What’s the future of DMARC?

October 22, 2024 | sendmarc , DMARC
Elliot Wilkie

There’s been a huge uptick in DMARC adoption. But where does DMARC go from here? Is it still going to be necessary in a future where more businesses reach the recommended enforcement policy? How many are already there?

Recently, I co-hosted a webinar with Kieran Frost, COO of Sendmarc, where we tackled these questions head-on. Let’s dive into the current state of DMARC and where it’s heading.

A very brief history of DMARC

I’m going to assume some knowledge of DMARC, SPF and DKIM here. For those who need a refresher, here’s an explainer. Email was never designed with built-in security, which makes it vulnerable to impersonation attacks.

It’s almost unbelievable how easy it is to spoof an email domain and use it in phishing attacks – utterly ruining the domain owner’s reputation in the process.

DMARC is the answer to that problem. It enables domain owners to tell receiving mail servers what to do with emails that fail SPF and DKIM checks, and to receive reports on email sent using their domain. It’s roughly ten years old but wasn’t widely adopted. Google and Yahoo changed that completely.

The increase in DMARC adoption

Google and Yahoo announced that DMARC would become a requirement for any bulk senders – otherwise, their emails would not reach Gmail or Yahoo accounts. The definition of a bulk sender is anyone who has sent 5,000 or more emails in one day.

While that may exceed most businesses’ email activities, there are still requirements for those who send fewer. So, as well as security, DMARC suddenly started to look like a requirement for deliverability.

Email marketing platforms like Mailchimp and HubSpot began to require users to create DMARC records in order to verify their domains. Which brings me to …

What’s the current state of adoption?

There’s been a massive uptick in adoption. Here’s a quick snapshot from Sendmarc’s research. In September 2023, they looked at the top 5,000 companies in the UK. Only 25% had DMARC records, which is an alarmingly low figure.

By September 2024, 52% had DMARC records. It’s a massive increase, and says a lot about the impact of Google and Yahoo’s announcement. However, it’s not all good news.

First, nearly half of the top 5,000 still have no policy at all. Second, many of those who do are settled on a policy of p=none, where there’s no enforcement or protection. In other words, they’ve met Google and Yahoo’s criteria, but still have no protection.

These companies are at risk of domain spoofing. It’s a major security problem, and it’s one the channel can solve. This is why DMARC is such a big opportunity.

Why DMARC is still an opportunity

Let’s recap. Sendmarc’s research makes it clear that a huge number of UK businesses are unprotected. That’s either because they have no DMARC policy at all or because they’re settled at p=none with no plans to move towards enforcement.

The channel should be taking a lead on this. Brigantia launched Sendmarc for precisely this reason. In fact, we launched before Google and Yahoo announced their new policy, so our partners have been able to make the most of this opportunity and protect their clients.

What’s next for DMARC and will everybody need it?

Currently, Gmail and Yahoo will block bulk senders unless they have DMARC. So, what about businesses that will never send 5,000 emails per day? Can they ignore DMARC? All signs indicate that they can’t – even if we leave aside the fact that their domains are at risk without it.

First, we expect other email providers to follow Gmail and Yahoo’s lead. Requiring DMARC improves their anti-spam capabilities, and other players like Microsoft have every incentive to match those capabilities.

We’re also seeing it creep into regulations and industry standards. For instance, PCI DSS (Payment Card Industry Data Security Standard) guidance will soon require protection against domain spoofing. It doesn’t explicitly refer to DMARC by name, but in practice, DMARC will be the only way of meeting that guidance.

In short, Gmail and Yahoo are most likely the tip of the iceberg. DMARC is highly likely to become the norm, and as standard as an SSL certificate on a website.

Beyond DMARC

What happens when a business gets to a DMARC policy of p=reject? Is that the end of the road? The short answer is no. There are other protocols that are likely to become more widespread as time passes. To name two of them:

  • BIMI (Brand Indicators for Message Identification): BIMI allows brands to display their logos alongside authenticated emails. While it doesn’t provide security by itself, it does add a layer of trust for email recipients as it requires a DMARC record of at least p=quarantine.
  • MTA-STS (Mail Transfer Agent Strict Transport Security): This protocol helps secure the transmission of emails by enforcing TLS encryption. Currently, MTA-STS adoption is low, but we expect it to gain traction as the focus shifts to securing all stages of email. Read more about MTA-STS here.
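An added example, not from the article or from Sendmarc: a Python check that grades a domain’s DMARC TXT records along the lines drawn above (no policy, p=none, enforcement) and tests the DMARC precondition for BIMI. The domain names and records are constructed, and requiring pct=100 before counting a domain as BIMI-ready is an assumption of the example.

```python
# Added example (not from the article): grade DMARC TXT records by enforcement.
# Tag syntax follows RFC 7489; the sample records below are constructed.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and be exactly v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(txt_records):
    """Grade the TXT records published at _dmarc.<domain>."""
    found = [t for t in map(parse_dmarc, txt_records) if t is not None]
    result = {"status": "no-policy", "reports": False, "bimi_precondition": False}
    if len(found) != 1:  # none, or several: receivers apply no DMARC policy
        return result
    tags = found[0]
    policy = tags.get("p", "").lower()
    result["reports"] = "rua" in tags  # aggregate reports requested
    if policy not in ("none", "quarantine", "reject"):
        result["status"] = "invalid"  # flag for manual review
        return result
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    pct = int(pct) if pct.isdecimal() else 100
    if policy == "none":
        result["status"] = "monitor-only"  # record exists, nothing is blocked
    elif pct < 100:
        result["status"] = "partial"  # policy applied to a sample of mail
    else:
        result["status"] = "enforced"
    # The article: BIMI needs at least p=quarantine. Requiring full coverage
    # (pct=100) as well is an assumption of this example.
    result["bimi_precondition"] = result["status"] == "enforced"
    return result

SAMPLES = {  # constructed TXT answers for _dmarc.<domain>, not real lookups
    "a.example": [],
    "b.example": ["v=spf1 -all", "v=DMARC1; p=none; rua=mailto:dmarc@b.example"],
    "c.example": ["v=DMARC1; p=quarantine; pct=25"],
    "d.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@d.example"],
}

def survey(samples):
    """Map each domain to its enforcement status."""
    return {domain: assess(recs)["status"] for domain, recs in samples.items()}
```

Feeding `assess` the TXT answers for `_dmarc.<domain>` across a client list gives the same kind of split the research above reports: domains with no record, domains parked at p=none, and domains actually enforcing.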

It’s worth mentioning that Sendmarc enables both of these protocols. This is a real advantage for MSPs. As awareness of outbound email security increases, these additional layers of protection are highly likely to become more in-demand.

What the channel needs to do now

BIMI and MTA-STS are likely to become more prominent – but first, every domain owner should be protected from spoofing. DMARC is not a flash in the pan. It’s on its way to becoming a standard for all businesses, and it’s essential for preventing impersonation attacks.

The channel’s job is to educate businesses about those threats, so we can prevent them from happening. Sendmarc is a fantastic, MSP-friendly tool for managing DMARC at scale and getting your clients to p=reject quickly and without compromising email deliverability.

For a demo, or to find out more, get in touch.