Companies such as Google, PayPal, Facebook and Microsoft have teamed up to create a standard to help boost email security. They are part of a working group creating the DMARC standard, for Domain-based Message Authentication, Reporting & Conformance. It’s aimed at authenticating email to stop the spread of messages that look like they come from a legitimate sender but are really an attempt to get someone to visit a malicious website and enter their passwords.
The DMARC standard authenticates email by requiring both the sending and the receiving side to implement its policies. The idea is that an organization such as PayPal “signs” its outgoing email for all messages associated with its domains. Then, when a recipient gets such a message in their email account (if their provider is participating in the program), the mail host checks for the authentication and lets the message through. If a message says it’s from PayPal but does not carry PayPal’s DMARC credentials, it gets refused.
A report of which messages were received and which were refused is eventually sent back to the email sender. This lets legitimate senders see whether one of their domains isn’t currently credentialed, and it also tells them how many attempts are being made to spoof their address.
The result of all this is that consumers will no longer see spoofed email messages from phishers. However, consumers and employees will still have to keep their eyes open for email from hackers who implement DMARC on their own domains, such as messages from paypa1.com. DMARC only stops “bad actors” from appropriating legitimate domains in a sender line, not from sending email from look-alike domains.
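The receiver-side check described above, as an added illustration that is not part of the original article: DMARC builds on the two existing practices SPF and DKIM, and a message passes only if one of them succeeds for a domain that aligns with the visible From domain; otherwise the domain owner’s published policy (none, quarantine or reject) decides. The domains, IPs, records and messages below are constructed, and the organizational-domain logic is simplified.

```python
# Added example: a small model of the receiver-side DMARC check (RFC 7489).
from collections import Counter

def parse_dmarc_record(txt):
    """Parse the _dmarc.<domain> TXT record, e.g. 'v=DMARC1; p=reject; rua=mailto:...'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags

def org_domain(domain):
    # Simplified: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, from_domain, spf_domain=None, dkim_domain=None):
    """Return (dmarc_result, disposition). spf_domain: envelope domain that passed SPF, or None;
    dkim_domain: d= of a DKIM signature that verified, or None. Either one aligning is a pass."""
    spf_ok = spf_domain is not None and aligned(spf_domain, from_domain, record.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, from_domain, record.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", record["p"]        # the domain owner's published policy decides

def aggregate(record, messages):
    """Tally (source_ip, result, disposition): the data a rua= aggregate report carries back."""
    counts = Counter()
    for msg in messages:
        result, disposition = evaluate(record, msg["from"], msg.get("spf"), msg.get("dkim"))
        counts[(msg["ip"], result, disposition)] += 1
    return counts

# Constructed traffic a receiver sees with From domain bank.example.
MESSAGES = [
    {"ip": "192.0.2.10", "from": "bank.example", "dkim": "bank.example"},        # legitimate
    {"ip": "192.0.2.10", "from": "bank.example", "dkim": "mail.bank.example"},   # legitimate, subdomain signer
    {"ip": "198.51.100.7", "from": "bank.example", "spf": "phisher.example"},    # spoofed From, SPF for another domain
    {"ip": "198.51.100.7", "from": "bank.example"},                              # spoofed, no authentication
]
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@bank.example"    # monitor only: spoofs are still delivered
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@bank.example"
```

Running `aggregate` with both records shows why owners usually start at p=none: the strict record rejects the spoofed traffic, but strict alignment also rejects the legitimate mail signed by the subdomain, which is exactly the kind of gap the aggregate report is meant to reveal before the policy is tightened.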
And I’m sure some readers will be wondering why this is necessary, given that tech-savvy people can usually check who an email is actually from and uncover the spoofing. But this is for everyone else on the web, who may not know exactly how to protect themselves. With this standard, which the working group intends to submit to the IETF, tech companies are trying to plug some of the security holes in the web.
What we know as the web wasn’t a planned system but an amalgamation of technologies that has grown into a network connecting billions of people and things. Efforts such as DMARC join others, including the new IPv6 addressing effort and more efficient routing systems, in improving an existing ecosystem without costing players too much or shutting things down.
The underpinnings of the DMARC standard are two common email security best practices that are already implemented at about half of the domains on the web and in about 80 percent of legitimate email. As for consumers, most will have protection on webmail accounts such as Gmail or Hotmail. The biggest hole for the time being will likely be at mid-sized companies that still run their own email servers; they will have to wait for their email software provider to support the DMARC standard before they can implement it.
The following additional companies are participating in the effort so far, but others can join now that it is launched: AOL, Bank of America, Fidelity Investments, American Greetings, LinkedIn, Agari, Cloudmark, eCert, Return Path and the Trusted Domain Project.