Implement DMARC for Trust Before Google AMP for Email

5 min readSep 4, 2020

This article originally appeared on the Agari Email Security Blog

By Michael Cichon, Vice President, Digital Marketing, Agari

With marketers more dependent on digital channels, many may accelerate their tests of Google’s AMP for Email technology in search of an edge. But without an email protocol called Domain-based Messaging Authentication, Reporting and Conformance (DMARC), fraudsters could weaponize the trust customers expect from your brand for their own evil intentions and put consumers and businesses at risk.

The resulting damage to brand reputation and email marketing revenue streams could prove devastating at the exact moment they’re needed most.

Officially rolled out last year, AMP for Email enables marketers to send dynamic email messages with interactive, app-like functionality built into the emails themselves. For example, recipients can schedule an appointment, receive real-time flight statuses, update subscription preferences, see real-time product availability (“Only 10 left!”), engage with product demos, or even place purchases from directly within the email itself — without having to click through to a website.

According to April Mullen, director of strategic insights for email marketing platform SparkPost, AMP for Email isn’t just an interesting development for email. “It might be the most interesting thing ever to happen to email.”

But it may also come with a catch. By increasing interaction with recipients and even enabling them to place transactions directly from within the body of an email, brands foster a level of trust that may give recipients a false sense of security when interacting with all of a brand’s email communications — including those that aren’t AMP enabled.

Without first securing the brand from impersonation via DMARC, that could create a security and reputational nightmare for brands and their customers. And while DMARC is not the only line of defense against brand impersonation attacks, it is the foundation on which others (e.g., protection against look-alike domains) can be built.

AMP for Email: The Indispensable Channel Gets an Upgrade

Before we get to why that’s the case, let me be clear: Mobile, social media, and instant messaging are all very cool. But, when it comes to efficacy and ROI, they don’t hold a candle to email.

A full 72% consumers and 86% of business professionals say email is the preferred channel for interacting with the brands they know and trust. And today, email marketing returns $42 for every $1 spent — a $4 increase in ROI just since 2018. It is by far the most valuable digital channel in your portfolio.

And that was the case before shelter-in-place mandates were initiated to counter the coronavirus pandemic. Since then, email open rates have soared (especially for discounts), and optimal email distribution times have shifted markedly. At the same time, however, volume is skyrocketing and clickthrough rates have drifted downward.

With consumers reporting that only 25% of the emails were deemed interesting enough to act on even before lockdowns began, brands are actively seeking new ways to break through — including AMP for Email.

Pinterest, for example, has used AMP for Email to enable users to pin items right from within an email message. Lending Tree has used it to deliver emails with a personal loan slider that adjusted interest rates and monthly payments as the user slides it from left to right. And a Lending Tree email featuring an interactive quiz recently produced an 86% increase in click-through rates.

Brand Impersonation: Exploiting a New Kind of Trust

Some are concerned all this interactivity could also offer hackers a whole new way to target your customers.

There are hypothetical scenarios such as AMP-based malware that some fear could access credit card numbers, passwords and other confidential information when recipients fill out a form, click on a CTA, or confirm an action.

I won’t pretend to be an expert on how any of that would work. AMP for Email requires brands to get whitelisted with Google, and authentication requirements include the use of Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM), with DMARC recommended.

If all goes well, AMP for Email will have customers interacting with emails and confident they can use them to share information or make transactions. But recipients may likely assume that every email brand that uses AMP is trustworthy. This is the potential problem: AMP for email encourages interactions, and those interactions imply trust. Hackers tapping into that trust by impersonate brands could do untold damage.

Just look at what has happened since the start of the COVID-19 pandemic. The email sending domains of the World Health Organization (WHO) and many others were pirated by cybercriminals who then impersonated those organizations in emails that tricked recipients into revealing login credentials to their cloud-mail and other cloud apps. Recipients of those emails placed trust in the messages, which turned out to their surprise to be trust misplaced.

DMARC Isn’t Just Optional

For this reason and more, we’d of course suggest that Google’s DMARC recommendation become mandatory.

First introduced in 2012, DMARC is an open standard email authentication protocol that works with DKIM and SPF to give brands control over who is allowed to send emails on their behalf. It has proven successful at stopping billions of brand impersonation-based phishing attacks from ever reaching targets.

At its most essential, DMARC enables email receiver systems to recognize when an email isn’t coming from a specific brand’s approved senders, and gives the brand the ability to tell email receiver systems what to do with these unauthorized email messages — including delivering them, quarantining them, or rejecting them outright.

When implemented properly with its strictest, “reject” enforcement policy, DMARC can protect your brand’s customers, partners, shareholders, and the general public from impersonation attacks launched from your domains. DMARC isn’t optional to preventing these imposters. It’s integral.

DMARC won’t protect you from impersonation attacks launched from lookalike domains, however. For that, brands should source solutions that combine DMARC and lookalike defenses.

B2C Is Not Alone: Targeting Your B2B Customers

Brand impersonations don’t just target consumers — they can also target your partners and suppliers.

That means not only should you deploy DMARC, but so should every company in your supply chain. According to the FBI, advanced email threats result in more than $700 million in business losses each month, and 40% of that involves supply chain partners.

Whoever the target — B2C or B2B — your brand is likely to get the blame, costing you millions in lost business and customer defections or even lawsuits. And recipients may avoid your legitimate email marketing campaigns like the plague — if your email domains aren’t outright blacklisted by ISPs.

But according to Forrester Research, proper DMARC implementation has been shown to reduce phishing-based brand impersonation scams to near zero almost instantaneously, while email conversion climb an average 10%, leading to an average $4 million boost in revenue thanks to increased email engagement.

For me, that makes DMARC more than a “recommendation” — regardless of whether you ever adopt AMP for Email to boost your email marketing programs.

Checkout Forrester’s Total Economic Impact study for Agari Brand Protection™ here.




Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.