Google, Microsoft, Facebook, the Bank of America, and PayPal are among a group of 15 companies that have banded together to help fill a major security gap in email, today releasing a specification for curbing phishing and other abuses of legitimate email domains.

The new Domain-based Message Authentication, Reporting and Conformance (DMARC) is a framework for protecting email at the domain level so fraudsters can't spoof a legitimate email sender's account or domain for phishing or other nefarious purposes.

Some of the most devastating data breaches have begun with an eerily convincing spoofed email address used to fool an unwitting employee into opening a document or following a link. But members of the DMARC working group say their goal is to create Internet standards that provide better coordination and cooperation between email providers and the owners of an email domain.

Patrick Peterson, a founding member of the DMARC organization as well as CEO of email security vendor Agari, says the public launch of the specification is "one of the most important days" in email security. "The insecure email channel is a criminal's best friend," Peterson says. "The state of [email] security in the last 10 years has been pretty damn crappy."

Agari and email security providers Cloudmark, eCert, Return Path, and the Trusted Domain Project are working with email service providers AOL, Google's Gmail, Microsoft Hotmail, and Yahoo! Mail, and Bank of America, Fidelity Investments, PayPal, American Greetings, Facebook, and LinkedIn in the working group. The group says its domain-level email approach is a first for setting up "defensible" email channels between senders and end users.

Google Gmail, Facebook, LinkedIn, and PayPal all are currently using DMARC to protect their email domains from being spoofed and ultimately targeting unsuspecting users and organizations. Google says about 15 percent of non-spam messages in Gmail are from DMARC-protected domains.

"We’ve been active in the leadership of the DMARC group for almost two years, and now that Gmail and several other large mail senders and providers — namely Facebook, LinkedIn, and PayPal — are actively using the DMARC specification, the road is paved for more members of the email ecosystem to start getting a handle on phishing," said Adam Dawes, product manager at Google, in a blog post yesterday.

But it's unclear whether enterprises will clamor for it, says Chester Wisniewski, a senior security adviser for Sophos. "The real issue is that most IT email managers will not want to bother with configuring all of their systems to comply with YAP -- Yet Another Proposal -- when they haven’t even began using SPF or DKIM on a large scale," Wisniewski says.

[More than 60 percent of users don't know how their Gmail, Yahoo, Hotmail, and Facebook accounts were hacked. See Users Whose Accounts Get Hacked Find Out From Their Friends.]

DMARC basically picks up where existing email authentication standards leave off. It provides a standard for how email receivers deploy the email authentication standard Sender Policy Framework (SPF), which validates email by verifying the sender's IP address. Email administrators basically specify which hosts can send email from their domains, and DomainKeys Identified Mail (DKIM), which uses reputation of an organization to verify trust for a message, using cryptographic authentication.

But SPF and DKIM fell a bit short when it came to visibility of email domain abuse. "Today there are great technologies like SPF and DKIM. We can publish a record with SPF and sign it with DKIM ... then send it out to the ether. People have to pray to the email gods and hope the postmaster will know if something was broken," Agari's Peterson says. "There was no way to get global visibility on how a domain name was being misused."

That's what DMARC does, as well as let the domain owner control who can use the domain. "DMARC lets us register mail, authenticate it," and confirm that it's not spoofed, he says. "It used to be up to someone else to figure out spoofing."

An email domain owner can set policies for its email provider to block unauthenticated emails, and the email provider can send domain owners reports that illustrate how its authentication process is working or not working, for instance.

Google's Dawes says DMARC will ensure that email senders consistently get their messages authenticated on AOL, Gmail, Hotmail, Yahoo!, and any other email receivers that deploy DMARC. "We hope this will encourage senders to more broadly authenticate their outbound email, which can make email a more reliable way to communicate," he says.

Email security vendors likely will offer "push-button," cloud-based DMARC services for enterprises, says Agari's Peterson. And those who are already customers of the DMARC founders, such as Agari, already are getting DMARC authentication, he says.

So what happens if DMARC starts making a big dent on phishing attacks? "The bad guys will realize they can't impersonate certain brands any longer," Peterson says. "They will focus on finding unprotected brands."

Phishers also may opt to use domains similar to ones that use DMARC. "If I want to phish someone for their Paypal credentials, I might just forge it to be from paypalsecurity.com or some other similar domain that is not signed or owned by the company I am posing as," Sophos' Wisniewski says.

The DMARC working group plans to deliver its specification to the Internet Engineering Task Force (IETF) for its blessing as a standard for the Internet community.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.