Fifteen companies including PayPal, Google, Microsoft and Facebook are banding together to fight domain-based phishing and other email scams with the new DMARC specification.
Google, Yahoo, Microsoft and
other major email providers are committed to stomping out phishing attacks and
other email-based Web scams.
Major brands, such as Bank
of America and Facebook, joined large email providers to announce Jan. 30 the
new Domain-based Message Authentication, Reporting and Conformance framework
along with an associated working group, DMARC.org.
DMARC is an authentication
layer for email that will make email messages trustworthy again and make
phishing more difficult, Brett McDowell, chair of DMARC.org and senior manager
of customer security initiatives at PayPal. Fifteen companies have joined
DMARC.org to date.
DMARC will not block all
malicious emails, DMARC.org participants warned. Rather, it targets a very
specific form of domain-based phishing, namely messages that have been spoofed
to look like it came from a specific domain. If deployed correctly by both the
outgoing mail server and the recipient servers, DMARC will help organizations
identify and flag messages that claim to be sent by PayPal.com but sent by a
server not associated with PayPal, McDowell said.
defrauds millions of people and companies every year, resulting in a loss of
consumer confidence in email and the Internet as a whole," said McDowell.
The draft specification
creates a feedback loop between legitimate email senders, such as Facebook,
LinkedIn, Bank of America and PayPal, and mail receivers, such as Google,
Yahoo, Microsoft and AOL. Google has deployed it for Gmail, Yahoo for Yahoo
Mail, and Microsoft for Hotmail. For users of those email services, every mail
they receive purporting to be from Facebook, LinkedIn and PayPal would be
authenticated because both ends of the transaction use DMARC, according to
"Agari and our
DMARC.org partners have invested the past two years to build upon industry
specifications to create the most efficient and far-reaching model for
eliminating domain phishing," said Patrick Peterson, CEO of Agari.
DMAR would not stop all spam
or phishing, but will stop a "significant chunk" of malicious
messages being sent, said Paul Midgen, senior program manager on the delivery
and safety team for Windows Live Hotmail at Microsoft.
Recent Google data found that
roughly 15 percent of non-spam messages in Gmail are coming from domains
protected by DMARC, "which means Gmail users like you don't need to worry
about spoofed messages from these senders," Adam Dawes, a Google product
manager, wrote on the Google
Online Security Blog
The DMARC specification is
intended to work with existing mail authentication systems such as DomainKeys
Identified Mail and Sender Policy Framework and the security of the Domain Name
System records, according to McDowell. Instead of replacing DKIM or SPF, DMARC
creates a stream of authenticated email messages. Mail servers processing
incoming mail currently do not have a reliable way to know which senders are
using SPF or DKIM, making it a challenge to tell whether the originating server
was legitimately associated with the domain or not, McDowell said.
DMARC adds "significant
value to SPF and DKIM," said Midgen.
Since DMARC would be
deployed on both ends of the email transmission, receivers know which servers
are authentic. Domain owners can also write policies that instruct all mail
servers that use DMARC data to automatically flag or discard messages that are
sent from servers other than the ones under their control.
The phishing potential
"plummets when the system just works," according to Dawes.
Mail administrators can
configure DMARC to write policies for treating bad email. They can choose to
let the malicious mail through, but to monitor what is happening, treat the
message as suspicious and flag it for users, or reject the message outright and
block it from reaching user in-boxes.
Email security platform Agari
offers organizations a ready-made
platform to access DMARC data for instant analysis without having to implement
the framework on their mail servers. Agari claimed to already reject more than
1.5 million messages per day using DMARC data for its customers, and
approximately 1 million messages get flagged as spam.
Even if organizations are
not ready to "take on the challenge" of authenticating all the
outbound mail, "there's no reason to not sign up to start receiving
reports of mail that fraudulently claims to originate from your address,"
Email certification and
reputation-monitoring company Return Path fully supports the DMARC
specification in its Domain Assurance anti-phishing offering. Domain Assurance
analyzes data sent via DMARC to provide customers with detailed reports about
the messages being sent using the domain name and where it's being sent from,
according to Return Path.
adoption of DMARC will make a significant dent in scammers' ability to
perpetuate crime through email," said Matt Blumberg, CEO of ReturnPath.
The specification will be
submitted to the Internet Engineering Task Force to become a standard,
according to DMARC.org.
However, there were concerns
that DMARC might not make that much of a difference. While DMARC was a
"good idea," it's "unlikely to be a game-changer," said
Josh Daymont, a principal at Securisea. While larger mail service providers may
adopt the framework, there are "hundreds of thousands, if not millions, of
small companies that run their own email servers" who may not bother
adopting the specification, Daymont said.