Google, Yahoo, AOL and a group of other large email senders and receivers have banded together to develop a new framework for sending and receiving email that is designed to stop phishing attacks and other email-borne scams. Called DMARC.org, the new group has come up with a specification called Domain-based Message Authentication, Reporting and Compliance that implements message authentication through the mail-transport agent and not the sender or user agents.
The specification is the product of a collaboration among the large email receivers such as AOL, Gmail, Yahoo Mail and Hotmail, and major email senders such as Facebook, Bank of America and others, all of whom have a vested interest in either knowing which emails are legitimate or being able to prove that their messages are authentic. The DMARC specification is meant to be a policy layer that works in conjunction with existing mail authentication systems such as DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework).
“Building upon the work of previous mail authentication standards like SPF and DKIM, DMARC is responding to domain spoofing and other phishing methods by creating a standard protocol by which we’ll be able to measure and enforce the authenticity of emails. With DMARC, large email senders can ensure that the email they send is being recognized by mail providers like Gmail as legitimate, as well as set policies so that mail providers can reject messages that try to spoof the senders’ addresses,” Adam Dawes, a Google product manager, said.
“We’ve been active in the leadership of the DMARC group for almost two years, and now that Gmail and several other large mail senders and providers — namely Facebook, LinkedIn, and PayPal — are actively using the DMARC specification, the road is paved for more members of the email ecosystem to start getting a handle on phishing.”
In the specification document, the DMARC participants lay out the technical details of the plan, which is seen mainly as a way to create a stream of authenticated email messages. Rather than being a replacement for DKIM or other previous frameworks, DMARC relies on DKIM and also depends upon the security of the existing DNS system to work.
“This document is significantly informed by ongoing efforts to enact large-scale, Internet-wide, anti-phishing measures. Whereas DMARC can only be used to combat specific forms of exact-domain phishing directly, the DMARC mechanism is viewed more importantly as a substantial step forward in terms of creating reliable and defensible message streams,” the specification says. “The DMARC mechanism is designed to enable highly accurate Internet-scale deployments of email authentication technologies. Anti-phishing measures are a compelling instance of what widely-deployed authenticated messaging streams can enable. As email authentication deployments continue to mature, additional authentication-enabled services are expected to be developed.”
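To make the "policy layer on top of SPF and DKIM" idea concrete, here is an added illustration (written for this article, not code from DMARC.org or any of the providers named) of what a receiving mail server does: it parses the sender's DMARC record from DNS, checks whether an SPF or DKIM pass is aligned with the visible From domain, and applies the published policy. The record text, domain names and authentication results are constructed sample values, and the organizational-domain helper is a deliberate simplification.

```python
# Minimal DMARC policy evaluation for one message (illustrative, constructed example).
# A real receiver fetches the record from DNS at _dmarc.<from-domain> and uses the
# Public Suffix List for organizational domains; both are simplified here.

def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s; aspf=r' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")   # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")    # SPF alignment: r = relaxed, s = strict
    return tags

def org_domain(domain):
    """Simplified organizational domain: the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if auth_domain is None:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, action). DMARC passes when SPF or DKIM passed AND that
    identifier is aligned with the RFC5322.From domain; otherwise apply the p= policy."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    action = record["p"].lower()
    return False, action if action in ("none", "quarantine", "reject") else "none"

if __name__ == "__main__":
    # Constructed record for a sender that wants spoofed mail rejected outright.
    rec = parse_dmarc_record("v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com")
    # Legitimate bulk mail: SPF passes for a subdomain, relaxed aspf accepts it.
    print(dmarc_disposition(rec, "example.com", "pass", "bounce.example.com", "none", None))
    # Spoofed From: SPF passes only for an unrelated domain, so nothing is aligned.
    print(dmarc_disposition(rec, "example.com", "pass", "mailer.example.net", "none", None))
```

The second case is the one the article describes: the message is technically "authenticated" for some domain, but because neither SPF nor DKIM vouches for the domain the user actually sees, the receiver applies the sender's reject policy.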
Phishing attacks have been a large-scale problem for both users and email senders for more than a decade now, and generations of security and mail-filtering companies have risen and fallen with various attempts to fix it. There have been a lot of other industry groups and frameworks that have emerged over the years as well, and the latest ones, including DKIM and SPF, have met with some success. But the huge volume of spam and phishing mail that continues to choke users’ inboxes shows that this is still far from a solved problem, and one that is bothering the email senders and receivers as well as the end users.
Companies such as Bank of America, Facebook and PayPal that rely on email to communicate with their customers are among the more common targets of phishers who use a variety of techniques to spoof the sending domain and try to trick users into opening their scam messages. Some users, wary of these attacks, have gotten to the point of distrusting just about any email that purports to come from one of these companies, leading to problems in communication between the companies and their actual customers.
DMARC participants are optimistic that the new specification will help alleviate this problem.
“Our recent data indicates that roughly 15% of non-spam messages in Gmail are already coming from domains protected by DMARC, which means Gmail users like you don’t need to worry about spoofed messages from these senders. The phishing potential plummets when the system just works, and that’s what DMARC provides,” Dawes said in his blog post.