Fighting phishing with DMARC

DMARC: Monitor & secure your email delivery

A few weeks ago we extended a special offer to every Postmark customer: 100K Postmark credits for setting up DMARC on a domain they’ve set up on Postmark. Your response has been, in a word, remarkable. Over 500 customers have created a custom return-path and set up DMARC, and we’ve handed out over 50 MILLION email credits to them all.

This offer runs through the end of the year, so you still have time to claim your credits if you haven’t already. If you’re a Postmark customer, or have been thinking about using Postmark, don’t miss out!

Why have we created an incredible DMARC guide and given away these credits to promote DMARC? Because email security matters to all of us, and DMARC is an important piece of the puzzle when it comes to modern email security.

Email is driven by activity from senders and was built in a time when most people on the ARPANET were on a first-name basis. This system of trust made it easier for email to take off as a protocol, but also enabled the wild, wild west of SPAM when people figured out you could abuse the system. Since then, email security has evolved and adapted to trends in unwanted email as they emerged.

Why are SPAM and phishing still a thing?

The best way to understand email scams is to think of the goal for each type of campaign. These scammers aren’t in it for the lulz. They want to make money.

Some of them push fake watches and cheap pharmaceuticals. When you see these pile up in your SPAM filter, you probably wonder how the people sending it make any money. It’s a complicated web to untangle, but researchers have done studies comparing the cost of legitimate advertising and SPAM. They found people sending SPAM can break even with one conversion for every 1.6 million emails. Justin Rao and David Reiley provided this chart in their paper about the economics of SPAM:

Breakdown of the spam supply chain

Sending SPAM is cheap! It only takes a handful of conversions to make these campaigns insanely profitable for people with no scruples.

Phishing is a little different, because the goal isn’t to sell anything. Instead, the scammers want to trick people into providing their login credentials or other personal information from one of their online accounts. There are two types of accounts scammers normally target: financial and email accounts. Historically, phishing campaigns worked like other types of SPAM, hitting a big target audience with an email constructed to look like it came from their bank or PayPal. The quality varies from campaign to campaign, with the best work faithfully mimicking the branding of global brands to dupe unsuspecting people.

One of the most successful tricks in the playbook for phishers has been to spoof the domain of the company they’re targeting. You’ve probably seen it in your spam folder: an email saying it’s from a bank’s domain, but the content points somewhere else entirely. As a savvy user, you won’t fall for these techniques.

But your customers might.

Protecting your business and your customers with DMARC

Earlier in this post, I mentioned DMARC is a piece of the email security puzzle. It fits in with two other protocols, SPF and DKIM, to give domain owners and businesses greater control over where emails originate. It does this by giving email servers instructions on how to handle fake messages when they are received.

Not every email provider uses DMARC to manage incoming messages, but setting it up alongside DKIM and SPF gives you greater control over your customers’ email experience. It maintains the sender-driven nature of email and helps ISPs and email security companies know you’re on top of email coming from your domain.

Even if you don’t use Postmark, DMARC is something you should set up for your product. You can get a weekly report with email activity from your domain, and our team built a DMARC tool that turns these XML reports into a friendly report you can scan quickly. If you’re not quite sure how to get started with DMARC, don’t miss our guide with all the specifics you’ll need to get started with DMARC for your domain.

And if making sure every email hits your customers’ inboxes fast matters to you, sign up for Postmark and set up DMARC before the end of the year. We’ve got 100K credits for you burning a hole in our pocket.