Use email headers to verify email authenticity and the future of DMARC


When someone receives an email and opens it, they see the part of the message that most people care about.

In addition to the message content (body), recipients typically see a few header fields that convey basic information about the origin and subject of the message, such as From:, To:, Subject: and Date:.

These are only a small subset of the headers the message actually carries.

How you display the hidden headers depends on your email provider. In Gmail, click the three dots in the upper right corner of the message, then click "Show original" to see the email headers.

Other providers may offer a menu item such as “Show message source” or words to that effect.

If you see a lot of text containing lines that start with words like “Authentication-Results:”, “Received:” and “Return-Path:”, you know you’ve found the right place. It will look like the following.

(Image credit: Valimail)

Email authentication protocols such as SPF, DKIM, and DMARC are used to establish the identity of the party responsible for a particular message. The mailbox provider records the result of the authentication checks performed on the message in this header. Here you can see that this message received all three “pass” verdicts.

The mailbox provider uses the information saved in this header and other information that it knows about the responsible person to determine where to put this message in the recipient’s mailbox.

As a user, it’s a good idea to look at this header if you want to know where the message came from. Note that a “fail” verdict here may increase the likelihood that the message will be placed in the user’s spam folder, but a “pass” verdict does not guarantee placement in the Inbox.

These protocols ensure that the identity of the responsible party is established. If that party is known to the mailbox provider as a sender of spam, authentication simply makes it easier for the mailbox provider to put the message in spam.

Senders trying to tighten up their own authentication can also make use of the “Authentication-Results” header, but it is not the best tool for the job.

For small senders using a single server and IP address, an iterative cycle of “send a message, check the Authentication-Results header, adjust, and repeat” is a workable (albeit cumbersome) approach. However, for anyone sending at any volume, a single “Authentication-Results” header is just a grain of sand among all the email the domain owner sends.

For them, DMARC aggregate reports are a much better tool, because they let domain owners look at the entire email program rather than at the details of one email sent to one mailbox at one provider.


Senders can receive DMARC aggregate reports that summarize authentication data from all email sent using the domain.

The sender can also request a handling policy for messages that fail authentication. Enforcement is an important part of DMARC, but at this time 13% of DMARC users are at enforcement. Without it, the receiver gets no instructions on how to handle messages that fail authentication, which means that spoofed emails can reach the inbox.

For recipients, DMARC matches the authentication results of SPF and DKIM to what the user sees in the From field of the email.
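The comparison described above can be reproduced from the header itself. This is an added example, not code from the original article: it parses Authentication-Results, skips any copy not written by the recipient's own provider, and checks whether a passing SPF or DKIM identity lines up with the From domain. The sample message, the trusted_authserv_id parameter and the two-label organizational-domain shortcut are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the page); domains and authserv-ids are placeholders.
SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 203.0.113.7) smtp.mailfrom=bounce@mailer.example.org;
 dkim=pass header.d=mailer.example.org header.s=s1;
 dmarc=fail (p=NONE) header.from=example.com
Authentication-Results: mx.forged.invalid; dkim=pass header.d=example.com
From: Billing <billing@example.com>

Hello
"""

def parse_auth_results(value):
    """Return (authserv_id, {method: [(verdict, props), ...]}) for one header."""
    value = re.sub(r"\([^)]*\)", "", " ".join(value.split()))  # drop comments
    head, *parts = [p.split() for p in value.split(";")]
    results = {}
    for tokens in parts:
        if tokens and "=" in tokens[0]:
            method, verdict = tokens[0].lower().split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            results.setdefault(method, []).append((verdict, props))
    return (head[0].lower() if head else ""), results

def org_domain(value):
    # Assumption: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(value.rsplit("@", 1)[-1].lower().split(".")[-2:])

def dmarc_view(raw, trusted_authserv_id):
    msg = email.message_from_string(raw, policy=policy.default)
    from_org = org_domain(parseaddr(str(msg["From"]))[1])
    aligned, reported = [], None
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(str(header))
        if authserv_id != trusted_authserv_id:
            continue  # a header not written by our own provider proves nothing
        for method, keys in (("spf", ["smtp.mailfrom"]), ("dkim", ["header.d", "header.i"])):
            for verdict, props in results.get(method, []):
                ident = next((props[k] for k in keys if k in props), "")
                if verdict == "pass" and ident and org_domain(ident) == from_org:
                    aligned.append(method)
        reported = results.get("dmarc", [(None, {})])[0][0]
    return {"aligned": aligned, "computed": "pass" if aligned else "fail", "reported": reported}
```

In the sample, SPF and DKIM both pass, but for a domain other than the one in From, so the recomputed verdict matches the provider's dmarc=fail.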

As the adoption of DMARC progresses, domain owners can be confident that only authorized senders are using the domain, and end users can be sure, without digging into the email headers, that a message in their inbox really is from whoever it says is the sender. But we are still a long way from achieving optimal protection.

Where is DMARC going?

The DMARC standard was released in 2012, and by early 2020 almost a million DMARC records had been published. This is an increase of 70% from 2019 and 180% from 2018.

Publishing a DMARC record is not enough to protect your domain from impersonation. Of the nearly one million organizational domains that use DMARC, 13% are at enforcement, which is what really protects a domain against impersonation and malicious individuals.

Today, DMARC is a standard used by 80% of the world’s inboxes. Interest in DMARC continues to grow, but expertise is not keeping pace.

What comes next?

Bridging the gap between published records and enforcement

DMARC contains tedious intricacies that are difficult for most businesses to implement. In addition, it is based on two other standards, SPF and DKIM. These are difficult to implement and prone to errors.

There will be a shift toward more straightforward information on the technical aspects of DMARC. Free tools already exist to get past the complex early stages of a DMARC initiative, which typically require manual analysis of XML reports.

Providing domain owners with access to DMARC visibility without the overhead is just the first step in making DMARC implementation accessible to everyone.

No authentication, no entry?

The question that comes to mind for many: will DMARC ever be required? In January 2018, the Department of Homeland Security issued federal agencies with directive CA 18-01, but government mandates for other industries are unlikely.

However, you may have heard the term “no authentication, no entry”. It refers to a future in which one or more mailbox providers may choose to enforce a policy that rejects unauthenticated mail. Nothing has been promised yet, but domain owners can still reap the benefits of DMARC now and be ready if that happens.

Leverage DMARC as a cornerstone of future messaging capabilities

DMARC opens the door to other security standards and specifications that benefit all teams, from IT to marketing. An example is Brand Indicators for Message Identification (BIMI), a new email specification that lets you display your brand logo in supporting email clients. To qualify for BIMI (and the 10% increase in email engagement that comes with it), the company’s DMARC policy must be at enforcement.

Forrester believes that a typical large business can save $2.4 million annually by using a DMARC policy at enforcement. Organizations need DMARC for email security, corporate reputation, customer protection, customer engagement, and cost savings. DMARC is not going away and will be a priority in the years to come.
