PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

PCMag UK

DMARC: An End to Spam and Phishing... Again

Neil J. Rubenking
 & Neil J. Rubenking Principal Writer, Security

Our team tests, rates, and reviews more than 1,500 products each year to help you make better buying decisions and get more from technology.

Our Expert
LOOK INSIDE PC LABS HOW WE TEST
65 EXPERTS
43 YEARS
41,500+ REVIEWS

DMARC Industry Liaisons
The big problem with email is a total lack of accountability. Nothing in the specification for standard SMTP email traffic requires accurate identification of the sender. Spammers can use bots to spew unwanted bulk mail with a false sender address. Email viruses can spoof the sender address to avoid detection. Phishing sites appear and disappear quickly, with no audit trail leading back to the sender of phishing messages. The DMARC (Domain-based Message Authentication, Reporting & Conformance) specification aims to restore accountability to email and thus cut through the spam and fraud. And yet… we've heard this tale before.

Sender Policy Framework

SPF (Sender Policy Framework) lets the owner of a domain specify which servers can legitimately send mail from that domain. Receivers supporting SPF can simply reject any messages from unauthorized servers. An SPF-protected domain should be less attractive to spammers, since their messages can be easily and automatically blocked. For SPF to succeed, senders must implement its policy and receivers must reject unauthorized mail. SPF is roughly five years old.

DomainKeys Identified Mail

DKIM (DomainKeys Identified Mail) is a mashup of two earlier proposals, DomainKeys and Identified Internet Mail. It uses a digital signature to verify that an email message really did come from the domain stated in the sender address. The recipient validates the message using the signer's public key. The DomainKeys proposal is almost eight years old; the merged DKIM about five years old.

Recommended by Our Editors

Wikipedia Editors Could Strike Following Layoffs
Wikipedia Editors Could Strike Following Layoffs
Blue Origin’s New Glenn Rocket Explodes Spectacularly During Ground Test
Blue Origin’s New Glenn Rocket Explodes Spectacularly During Ground Test
Google Engineer Charged for Using Insider Info to Win $1.2M on Polymarket Bets
Google Engineer Charged for Using Insider Info to Win $1.2M on Polymarket Bets

Where's the Relief?

These proposed solutions have been around for a number of years, but spam and phishing activities are still going strong. Perhaps DMARC can succeed where previous efforts have not? As the image below shows, quite a few major players have signed on (click for a larger view).

DMARC Contributors

Here's the catch. DMARC isn't a new standard for sender verification. Rather, it "standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms." It's possible that all SPF and DKIM needed for spam-killing success was wider adoption. If that's the case, DMARC could save the day. Certainly adding sender verification to all AOL, Gmail, Hotmail, and Yahoo! mail couldn't hurt.

You can view the full specification and learn more at DMARC.org. And if you find the level of spam and phishing emails in your Inbox dropping precipitously, you'll know who to thank.

About Our Expert

Neil J. Rubenking

Neil J. Rubenking

Principal Writer, Security

My Experience

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.

The Technology I Use

Much of the testing I do, particularly testing with real-world ransomware, is just plain dangerous. To perform such tests safely, I sequester them inside virtual machines managed by VMWare Workstation. For cross-platform testing, I use a MacBook Air, a Google Pixel 4, and a 6th-generation iPad.

I rely on my Delphi coding skills to create and maintain small applications. These include programs to check whether an antivirus correctly handled the malware it detected, launch dangerous URLs and record the security program’s reaction, and analyze the malware that I collect for use in testing. I also wrote a tiny browser and text editor for use in testing security apps that have predefined reactions for known products.

I do my writing and research on a Dell OptiPlex desktop, relying on Microsoft Word (my fingers know all the shortcuts). Many of my articles include charts and analysis; Excel is my go-to for those. When work hours end, though, I escape the bounds of Microsoft and Windows. There’s an iPhone in my pocket, I relax with my oversized iPad, and my Kindle Oasis is always loaded with the best science fiction and fantasy.

Read the latest from Neil J. Rubenking

Read full bio