DMARC Research Timeline

Timeline of the Zulu Labs Inc Trusted Sender Score Investigation into the effects DMARC has had on cyber security and email reputation and delivery.

DMARC History & Research Timeline

The timeline shows key industry milestones and Zulu Labs Inc observations with respects to adoption of DMARC (Domain Messaging and Reporting Conformance) RFC 7489.

  • 21 Mar, 2013
  • DMARC Concept Introduction

    Domain-based Authentication, Reporting & Conformance (DMARC) is made available to the public for the first time to comment.

  • April. 2014
  • Submission Track Release

    The following organizations were the Founding contributors and saw the project go live after numerous planning, commentary and refining:
    Receivers: AOL, Comcast, GMail, Hotmail, Netease, Yahoo! Mail
    Senders: American Greetings, Bank of America, Facebook, Fidelity, JPMorgan Chase & Co., LinkedIn, PayPal
    Intermediaries & Vendors: Agari, Cloudmark, ReturnPath, Trusted Domain Project

    Yahoo Pioneers with significant issues and backlash

    The implementation was for Yahoo mailing-lists with the intent of reducing the phishing and malicious emails users were sending.
  • February. 2015
  • Zulu eDM - Internal Decision To Watch Uptake

    At this stage there was no industry push or set of business guidelies for email service providers or businesses to follow. There was indication from our logs that any ISPs or webmail providers had adopted the standard. We set this to a watch only action.
  • November, 2015
  • Google / Gmail moves to strict DMARC

    The third and SECOND last Giant Webmail provider to implement a strict DMARC policy.

  • April, 2016
  • Zulu eDM Prpject Start - We start seeing DMARC effects

    A client sending more than 1 million emails per day starts to see big delivery and open rate drop-offs. Our investigation led to the Webmail providers not accepting support tickets unless the emails were sent from a DMARC comliant domain.

  • July, 2016

    Off the back of US Government recommendations, The Australian Government issued the Mailicious Email Mitigation Strategy recommending that DMARC being implemented for inbound ONLY emails. David Barnes starts to examine and investigate why only inbound when the domain is NOT protected from illegal use.

  • November, 2016
  • Phase 1 Complete- Franchise & Large Senders

    Initially we invited a few customers that had risk exposure and delivery variances to implement the DMARC program in their Zulu eDM Account. We started to use DMARCIAN as our preferred policy reporting tool.

    Meeting with Return Path - Sydney

    Return Path who manage many of the World's Feedback Loops confirmed the Zulu inplementation would meet thier standards for ALL organisation types including Franchise Networks.
  • May, 2017
  • Phase 2 Complete - Product Management Complete

    Implementing the staff user interface and business rules was completed and launched.

    The enormity of the task and impact on businesses became truly apparent. More testing and monitoring was needed to understand the best mechanisms to proetct a business from domain risk. Significant domain repuatation effects were seen from poor campaign practices. This was not conclusive.
  • August, 2017
  • Final Phase Complete - DMARC Mandated

    This release enabled all account holders use a DMARC enabled domain. Although untested we foud no evidence of any other product enforcing the authentication.

    FREE Account holders were allocated a mail redirect using our domain as their SMTP:FROM (Return Path). To ensure All client sign-ups are vetted and cross referenced for aurthenticity.

    The enormity of the task and impact on businesses became truly apparent. More testing and monitoring was needed to understand the best mechanisms to protect a business from domain risk. Significant domain repuatation effects were seen from poor campaign practices. This was not conclusive.

    The effect and variance on domain reputation and therefore deliverability of small irregular senders of email was significant and a concern.
    DMARCIAN assigns double check status to Zulu eDM Email Services.

    Zulu eDM publishes the World's first Anti-SPOOF and Phishing policy, designed to give visibility ot the domanis and applications that send email on our behalf.

  • January, 2018
  • US Govt Increases DMARC to Reject and hopes businesses follow.

    Our interpretation of this announcment, other than the obvious security enhancement is to encourage any businesses looking to interact via email to implement DMARC.

    Non compliant companies will not get email through to the US Government.
    Adoption of DMARC increases significantly in the US.
  • February, 2018
  • Zulu eDM Releases SMTP Relay

    Having the only access to DMARC only data as an ESP we could clearly see that a mixed mail strategy is the most effective way to maintain email reputation across the enterprise or small business.

