New DMARC email authentication aims to stop phishing

Geoff Duncan

January 30, 2012 at 5:17 PM

Email spam has been a problem for even longer than commercial activity has been permitted on the Internet, and thanks to botnet operators, scammers, and outright cybercriminals spam has ballooned to account for the vast majority of all email. Although antispam technologies and filters have improved considerable over the years—and there have been some notable victories, like the takedown of the Rustock botnet last year—email operators and end users are always playing catch-up to the spammers, who always seem to find new ways to get a few messages into people’s inboxes.

A new email authentication framework backed by the likes of Microsoft, Google, AOL, Yahoo, and Facebook looks to put an end to that—or, at least, some of that. The new Domain-based Message Authentication, Reporting & Conformance (DMARC) specification aims to make it easier to verify whether email messages are legitimate. The DMARC spec has been in the works for over 18 months, and now the DMARC organization has taken the wraps off it in preparation for proposing it to the IETF as an Internet standard. Members of the DMARC group include major email providers like Yahoo, Google, and Microsoft, security companies like eCert, Agari, and Cloudmark, as well as member of the financial community like PayPal, Bank of America, and Fidelity Investments.

As most Internet users know, there’s nothing secure about plain-jane email: anyone can put any address they like into the “from” line of a message to make it appear to be from someone else. Spammers and particular phishers abuse this lack of security, crafting messages that appear to be legitimate in an effort to get users to click a link (which, more than likely leads to a malware or scareware site) or to divulge personal information like passwords, birth dates, and account numbers, which in turn will be used in forms of identity theft.

The DMARC spec builds on previous authentication mechanisms like Sender ID, SPF, and DKIM and aims to provide an easily-to-implement standard that augments SPF and DKIM. Both SPF and DKIM aim to validate whether mail from a particular domain (not a particular user) is legitimate: i.e., if a machine in the domain example.com wants to deliver a message that claims to be from yahoo.com, either SPF or DKIM could be used to determine whether Yahoo lets example.com deliver mail on its behalf. If so, great, the message will be accepted. If not, the receiving server has to make a decision about whether it wants to treat the message as legitimate.

Without a standard, major email senders and providers have had to work out individual arrangements with each other to verify messages, report problems, and attempt to block fraudulent mail before it reaches users—often with the result that legitimate (but unauthenticated) mail gets rejected. DMARC aims to improve that, creating a standard that embraces both SPF and DKIM and creates a standard feedback mechanism so site operators can more easily identify problems with email delivery or reception.

Embracing both SPF and DKIM means email operators can embrace whichever standard makes the most sense for them. SPF is the easiest to implement, and works by publishing email sender polices as part of a site’s DNS information: that’s manageable for simple setups but doesn’t always scale well for complex operators. DKIM, conversely, relies on cryptographic verification—it’s harder to set up, but easier to scale for truly massive email operators.

The proposed DMARC standard is explicitly aimed at phishing and making it much harder for scammers to get legitimate-looking email into inboxes in an effort to get people to reveal information or click links to malicious sites—and that’s one reason the financial community is interested in the technology. However, the DMARC standard doesn’t do anything to make the “from” line in messages any more authentic: even if DMARC gets accepted as a standard, everyone will still have open season on “from” lines—so always take them with a grain of salt.

This article was originally posted on Digital Trends

News

Life

Entertainment

Finance

Sports

New on Yahoo

New DMARC email authentication aims to stop phishing

Recommended Stories

Jamie Dimon is worried the US economy is headed back to the 1970s

Based on the odds, here's what the top 10 picks of the NFL Draft will be

WNBA Draft winners and losers: As you may have guessed, the Fever did pretty well. The Liberty? Perhaps not

Everyone's still talking about the 'SNL' Beavis and Butt-Head sketch. Cast members and experts explain why it's an instant classic.

Report: Jets trading QB Zach Wilson to Broncos

NFL mock draft 2024: With one major trade-up, it's a QB party in the top 5

Dave McCarty, player on 2004 Red Sox championship team, dies 1 week after team's reunion

Chiefs make Andy Reid NFL's highest-paid coach, sign president Mark Donovan, GM Brett Veach to extensions

Yankees' Nestor Cortés told by MLB his pump-fake pitch is illegal

Here’s when people think old age begins — and why experts think it’s starting later

Ryan Garcia drops Devin Haney 3 times en route to stunning upset

Arch Manning dominates in the Texas spring game, and Jaden Rashada enters the transfer portal

The new Ford Mustang's V8 is available as a crate engine

Lions' new uniforms get leaked early, and they find some humor in it

Yankees manager Aaron Boone ejected after fan mouths off to home plate umpire

Robert Kraft reportedly warned Falcons owner Arthur Blank not to trust Bill Belichick during head coach interviews

Pass or Fail: Broncos release 'Mile High Collection,' first new uniforms in over 25 years

Arch Manning puts on a show in Texas' spring game, throwing for 3 touchdowns

NBA Playoffs: Lillard sinks the Pacers, Celtics-Heat controversy, plus injury concerns for Kawhi & Embiid

Tom Brady will be mercilessly mocked in Netflix's 'Greatest Roast of All Time' comedy special