DMARC is extremely useful, yet I’ve heard some vendors are putting their implementations on hold because of the IETF DMARC working group. You really shouldn’t wait though — it’s been in wide use for nearly three years, enterprises are looking at DMARC for B2B traffic, and the working group charter is limited in it’s scope for changes.
Let’s compare this to a similar situation in the past. When I was on a panel at the INBOX Conference in 2006, I told the audience — which included email appliance makers, software vendors, and email service providers (ESPs) — that they should already be offering SPF and be preparing to support DKIM, which would be finalized Real Soon Now (in fact it took another year). But I did not tell them they should be implementing DomainKeys…
DomainKeys had been announced two years earlier and was an effective technology, but it was not widely deployed — a number of senders were using it, but few mailbox providers or companies were using it to filter inbound messages. Meanwhile the IETF DKIM working group was creating something different from and incompatible with DomainKeys. So the decision to wait for the DKIM working group to finish was reasonable.
Today, the circumstances around DMARC are very different. DMARC has been filtering the email sent to over 80% of consumer mailboxes in the US alone for almost three years now, and over 80,000 active domains have published DMARC records. It’s already popular with saavy email senders and domain owners for the light it sheds on where email using their domains is coming from. And just as enterprises became enthiastic users of TLS for B2B email, DMARC is being evaluated as an additional protection for sensitive B2B email channels.
The IETF DMARC working group is chartered to fix some important interoperability issues with forwarded email, mailing lists, and other “indirect” mailflows. However the working group is not chartered to make major changes to the protocol, the way the DKIM working group was — maintaining interoperability with existing implementations is a key objective.
Several vendors and services have already integrated DMARC filtering into their products (list at dmarc.org), and you can bet more have it in the pipeline. So if you’re planning the next release of your email appliance, MTA, or related software, you should make sure you’ve got DMARC support in the works too.
Note: This essay was first posted on CircleID.com