DMARC and your Financial Institution Email

Return Path, the world’s leader in email certification and scoring, has recently announced the introduction of the DMARC specification (Domain-based Message Authentication, Reporting & Conformance), created in conjunction with a group of email senders, ISPs, and security vendors. Essentially, it is a registry that uses the existing best-practice email authentication protocols, SPF and DKIM (DomainKeys Identified Mail), and allows a sender to declare that all email sent from their domain will contain both SPF and DKIM authentication, and that anything else should be blocked.

Why is this so important? Financial institutions are among the most phished brands. While participation in the registry would require a bit of work to ensure that all outbound email from all sources contains both SPF and DKIM authentication, it would go a long way toward protecting your institution to the fullest extent possible at this time.

However, as this is still emerging, not all ISPs and webmail providers ‘subscribe’ to this registry; currently it appears to be Google leading the pack. If enabled, this would allow Google (and future adopters of the registry) to rightfully block any email sent from your domain that was not properly authenticated, meaning any of your customers with email addresses at Gmail (and others in the future) could be confident that emails from you are legitimate. And although 100% participation from all ISPs may be too idealistic, proper authentication from all traffic sources can only help the cause.

ClickRSVP has recommended, and continues to recommend, that our clients implement both the SPF and DKIM authentication protocols as an industry best practice, and many of our clients have done just that for the email originating from our servers. Participation in DMARC would go a step further by ensuring that all outbound email traffic from all sources (beyond just marketing, this includes all institution email, whether originating from a vendor or in-house) also contains both of these authentication protocols.
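One way to check each sending source before declaring a policy, as an added example (not ClickRSVP's code): it reads the `Authentication-Results` header a receiving provider stamps on a test message from each source and reports which sources lack a passing SPF or DKIM result. The domain `examplebank.test`, the source names and the sample messages are constructed; the check that each pass is for the institution's own domain goes beyond the text above and follows the DMARC specification's alignment requirement in simplified form.

```python
import re
from email import message_from_string

DOMAIN = "examplebank.test"  # hypothetical institution domain

# Constructed sample messages, one per sending source (not real traffic).
SAMPLES = {
    "marketing-vendor": (
        "Authentication-Results: mx.receiver.test; "
        "spf=pass smtp.mailfrom=bounce.examplebank.test; "
        "dkim=pass header.d=examplebank.test\n"
        "From: News <news@examplebank.test>\n\nbody\n"),
    "in-house-alerts": (
        "Authentication-Results: mx.receiver.test; "
        "spf=pass smtp.mailfrom=examplebank.test; dkim=none\n"
        "From: Alerts <alerts@examplebank.test>\n\nbody\n"),
    "statement-vendor": (
        "Authentication-Results: mx.receiver.test; "
        "spf=pass smtp.mailfrom=mailer.vendor.test; "
        "dkim=pass header.d=vendor.test\n"
        "From: Statements <statements@examplebank.test>\n\nbody\n"),
}

def aligned(candidate, domain):
    """Simplified alignment: the same domain or a subdomain of it."""
    candidate = candidate.lower().rstrip(".")
    return candidate == domain or candidate.endswith("." + domain)

def check(raw, domain=DOMAIN):
    """Return a list of problems for one message; empty means ready."""
    header = message_from_string(raw).get("Authentication-Results", "")
    problems = []
    # Only the first result of each method is inspected.
    for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        result = re.search(rf"\b{method}=(\w+)", header)
        ident = re.search(
            rf"\b{re.escape(prop)}=(?:[^\s;@]*@)?([^\s;]+)", header)
        if not result or result.group(1) != "pass":
            problems.append(f"{method} did not pass")
        elif not ident or not aligned(ident.group(1), domain):
            problems.append(f"{method} passed for another domain")
    return problems

def audit(samples=SAMPLES):
    """Map each source name to its list of problems."""
    return {source: check(raw) for source, raw in samples.items()}

if __name__ == "__main__":
    for source, problems in audit().items():
        print(source, "OK" if not problems else "; ".join(problems))
```

A source such as the constructed `statement-vendor` authenticates successfully but only for the vendor's own domain, which is the case a pass/fail count alone would miss.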

Imagine if you could someday give your customers the peace of mind that all email they receive from your domain is legitimate – a goal we certainly hope to see all stakeholders in email delivery and anti-phishing working towards.
