Increased DMARC adoption and the emergence of complementary standards prove DMARC is maturing.
When someone who is not an email expert first learns about email authentication, a common reaction is “Wait a minute, you mean this isn’t already mandatory?!?” Why shouldn’t all email be authenticated everywhere? It seems like common sense. Based on today’s announcement by DMARC.org, it seems that we are getting closer and closer to an authenticated email world. Google will protect all email from its gmail.com domain with DMARC in 2016, and next month Yahoo is expanding the DMARC protection it implemented in 2014 on email from yahoo.com to several additional domains.
When DMARC emerged in 2012, it had a huge impact from the beginning. Many large email-sending brands implemented DMARC policies to protect their customers (think PayPal, Facebook, LinkedIn, JPMorganChase, etc.). To complete that circle of trust, the largest consumer mailbox providers in the world implemented DMARC so that the sender policies would have a major impact (how about Google, Yahoo, Microsoft, AOL?).
Despite DMARC’s early success, the mail streams that the early DMARC implementations protected were largely limited to transactional messages. Valuable for certain – this stopped a lot of the most common phishing tactics! But if DMARC adoption stayed limited to large brands and transactional mail streams, it would always be a niche technology. To realize the vision of email authentication everywhere, DMARC had to expand its sphere of influence.
Why is now the right time to expand the use of DMARC? Well, the other part of the DMARC.org announcement concerns a specification complementary to DMARC, called Authenticated Received Chain (ARC), which is being released to the technical community this week. ARC is intended to help work around some of the edge cases that have led DMARC to fail in certain situations, like forwarded email and mailing lists. While these edge cases are small in volume relative to large transactional email streams, they are high in importance to the users who enjoy these services. This work falls in line with the DMARC IETF working group, which has been collaborating to ensure that DMARC can protect the larger email ecosystem without disrupting longstanding and valid smaller uses of email.
Where is all of this heading? What is the logical conclusion? I think it is a realization of the authenticated email world. With the world’s largest transactional mail streams already protected by DMARC, and soon the world’s largest user-generated mail streams joining, it won’t be long before unauthenticated email is simply ignored everywhere. The message is now clear – if you care about your email reaching your customers, don’t wait to authenticate!