Google, Microsoft Team Up to Fight Phishing, Spoofed Emails With DMARC

Fifteen companies including PayPal, Google, Microsoft and Facebook are banding together to fight domain-based phishing and other email scams with the new DMARC specification.

Google, Yahoo, Microsoft and other major email providers are committed to stomping out phishing attacks and other email-based Web scams.

Major brands, such as Bank of America and Facebook, joined large email providers to announce Jan. 30 the new Domain-based Message Authentication, Reporting and Conformance framework along with an associated working group,

DMARC is an authentication layer for email that will make email messages trustworthy again and make phishing more difficult, said Brett McDowell, chair of and senior manager of customer security initiatives at PayPal. Fifteen companies have joined to date.

DMARC will not block all malicious emails, participants warned. Rather, it targets a very specific form of domain-based phishing, namely messages that have been spoofed to look like they came from a specific domain. If deployed correctly by both the outgoing mail server and the recipient servers, DMARC will help organizations identify and flag messages that claim to be sent by but sent by a server not associated with PayPal, McDowell said.

"Email phishing defrauds millions of people and companies every year, resulting in a loss of consumer confidence in email and the Internet as a whole," said McDowell.

The draft specification creates a feedback loop between legitimate email senders, such as Facebook, LinkedIn, Bank of America and PayPal, and mail receivers, such as Google, Yahoo, Microsoft and AOL. Google has deployed it for Gmail, Yahoo for Yahoo Mail, and Microsoft for Hotmail. For users of those email services, every mail they receive purporting to be from Facebook, LinkedIn and PayPal would be authenticated because both ends of the transaction use DMARC, according to McDowell.

"Agari and our partners have invested the past two years to build upon industry specifications to create the most efficient and far-reaching model for eliminating domain phishing," said Patrick Peterson, CEO of Agari.

DMARC would not stop all spam or phishing, but will stop a "significant chunk" of malicious messages being sent, said Paul Midgen, senior program manager on the delivery and safety team for Windows Live Hotmail at Microsoft.

Recent Google data found that roughly 15 percent of non-spam messages in Gmail are coming from domains protected by DMARC, "which means Gmail users like you don't need to worry about spoofed messages from these senders," Adam Dawes, a Google product manager, wrote on the Google Online Security Blog.

The DMARC specification is intended to work with existing mail authentication systems such as DomainKeys Identified Mail and Sender Policy Framework and the security of the Domain Name System records, according to McDowell. Instead of replacing DKIM or SPF, DMARC creates a stream of authenticated email messages. Mail servers processing incoming mail currently do not have a reliable way to know which senders are using SPF or DKIM, making it a challenge to tell whether the originating server was legitimately associated with the domain or not, McDowell said.

DMARC adds "significant value to SPF and DKIM," said Midgen.

Since DMARC would be deployed on both ends of the email transmission, receivers know which servers are authentic. Domain owners can also write policies that instruct all mail servers that use DMARC data to automatically flag or discard messages that are sent from servers other than the ones under their control.

The phishing potential "plummets when the system just works," according to Dawes.

Mail administrators can configure DMARC to write policies for treating bad email. They can choose to let the malicious mail through, but to monitor what is happening, treat the message as suspicious and flag it for users, or reject the message outright and block it from reaching user in-boxes.
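The three handling choices above correspond to the DMARC policy tag values `p=none`, `p=quarantine` and `p=reject`, applied only when neither SPF nor DKIM passes for a domain aligned with the visible From address. The Python below is an added example, not code from the article or from any of the companies named. The `example.com` records are constructed, the organizational-domain check is a two-label simplification (real receivers use the Public Suffix List), and the `pct` and `sp` tags are ignored.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'deliver', 'monitor', 'quarantine' or 'reject' for one message."""
    tags = parse_dmarc(record)
    # A bare SPF or DKIM pass is not enough: the authenticated domain must
    # also align with the domain shown in the From header.
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"
    # Failure: apply the domain owner's published policy.
    return {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]

# Constructed sample records for a hypothetical sender domain.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
FLAG = "v=DMARC1; p=quarantine; adkim=s"
BLOCK = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Spoofed mail: SPF passes, but for the sending server's own unrelated domain.
    for rec in (MONITOR, FLAG, BLOCK):
        print(rec, "->", evaluate(rec, "example.com", True, "bulk.example.net", False, None))
```

The `rua` address in the monitor and reject records is where receivers send the aggregate reports that let a domain owner see failing mail before moving to a stricter policy.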

Email security platform Agari offers organizations a ready-made platform to access DMARC data for instant analysis without having to implement the framework on their mail servers. Agari claimed to already reject more than 1.5 million messages per day using DMARC data for its customers, and approximately 1 million messages get flagged as spam.

Even if organizations are not ready to "take on the challenge" of authenticating all the outbound mail, "there's no reason to not sign up to start receiving reports of mail that fraudulently claims to originate from your address," Dawes wrote.

Email certification and reputation-monitoring company Return Path fully supports the DMARC specification in its Domain Assurance anti-phishing offering. Domain Assurance analyzes data sent via DMARC to provide customers with detailed reports about the messages being sent using the domain name and where it's being sent from, according to Return Path.

"Fast, widespread adoption of DMARC will make a significant dent in scammers' ability to perpetuate crime through email," said Matt Blumberg, CEO of ReturnPath.

The specification will be submitted to the Internet Engineering Task Force to become a standard, according to

However, there were concerns that DMARC might not make that much of a difference. While DMARC was a "good idea," it's "unlikely to be a game-changer," said Josh Daymont, a principal at Securisea. While larger mail service providers may adopt the framework, there are "hundreds of thousands, if not millions, of small companies that run their own email servers" who may not bother adopting the specification, Daymont said.