Companies such as Google, PayPal, Facebook and Microsoft have teamed up to create a standard to help boost email security. They are part of a working group to create the DMARC standard (Domain-based Message Authentication, Reporting and Conformance). It is aimed at authenticating email to stop the spread of email that looks like it is from a legitimate sender but is really an attempt to get someone to visit a malicious website and enter his passwords.
The DMARC standard attempts to authenticate email by requiring both parties to implement DMARC-standard policies at either end. The idea is that an organization such as PayPal “signs” its outgoing email for all messages associated with its domains. Then when a recipient gets such a message in his email account (if his provider is participating in the program) the mail host checks for the authentication and lets the message through. If a message says it is from PayPal but does not have PayPal’s DMARC credentials, it gets refused.
A report of which messages were received and refused are eventually sent back to the email sender. This allows legitimate senders to see if one of their domains isn’t currently credentialed, but it also lets them know how many attempts are being made to spoof their address.
The result is consumers will no longer see spoofed email messages from phishers. However, consumers and employees will still have to keep their eyes open for emails from hackers that might implement DMARC on their own domains, such as emails from paypa1.com. DMARC only stops “bad actors” from appropriating legitimate domains in a sender line, not from trying to send emails from similar domains.
Some readers will be wondering why this is necessary, given that tech-savvy people can usually check to see whom an email is actually from to uncover the spoofing. But this is for everyone else on the web, who may not know exactly how to protect themselves. With this standard, which the working group intends to submit to the IETF, tech companies are trying to plug some of the security holes in the web.
The web wasn’t a planned system but an amalgamation of technologies that has ended up growing into a network connecting billions of people and things. Efforts such as DMARC join others, including the new IPv6 addressing effort or more-efficient routing systems, to improve an existing ecosystem without costing players too much or shutting things down.
The underpinnings of the DMARC standard are two common email security best practices that are already implemented at about half of the domains on the web and in about 80 percent of legit email. As for consumers, most will have protection on their webmail accounts such as Gmail or Hotmail. The biggest hole for the time being will likely be at midsize companies that still run their own email servers and that will have to wait for their email software provider to support the DMARC standard before they can implement it.
The following additional companies are participating in the effort so far, but others can join now that it is launched: AOL, Bank of America, Fidelity Investments, American Greetings, LinkedIn, Agari, Cloudmark, eCert, Return Path and the Trusted Domain Project.