Fifteen companies, including Google, Facebook, Microsoft, Yahoo and PayPal, have joined forces in a “technical working group” to jointly develop a standard for blocking phishing e-mails by verifying that they really come from the companies they claim to come from. It seems obvious that trusted, legitimate companies could come together to do this, but it has only started happening in the last 18 months.
What is DMARC?
DMARC.org – or Domain-based Message Authentication, Reporting, and Conformance – is a new e-mail authentication policy that will be available for use across the Internet. It is not a white list of approved senders: a domain owner publishes a policy in DNS that tells receivers how to check mail claiming to come from that domain and what to do when the check fails. DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. This means that senders will see consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC, which should encourage senders to authenticate their outbound email more broadly and can make email a more reliable way to communicate.
How Does DMARC Work?
A DMARC policy, published as a DNS TXT record at _dmarc.<domain>, allows a sender to indicate that its emails are protected by SPF (Sender Policy Framework) and/or DKIM (DomainKeys Identified Mail), and tells a receiver what to do if neither of those authentication methods passes – such as quarantining (junking) or rejecting the message. A pass only counts if the domain that SPF or DKIM authenticated aligns with the domain in the From: header that the user sees; without that alignment check an attacker could pass SPF for a domain they control while spoofing the visible From: address. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent and harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.
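The following script walks through the receiver-side evaluation just described: it fetches the domain's DMARC record, checks SPF and DKIM results for alignment with the From: domain, and derives a disposition from the p=, sp= and pct= tags. It is an added example written for this page, not code from the article or from DMARC.org; the DNS records, domain names and message results in it are constructed so that it runs offline, and the organizational-domain rule is simplified to "last two labels" where a real receiver would consult the Public Suffix List.

```python
"""Evaluate a DMARC policy for one message (added example, constructed data)."""
import random
from dataclasses import dataclass

# Constructed stand-in for DNS. A real receiver fetches the TXT record at
# _dmarc.<From: domain> with a resolver; the content here is illustrative only.
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; pct=100; adkim=r; aspf=s; "
                          "rua=mailto:dmarc-reports@example.com",
}


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict and fill in the DMARC defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    tags.setdefault("adkim", "r")      # relaxed alignment unless told otherwise
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")      # apply the policy to every message
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def lookup_policy(from_domain: str, dns=FAKE_DNS):
    """Return (parsed record, is_subdomain) for the From: domain, falling back to
    the organizational domain's record for subdomains, or None if nothing is published."""
    txt = dns.get("_dmarc." + from_domain.lower())
    if txt:
        return parse_dmarc_record(txt), False
    org = organizational_domain(from_domain)
    txt = dns.get("_dmarc." + org)
    if txt and org != from_domain.lower():
        return parse_dmarc_record(txt), True
    return None


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: the domain SPF or DKIM authenticated must equal the
    From: domain (strict, 's') or share its organizational domain (relaxed, 'r')."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the From: header the user sees
    spf_result: str    # "pass"/"fail"/"none" for the MAIL FROM domain's SPF record
    spf_domain: str    # the MAIL FROM domain that SPF actually checked
    dkim_result: str   # "pass"/"fail"/"none" for the DKIM signature
    dkim_domain: str   # d= tag of the verified signature, "" if unsigned


def evaluate_dmarc(results: AuthResults, dns=FAKE_DNS, sample=None):
    """Return (dmarc_result, disposition); disposition is none/quarantine/reject.

    `sample` in [0, 1) stands in for the receiver's random draw used by pct=;
    when None it is drawn with random.random()."""
    found = lookup_policy(results.from_domain, dns)
    if found is None:
        return "none", "none"   # no policy published; receiver falls back to its own filters
    policy, is_subdomain = found

    spf_ok = results.spf_result == "pass" and aligned(
        results.spf_domain, results.from_domain, policy["aspf"])
    dkim_ok = results.dkim_result == "pass" and aligned(
        results.dkim_domain, results.from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"

    disposition = policy["sp"] if is_subdomain else policy["p"]
    # pct= lets a domain owner phase a policy in: messages not selected get the
    # next weaker action (reject -> quarantine -> none).
    draw = random.random() if sample is None else sample
    if draw >= int(policy["pct"]) / 100.0:
        disposition = {"reject": "quarantine", "quarantine": "none"}.get(disposition, "none")
    return "fail", disposition


if __name__ == "__main__":
    phish = AuthResults("example.com", "pass", "attacker.example", "none", "")
    print(evaluate_dmarc(phish))   # SPF passed, but for the attacker's own domain
```

The phishing case is the one worth staring at: SPF passes, because the attacker controls the SPF record of the envelope domain they chose, yet the message still fails DMARC because neither authenticated identifier aligns with example.com in the From: header, and the published p=reject tells the receiver to drop it.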
What DMARC does is integrate authentication more completely into the receivers’ infrastructure. “A sender could set policies to easily request a provider to discard unauthenticated email in order to block phishing attacks,” the group suggests; meanwhile, comprehensive reports are sent back to the sender to help spot any loopholes or gaps in the system.
The other companies in the DMARC working group are AOL, Bank of America, Fidelity Investments, American Greetings, LinkedIn, and e-mail security providers Agari, Cloudmark, eCert, Return Path, and Trusted Domain Project. The move follows an announcement in November that Google, Microsoft, Yahoo, AOL, and Agari were authenticating emails from Facebook, YouSendIt, and other e-commerce companies and social networks.
According to Google, about 15 percent of all e-mail comes from DMARC members, and because those members have published DMARC records, their domains can no longer be easily spoofed in the From: header. This makes the anti-phishing group much more effective at stopping criminal gangs from using phishing to dupe unsuspecting users, although a policy only covers the domains that publish it; mail sent from a look-alike domain the attacker registers is not affected.
DMARC.org plans to submit the DMARC specification to the Internet Engineering Task Force (IETF) for standardisation.