DMARC: The Latest Weapon in the Fight against Phishing
By Ken Magill
A group of some of the most well-known brands doing business on the Internet unveiled a plan yesterday that is possibly the most significant development in the battle against phishing in years.
Dubbed Domain-based Message Authentication, Reporting and Conformance, or DMARC (dee-mark), the scheme is an extension of email authentication, where senders publish certain information, such as what IP addresses are authorized to send messages on their brand’s behalf, so the ISPs can more readily identify email coming from those brands.
However, though authentication helps identify authorized senders, ISPs have apparently struggled with what to do with unauthenticated messages. The reason: Just because they’re not authenticated doesn’t necessarily mean they’re fraudulent.
For one thing, email authentication has not reached 100 percent adoption. Moreover, many emailers who have implemented email authentication have reportedly not authenticated all of their outbound messaging.
For example, a company’s marketing messages might be authenticated while its customer service or transactional messages are not.
And in instances where companies have authenticated all of their email, there is still the difficulty of informing all the various ISPs that the authentication process for a particular brand is complete.
Most companies don’t have the relationships with ISP abuse desk employees that would be necessary for them to communicate that any unauthenticated email purporting to come from their brand is probably phony.
DMARC allows email senders to automatically tell email inbox providers when all of their servers are authenticated.
As a result, when unauthenticated email arrives at an ISP purporting to be from a company that has published a DMARC record, the ISPs can more readily identify it as phony and take appropriate action.
The DMARC specification also allows the sender to instruct the ISPs what they would like done with phony messages pretending to be from their brand, such as quarantine or block them.
“The gap that has always existed between authentication and having ISPs enforce policy has always been that the ISPs didn’t necessarily know whether a big-brand dot-com was authenticating all of their email,” said Sam Masiello, general manager, anti-phishing services for email deliverability and security firm Return Path, one of the companies involved in drafting DMARC.
“They may see some authenticated email coming in,” he added. “But what they don’t know is whether all of the email from big-brand dot-com is authenticated. DMARC allows us to close the loop between the brand and the ISPs.”
He added: “Now the big-brand dot-com can say: ‘I know I’m authenticating all of my email and I want the ISPs to enforce a specific policy on email that is not authenticated.’”
The DMARC specification also allows senders to have unauthenticated email purporting to come from them forwarded back to them.
“The brand gets visibility into what’s authenticating and what’s not,” said Masiello. “As a result, the brand can see if the email that is not authenticating properly is an actual phishing attack or possibly a third-party vendor they’re working with that is not [authenticating] properly.”
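To make the policy and reporting mechanism described above concrete, here is an added example (not code from the article, Return Path or the DMARC group): it parses a DMARC DNS TXT record and computes the disposition a receiver would apply to a message, given the SPF and DKIM results it already holds, plus the address the record names for aggregate reports. The record, domain names and authentication results are constructed sample values, and the organizational-domain logic is deliberately simplified.

```python
# Added example: evaluate a DMARC policy against a message's SPF/DKIM results.
# All domains and the record below are constructed sample values.

def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict and fill in DMARC defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("adkim", "r")      # relaxed alignment unless told otherwise
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplified: last two labels. Real receivers consult the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') requires an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record: str, record_domain: str, from_domain: str,
                      spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> dict:
    """Return the action ('none', 'quarantine', 'reject') and the aggregate-report address."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        action = "none"  # at least one aligned pass: deliver normally
    else:
        # Simplification: the record was found at record_domain; anything else is a subdomain.
        is_subdomain = from_domain.lower() != record_domain.lower()
        action = tags["sp"] if is_subdomain else tags["p"]
    return {"disposition": action, "report_to": tags.get("rua")}


# Constructed sample: reject for the main domain, quarantine for subdomains, reports to the brand.
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example-brand.test"
```

The second case in the test below is the situation Masiello describes: a third-party vendor sending with its own SPF domain but DKIM-signing with the brand's domain still passes, while a message that authenticates only as an unrelated domain is rejected.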
Besides Return Path, organizations involved in developing the DMARC specification include leading email providers AOL, Gmail, Hotmail and Yahoo! Mail, some of the most highly phished brands including Bank of America, Fidelity Investments, PayPal, American Greetings, Facebook and LinkedIn, and email security concerns Agari, Cloudmark and Trusted Domain Project.