By next summer, most of the major Web-based email providers will have implemented a policy of strictly adopting the DMARC protocol.
Google, in a statement published Tuesday by DMARC.org, said it will move gmail.com to a policy of rejecting any messages that don’t pass the authentication checks spelled out in the DMARC specification.
DMARC, short for Domain-based Message Authentication, Reporting and Conformance, wards off email spoofing, which is central to most phishing attacks. The premise behind DMARC is that checks email against both the Domain Keys Identified Mail (DKIM) and Sender Policy Framework (SPF) validation systems. If a message satisfies these checks it is sent through to the recipient, otherwise it’s quarantined.
The move complements similar initiatives from Yahoo and AOL; Yahoo is expected to move its mail services to DMARC on Nov. 2 after announcing on Oct. 5 an expansion of its use of the protocol.
Phishing remains a constant and viable threat, not only from cybercriminals interested in fraud and financial crime, but also in targeted attacks by criminal and nation-state attackers.
DMARC has been especially effective in ferretting out email address spoofing. Attackers falsify a user’s email address and use it to send out phishing or spam messages.
Google’s John Rae-Grant, lead product manager for Gmail, said in a statement that Google will also support the Authenticated Received Chain (ARC) protocol. The ARC spec says the protocol adds a cryptographically signed header to an email that helps the message move along in the event DMARC is broken.
“When Yahoo and AOL began protecting their customers from abuse, there was a small percentage of users who were negatively impacted by the change,” DMARC said in its statement, adding that ARC will be presented for approval at an upcoming meeting of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) in Atlanta.
