New Email Spec Aims to Tangle Phishing Lines
Fifteen leading email service providers and tech companies have announced a joint effort to fight phishers.
Google, Facebook, PayPal, Yahoo and Agari are among the companies behind the Domain-based Message Authentication, Reporting and Conformance (DMARC) spec.
DMARC is a technical specification that standardizes how email receivers perform email authentication using well-known mechanisms.
"The inspiration behind DMARC was PayPal's and Google's attempt to stop phishing together, but they quickly realized the model they were pursuing could not scale," said Daniel Raskin, vice president of marketing at Agari. That led to the formation of DMARC.
"For years now, cybercriminals have been leveraging brand content such as formatting, content and logos from the marketing emails of companies to create messages that attempt to drive users to sites where they will give up sensitive information such as usernames and passwords," Sam Masiello, general manager and chief security officer at Return Path, told TechNewsWorld.
What Does DMARC Do?
SPF lets administrators specify which hosts are allowed to send mail from a given domain by creating a specific SPF record in the domain name system (DNS). Mail exchangers use the DNS to verify that mail from a given domain is being sent by a host approved by that domain's administrators.
DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.
However, deploying SPF and DKIM is difficult because there's no scalable way for senders to indicate they want feedback and where that feedback should be sent.
DMARC lets senders establish policies in the public DNS that indicate their emails are protected by SPF or DKIM or both, and tell a receiver what to do if an email isn't approved by either of those authentication methods. For example, the policy could tell the receiver to treat a suspect email as junk or reject it.
Further, DMARC provides a way for the email receiver to report back to the sender about messages received.
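To make the mechanism above concrete, here is an added example (not code from the DMARC spec or from any company quoted here) of a receiver reading a sender's published policy and choosing what to do with one message. The tag names follow RFC 7489; the sample record, the example.com addresses and the simplified relaxed-alignment check are assumptions made for illustration.

```python
# Added illustration: parse a DMARC policy record and apply it to one message.
# Tag names (v, p, rua, aspf, adkim) follow RFC 7489; the record is constructed.
SAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s"

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    # The version tag must come first, and a policy must be one of three values.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def aligned(auth_domain, from_domain, mode):
    """Does the domain that SPF or DKIM authenticated match the visible From domain?"""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":  # strict: exact match only
        return a == f
    # Relaxed: real receivers compare organizational domains using the Public
    # Suffix List; this simplification only accepts a parent/child relationship.
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def disposition(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs from the receiver's checks."""
    policy = parse_dmarc(record)
    if policy is None:
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"
    # Neither mechanism vouches for the From domain: do what the sender asked.
    return {"none": "deliver", "quarantine": "junk", "reject": "reject"}[policy["p"]]

def report_address(record):
    """Where the sender wants aggregate feedback sent, if it asked for any."""
    policy = parse_dmarc(record)
    return policy.get("rua") if policy else None
```

A message that passes SPF only for some unrelated domain is still rejected here, because the pass has to line up with the domain shown in the From header.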
DMARC will let companies whose brands and formats are being leveraged by phishers "set policies which will tell ISPs to block these messages regardless of content or source IP address," Return Path's Masiello said.
Although DMARC lets email senders, such as Facebook, collect data from receivers, such as AOL and Gmail, it "is not a solution or product," Agari's Raskin told TechNewsWorld. "It's a blueprint only."
Email senders need to be able to process data they get from receivers. That's where Agari comes in. The company, a primary author of the DMARC spec, offers a big data platform for processing alerts, reporting and policy within the DMARC standard.
"Organizations interested in implementing the DMARC standard really have two options -- build a platform and the functionality needed to process raw DMARC data or use a cloud service," Raskin said.
Why DMARC? Why Now?
SPF and DKIM have been implemented by secure email providers such as Return Path, but the company has found that they are not widely used by email senders such as online marketers.
Little more than half the IPs with high sender scores, meaning they got few complaints, used DKIM, and only about 34 of them employed SPF.
"Google and other companies have been talking about how we can move beyond the solutions we've developed individually over the years to make a real difference for the whole email industry," Adam Dawes, a product manager at Google, told TechNewsWorld. Google processes billions of messages daily, both spam and clean messages.
Roughly 15 percent of non-spam messages in Gmail are already coming from domains protected by DMARC, Dawes added.
Microsoft Hotmail currently supports "a private-channel policy exchange, which provides protection and reporting equivalent to DMARC," Dick Craddock, company partner group program manager, told TechNewsWorld.
Hotmail uses DKIM and SenderID to authenticate emails and protect against phishing. It also makes several tools available to users.
Microsoft "will ship support for retrieving DNS-based DMARC policies later this year," Craddock said.