How do Email Headers help verify an email's authenticity and The Future of DMARC

1
How do Email Headers help verify an email's
authenticity and The Future of DMARC
2

• When someone receives an email, they see sections
  of the message that the majority of people are
  interested in. In addition to the message body,
  the receiver will normally see a few header
  fields, such as From To, Subject, and Date
  which transmit basic information about the email
  message's stated origin and topic.These headers
  are only a subset of the total number of headers
  in the email.
• The method for making hidden headers visible
  will differ depending on the mailbox provider. In
  Gmail, you can access the email header by
  clicking on the three dots in the upper right
  corner of a message and then Show Original.
  Other providers will have an option on a menu
  such as Show Message Source or words to that
  effect.

3

• You'll know you've arrived at the proper location
  when you notice a lot of text with lines
  beginning with phrases like Received,
  Return-Path and others including the one we're
  interested in, Authentication-Results, which
  will look like this

4

• To establish the identity of the parties
  responsible for a particular communication, email
  authentication protocols such as SPF, DKIM, and
  DMARC are employed. In this header, mailbox
  providers will record the outcomes of the
  authentication checks performed on a message, and
  we can see that this message obtained pass
  verdicts for all three.
• The mailbox provider will then utilize the
  information in this header, as well as other
  information about the responsible parties, to
  determine where to store this message in the
  recipient's inbox.
• If you're a user who's wondering why a message
  wound up where it did, you might want to look at
  this header. It is important to note that while
  fail judgments may increase the likelihood of the
  message being placed in the user's spam/junk
  folder, pass verdicts do not ensure that the
  message will be placed in the inbox.

5

• These procedures reliably confirm the identities
  of the parties involved. If such persons are
  known to the mailbox provider as senders of
  unsolicited mail, the mailbox provider's choice
  to place the message in junk is made easy.
  Senders attempting to standardize their
  authentication processes can also utilize the
  Authentication-Results header, although it is
  not their greatest tool for doing so.
• Repeated cycles of send a message, check at
  Auth-Results header, tweak, repeat are a
  technique for the tiny sender employing one
  server and one IP address (albeit a tedious one).
  The Authentication-Results header, on the other
  hand, is only a grain of sand on the beach of
  emails that a domain owner delivers.
• DMARC aggregate reports are far better tools for
  them because, rather than being unduly focused on
  the details of email to one mailbox at one
  provider, domain owners can focus on the wider
  picture of their whole email sending program.

6

• How Does DMARC Help?
• End users can obtain DMARC aggregate reports,
  which compile statistics on the authentication
  information for every email sent from their
  domain. Senders can additionally request a class
  of processing for a failed authentication
  message. 
• However, enforcement is an important component
  of DMARC, and only 13 of DMARC users are now at
  enforcement. Without it, recipients are not given
  instructions on how to handle a message that
  fails authentication, allowing counterfeit emails
  to enter the inbox. For the receiver, DMARC
  matches SPF and/or DKIM authentication results
  with what the user sees in the From field of
  their email.
• As DMARC use increases, domain owners can rest
  assured that only allowed senders are using their
  domain. End users, too, can be increasingly
  convinced that the message in their inbox is from
  who it says it is From without having to dive
  through email headers. However, we are still far
  from reaching optimal protection. 

7

• The Future of DMARC
• DMARC involves complexities that are difficult
  and time-consuming for most businesses to
  execute. Furthermore, it is dependent on two
  additional standards, SPF and DKIM, both of which
  are difficult to apply and prone to mistakes.
• We'll probably witness a trend toward more
  direct communication regarding DMARC's technical
  elements. There are already free tools available
  to help with the often-complicated first phase of
  a DMARC endeavor, which would normally need human
  XML report interpretation. Giving domain owners
  DMARC visibility without the technical effort is
  only the first step toward making DMARC
  enforcement available to everyone. 
• DMARC paves the way for new security standards
  and specifications that will benefit all
  departments, from IT to marketing. Brand
  Indicators for Message Identification (BIMI), a
  new email specification that allows brand logos
  to be shown within compatible email clients, is
  one example. To be qualified for BIMI (and the
  corresponding 10 boost in email engagement), a
  company's DMARC policy must be in place. Hence,
  it is advised to adopt DMARC as soon as it is
  feasible for your brand.