Email used to be a useful utility but it has been rendered nearly useless by the massive growth of spam, phishing and other deceptive techniques.  Fifteen large tech and financial firms are hoping to change that.

Google, Yahoo, PayPal and AOL are among the firms behind DMARC.org, a technical working group that has been developing standards for reducing the threat of deceptive emails.

"Email phishing defrauds millions of people and companies every year, resulting in a loss of consumer confidence in email and the Internet as a whole," said Brett McDowell, Chair of DMARC.org and Senior Manager of Customer Security Initiatives at PayPal. "Industry cooperation -- combined with technology and consumer education -- is crucial to fight phishing."

DMARC.org's founders say the group draws on a history of private-industry collaboration and 18 months of dedicated work to outline an enhanced vision for email authentication that can scale up to today's Internet needs. The group's work includes a draft specification that helps create a feedback loop between legitimate email senders and receivers, making impersonation more difficult for phishers trying to send fraudulent email.

Authentication lacking

The DMARC specification addresses concerns that have traditionally hindered widespread deployment of an authenticated, trusted email ecosystem. Today, email receivers lack a reliable way to know the extent to which an email sender uses standards like SPF and DKIM for authenticating their messages.

As a result, providers must rely on complex and imperfect measurements to separate legitimate unauthenticated messages sent by the domain owner from fraudulent phishing messages sent by a scammer.

By introducing a standards-based framework, DMARC has defined a more comprehensive and integrated way for email senders to introduce email authentication technologies into their infrastructure.

For example, a sender could set a policy that asks a provider to discard unauthenticated email in order to block phishing attacks. The specification also creates a mechanism for email providers to send detailed reports back to email senders to help catch any gaps in the authentication system. This feedback loop raises the trust level within the email ecosystem and makes it easier to detect and stop phishing attempts.
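A sketch of the policy-and-report loop described above, added here as an illustration and not taken from DMARC.org or its draft: a receiver parses the sender's published policy, decides what to do with each message, and tallies the results it would report back. The tag names (v, p, rua) follow the DMARC specification as later published in RFC 7489; the record, domains and addresses are constructed, and alignment is simplified to an exact domain match.

```python
from collections import Counter

# Constructed sample policy, as a sender would publish it in DNS at _dmarc.example.com.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first; this sketch also requires a valid p tag.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def dmarc_disposition(record, from_domain, spf_domain=None, dkim_domain=None):
    """Return (disposition, report_uris) for one message.

    spf_domain / dkim_domain are the domains that PASSED SPF or DKIM (None if
    the check failed). Assumption: strict alignment only, i.e. the passing
    domain must equal the From: domain exactly.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return ("no-policy", [])
    report_uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    passing = {d.lower() for d in (spf_domain, dkim_domain) if d}
    if from_domain.lower() in passing:
        return ("pass", report_uris)
    # Unauthenticated or unaligned mail gets whatever the sender asked for.
    return (tags["p"], report_uris)

def aggregate(record, messages):
    """Count (source_ip, disposition) pairs: the raw material of a feedback report."""
    return Counter(
        (m["ip"], dmarc_disposition(record, m["from"], m.get("spf"), m.get("dkim"))[0])
        for m in messages
    )

# Constructed traffic: two genuine messages and one impersonation attempt.
MESSAGES = [
    {"ip": "192.0.2.10", "from": "example.com", "dkim": "example.com"},
    {"ip": "192.0.2.10", "from": "example.com", "spf": "example.com"},
    {"ip": "203.0.113.5", "from": "example.com", "spf": "mailer.invalid"},
]
```

The per-source counts from `aggregate` are what let a domain owner spot a legitimate mail stream that is not yet authenticating before it moves its policy to `reject`.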

"[The working group] has been committed to defining and improving email authentication standards and practices to meet the financial services industry's needs. DMARC's evolutionary approach is critical in assuring these needs are met for years to come," said Paul Smocer, President of BITS, the technology policy division of The Financial Services Roundtable.

DMARC.org (Domain-based Message Authentication, Reporting and Conformance) is an unincorporated working group made up of many of the world's leading email providers (AOL, Gmail, Hotmail, Yahoo! Mail), financial institutions and service providers (Bank of America, Fidelity Investments, PayPal), social media properties (American Greetings, Facebook, LinkedIn) and email security solutions providers (Agari, Cloudmark, eCert, Return Path, Trusted Domain Project). The group is dedicated to developing Internet standards to reduce the threat of email phishing and to improve coordination between email providers and mail sender domain owners.

 