    Key research shows that automated marketing emails, excessive list blasting and subscriber opt-in IP address matching are all critical success factors that will help businesses benefit and not suffer by being accountable.
  • May, 2018
  • Zulu eDM Launches Trusted Sender

    Our research has concluded that the email clients and webmail providers are implementing trust / protection tools in many in different ways if at all. So how can we help to share our knowledge and give the general public a resource to help identify good and responsible senders of email? We launched Trusted Sender, helping to vet senders through best practices, technology implementation, education and processes to prevent attacks.

    How does the general public know that the invoice they received is real or a SPOOF?
    How do non technical users of email check that on how likely or unlikeley the email they have received has taken the necessary steps to prevent it's illegal use?
    Raise public awareness to the fact that receiving a SPOOF from a supermarket and falling for the SCAM now has possible ramifications of negligence if companies choose to do nothing when there is now a solution.

    The Trusted Sender Mascot

  • 12 June, 2018
  • Trusted Sender App & Supporting Informatiom Launched

    The first notice to clients and partners sharing both Trusted Sender and the Community App, Email Sender Check was sent by David Barnes. The email was posted in full on the Trusted Sender blog.

    It is the first time that we know of that organizations have been made aware of the pending possible liability they may face if their domain is SPOOFED. Thee key observations we shared:

    Observation 1: The main purpose of protecting your domain from illegal email activity is to protect the community against email related criminal activities. Failure to do so using freely available technology may result in claims against the domain owner of being negligent resulting in compensation and in some cases criminal charges.

    Keep up to date with the Trusted Sender Blog

    Trusted Sender Blog

  • 14 June, 2018
  • ACCC Scam Watch & Queensland Government Informed

    The Australian Competition & Consumer Commission (ACCC) who provide the SCAM Watch web site and the Queensland Government were both advised of the following:
    The information on how to check a Phishing and email scam should be updated. Organizations are able to STOP their domains from being SPOOFED. If they do not they can face legal action if email users fall victim to a phishing or email scam using an organizations domain.
    We have published a FREE sender check app for anyone to check the authenticity of a sender and if they should be cautious or if they are safe
    For further information please review our research
    SCAM Watch ACCC QLD SCAM Watch

    The following checks (searches) were subsequently performed on Email Sender Check:
  • July 18, 2018
  • Schools, Insurers & Law Firms Made Aware

    There is no reason why an email SCAM using a SPOOFed domain should effect the general public. David Barnes has been meeting and discussing the issue with top law firms and insurers to educate the industries with respects to this problem and the available solution.

    A comment was made that the incoming mail servers need to check for DMARC to create a liability for the domain owner, that covers over 85% or the internet email users!

    So far ONLY 2 firms have implemented DMARC or even pursued this matter.
  • July 30, 2018
  • Agari, Oracle & Zulu Aligned

    In discussions (pre any non-disclosure) Agari (one of the Worlds leading email security firms), the email team at Oracle and Zulu are all aligned with the research presented here and how the market will adjust quickly to the DMARC issue.

    Interestingly the information we had to share on what happens post implementation to domain reputation is an aspect that has been not really been looked at before. Our published information is correct.

  • September 9, 2018
  • Email Sender Check launches a Wiki for contribution

    This is such a new space we felt it needed contributors from all industries. The Wiki can be found here

  • December 1, 2019
  • Zulu Trusted Sender is Launched

    What is now Trusted Sender Score was first launched on the domain. The project was built to help recipients of emails to understand which email domain they can trust using a simple metric from 0-10. The application featured FREE DMARC related tools for domain administrators.

    DMARC Research Data

    With the release of Zulu Trusted Sender came our free DMARC Research Datasets which still is available and can be found here

    Trusted Sender Score Datasets

    Subsequently in 2022 we have released new datasets based on domain trusted Sender Scores. The Trusted Sender Scores Domain Index can be found here
  • January 7, 2022
  • Trusted Sender Network Released

    The Cyber Security and Domain application, Trusted Sender Network, was released for general sign up. The application is free for single domain use. The application is used to monitor and manage email and domain cyber security requirements and in addtion provided tools to monitor Trusted Sender Scores.

We will continue to update this timeline as key milestones occur around the Globe

Search a Domain | Back to Start