Any company that’s talking to its customers via email (that is, close enough to all of them) needs to enable the anti-phishing tool DMARC, according to the Global Cyber Alliance (GCA). DMARC authenticates whether or not an email was really sent from the organization it purports to have come from. Even companies that rely on third parties to send out their emails (like ConstantContact or MailChimp) need to implement DMARC on their own server and sync that up with their third-party provider, according to GCA staff.
Companies shouldn’t rest on their laurels just because a third-party sends out their promotions.
The protocol protects against threats like domain-spoofing, where cybercriminals pretend to be an insurance company or newspaper in order to trick people into clicking on links. Because it does that, companies that have implemented DMARC are much less likely to end up in the junk folder of services like Gmail.
“The vast majority of major threats that we read about in the news and are shocking begin with fairly mundane intrusions,” Manhattan District Attorney Cyrus Vance said today as he opened a press conference by the Global Cyber Alliance about DMARC. Trespassers often get onto other people’s servers using phishing, emails that trick people into revealing more than they should.
Government and the private sector started working together on a protocol to combat phishing in 2011. It didn’t take long before large email providers started implementing it. Like so much in security, it really only works if it’s implemented on both ends. Both the sender of the email and recipient need to implement the system so that each message can be authenticated. The sender needs to put a proof on the email that it’s legitimate and the receiving server needs to be able to interpret that proof.
With big email providers like Gmail and Yahoo implementing it, it’s much harder for criminals to spoof those domains, but that doesn’t stop them from spoofing power companies and department stores if those domains don’t publish the records the email platforms need to check.
GCA staff said that 76 percent of consumers are sending and receiving their email on servers that have implemented the protocol, so “we now need the other side, the businesses, the governments,” said GCA’s Shehzad Mirza.
These companies stand to benefit, too. Email security firm Agari studied the topic and found that domain authentication saves firms money on customer support (because they aren’t getting calls about emails they didn’t actually send), increases the return on promotional emails (because fewer go in the junk folder) and the price of their cybersecurity insurance drops.
Gary Mazet from the Marsh & McLennan Companies called email “the enabler of commerce.” Alphabet’s G Suite has a guide for its enterprise customers to get set up with DMARC.
Government has begun moving to do its part.
“What I really like about DMARC is it’s not that complicated,” the Department of Homeland Security’s Jeanette Manfra said at the press conference. DHS has the authority to direct the civilian government to implement security practices. Today, it will issue a binding operational directive that agencies under its authority implement DMARC. In roughly 16 months, it should be fully implemented at the highest level across the federal government.
(DHS will also be directing government websites to implement HTTPS, which encrypts the connections between readers and publishers online.)
“If an email is coming from the IRS or FEMA, you need to believe and trust that it really is from the IRS or FEMA,” Manfra said.