.  This work falls inline with the DMARC IETF working group that has been collaborating to ensure that DMARC can protect the larger email ecosystem without disrupting longstanding and valid smaller uses of email.

Where is all of this heading? What is the logical conclusion? I think it is a realization of the authenticated email world. With the world’s largest transactional mail streams already protected by DMARC and soon the world’s largest user generated mail streams joining, it won’t be long before unauthenticated email is simply ignored everywhere.  The message is now clear – If you care about your email reaching your customers, don’t wait to authenticate!

Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

January 26, 2016 Patrick Peterson

How to Win the War for Talent

Every business is anxious to hire the right candidates, but whether your most urgent need…

Agari Blog Image

December 21, 2015 Nikki Tyson

Cyber Insurance in 2016 – Ensure You’re Protected

Cyber insurance is a topic that typically flies under the radar when discussing the economics…

Agari Blog Image

December 15, 2015 Agari

Don’t Let Your Customers Be Fooled By Cousin Domains

In the last five years, we’ve all become far too familiar with it – hackers…

Agari Blog Image

December 10, 2015 Agari

Email Scams to Avoid this Holiday Season

With the high volume of email activity the holiday season brings, we’ve been getting a…

Agari Blog Image

November 24, 2015 Nikki Tyson

Steve Katz, FS-ISAC Chairman: Perspectives on Phishing

Steve Katz - “Phishing and social engineering is still a global threat to every business…

mobile image