Google is tightening its policy for handling emails that fail the authentication checks of the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard.
Starting June 2016, Google’s policy will be to reject outright all emails that fail the DMARC checks to protect against domain spoofing attacks, a company executive said Tuesday.
“Google is committed to email authentication,” John Rae-Grant, lead project manager for Gmail, said in a statement issued by DMARC.org Tuesday. “In June of 2016, we will be taking a big step by moving gmail.com to DMARC policy p=reject,” Rae-Grant said, referring to the stricter policy standard the company will begin using.
Google is joining Yahoo and AOL in implementing stricter DMARC, a widely used standard that lets email receivers verify whether a message really comes from its purported sender. It provides policies that domain owners can use to tell receivers what to do with a message that fails the authentication tests implemented under the standard.
Yahoo and AOL have claimed huge success in combating email fraud by using DMARC to reject emails containing their domain names but originating from external email servers. Yahoo’s initial success with DMARC recently prompted the company to announce plans to extend use of the standard to its Ymail and Rocketmail services as well.
With Google’s proposed policy change next year, the company too will instruct all email servers and services to reject messages from gmail.com that either do not originate from its servers or fail other DMARC authentication checks.
DMARC was developed as a way to combat fraud resulting from email address spoofing. This is a type of fraud where attackers forge real email addresses and use them to send spam and phishing emails to victims who often fall for the hoax because the emails appear to originate from sources they trust.
DMARC offers a mechanism for authenticating the origin of an email and allows receivers to either quarantine, report or reject messages that fail the checks. Domain owners and email services can use DMARC to instruct other email servers on how to handle messages that appear to be coming from their domain but fail the authentication checks.
As part of the transition, Google will adopt a recently developed protocol dubbed Authenticated Received Chain (ARC) to enable mailing list operators and other legitimate email forwarding services to deal with the stricter DMARC policy.
Currently, many legitimate emails sent by forwarding services and mailing lists are rejected because they fail DMARC checks. The ARC protocol is designed as a way around the issue by giving such services a way to authenticate forwarded emails in a manner that is compliant with DMARC’s checks.
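To make the policy mechanics concrete, here is an added example (not code from the article, Google or DMARC.org) that parses a DMARC TXT record and applies the domain owner's policy to a message given its SPF and DKIM results. The record, domains and mailing-list scenario are constructed for illustration, and the organizational-domain reduction is a simplification of what a real receiver does.

```python
from typing import Dict, Optional

# Constructed sample record for a hypothetical domain (not Google's actual
# DNS record). The article's change is the move of gmail.com to p=reject.
SAMPLE_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"

def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into its tag/value pairs, applying defaults."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")      # policy: none, quarantine or reject
    tags.setdefault("adkim", "r")     # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment: r(elaxed) or s(trict)
    return tags

def org_domain(domain: str) -> str:
    """Crude organizational-domain reduction (last two labels); a real receiver
    uses the Public Suffix List. Simplifying assumption for this example."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)

def dmarc_disposition(record: str, from_domain: str,
                      spf_pass_domain: Optional[str],
                      dkim_pass_domain: Optional[str]) -> str:
    """Return 'pass' when an aligned SPF or DKIM result exists, otherwise the
    action the domain owner's policy tag asks the receiver to take."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass_domain is not None and aligned(dkim_pass_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]

if __name__ == "__main__":
    # Spoof: From: example.com, but SPF only passes for the sender's own domain.
    print(dmarc_disposition(SAMPLE_RECORD, "example.com", "attacker.example.net", None))  # reject
    # Mailing list: SPF passes for the list host, DKIM broke when the body was modified.
    print(dmarc_disposition(SAMPLE_RECORD, "example.com", "lists.example.org", None))  # reject
```

The second call is the forwarding problem the article describes: under p=none the same message would only be reported, under p=reject it is dropped, which is the gap ARC is meant to close.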
“What happens with ARC is the mailing list is able to say ‘hey I got this message, it checked out okay, but I’m making changes to it so [DMARC authentication] won’t work,’” said Steven Jones, executive director of DMARC.org. The ARC protocol allows such services to securely declare their involvement in the forwarding of an email, so that email servers don’t reject the emails, Jones said in a conversation with eWEEK.
Jones described Google’s decision to start rejecting emails that fail DMARC checks as a significant step forward in combating email fraud. The more domains that adopt the stricter DMARC policy, the harder it becomes to impersonate them. “It raises the bar a bit on the amount of effort it takes to spoof an email,” Jones said.