DMARC -- rebuilding trust in email [Q&A]
Email has become the default means of communication for both businesses and individuals, but as we saw yesterday it isn't without its problems.
A major issue with email is security: cyber criminals are getting better at creating phishing and other messages that accurately spoof commercial organizations. But there is a technology, Domain-based Message Authentication, Reporting and Conformance (DMARC), which has the potential to restore faith in email communication.
We spoke to Patrick Peterson, founder and executive chairman of email trust specialist Agari, to find out more.
BN: How did DMARC come about?
PP: For a long time it seemed like we would work for years to create amazing technology and the bad guys would simply replace their knife with a sword or their sword with a bow and arrow or their arrow with a gun. One of the areas that was most frustrating is that we would talk to organizations and they would say there was nothing they could do to protect their consumers. There was no way to stop people getting emails that claimed to be from their government, their bank, a social media site, or whatever.
Luckily there are some industry heavyweights, in particular PayPal, Bank of America, Google, Microsoft and Yahoo!, who felt the same way. They have been fighting these problems and dealing with these issues, so from 2007 to 2012, when we announced the DMARC standard, we spent our time coming up with a way to make email safe by controlling how a domain name gets used, thus making email more trustworthy and taking away one of the most valuable weapons the bad guys have.
BN: How successful has it been?
PP: There were many potholes in the road and bridges washed away that we had to find a means to cross. But at the end of the day we have an open standard that anyone on the planet can use and adopt royalty free. We have some big organizations, Barclays for example, who have been using DMARC very successfully to drive down business risk, make communications more trustworthy and turn the tables on the phishers.
It's a good example of how the industry can come together to craft new technology and over time and with persistence really change how the internet functions in a way that’s universally good for everyone.
BN: DMARC has been around for quite a while now, why is adoption still relatively low?
PP: First, when we're measuring major companies in the US and UK we're talking about large organizations and I think the reality is that they don't do anything quickly. They're big and complicated and they have huge legacy deployments, so it's difficult to get them to change what they do.
The second reason we've seen slow adoption is education. I still find, even five years on, I speak to people and they say, "I've heard of it, I attended a webinar two years ago, but can you explain it to me again?" Any new technology, especially if it's different to what has come before, requires education over and over again, and we’re still in the early stages of this with DMARC.
A third reason is that DMARC is so different. Everyone is used to buying something for their IT shop: a way to manage vulnerabilities, a new firewall, a new desktop anti-virus; they know and understand these things. DMARC and what Agari is doing is completely different -- there's no box, no software, all the data is coming from three million mailboxes. So although it's transformative, it's so different that it’s harder for people to understand.
BN: Are consumers beginning to lose trust in email?
PP: Sadly yes. Every customer we've had finds that the number of incidents they report goes down, their litigation risk goes down, but the number one factor they always have is more use of email, which shows greater trust. If consumers can trust emails from brands it changes the way they interact digitally with them. We need to move back to a society where we’re focussed on doing digital business and not be petrified of digital deception.
BN: Is there a need for education on the consumer side too?
PP: To make real progress on the consumer side we have to look at all of the things like think before you click, look at the URL you're going to, look for the padlock in the browser. There have been some good messages, especially from governments. The challenge is, although you can apply all these things, how do you really know if it’s safe or not? Sophisticated criminals can make that difficult, so you’re not sure even after applying all of the tests.
With DMARC we want people to be able to trust email in the same way that when you get in your car you trust that the safety systems like seatbelts and airbags and anti-lock brakes will work to protect you even though you may not understand the detail of how they operate. Future developments will see emails arrive in your inbox with the logo of a bank or a government agency so you know it’s from a trusted source.
BN: Will consumer pressure bring about more widespread adoption?
PP: There's an argument going on in the US at the moment where people are beginning to ask why the government in particular isn't using more secure communication methods. Contrast that to the UK where the government has taken a strong leadership position and made clear that it owes it to its citizens to keep them safe. As we make digital services available we owe it to citizens that they can trust those services.
BN: How far away do you think we are from a tipping point for DMARC adoption?
PP: I would say if you look at that tipping point being 50 percent, we’re about 18 to 24 months away. That’s pretty bullish but you can see the dialog starting to change. In the early days it was, "What is this? This sounds like magic?" What you see now is people realizing that their industry peers have adopted it and that consumers are asking questions about doing business online. They're starting to see that it’s incumbent on organizations to ensure safe communication and protect their consumers. This will lead to organizations that don't adopt being called out by consumer groups, watchdogs and government regulators for not putting in basic controls.