Imagine a world where companies, governments, and individuals could send an email to anyone, and both the sender and receiver had a reasonable expectation that the communication therein was authentic. How would such lunacy change the dynamics of online messaging, end-user protection, and anti-fraud?
It's no secret that email as a global communications medium has become so polluted and mistrusted that companies and individuals are moving to other channels such as social media and mobile to regain the ability to have a "trusted" conversation. A recent study by the professional services company Towers Watson shows that 56% of employers are using social media as part of their overall internal communication strategy. This is creating a whole new set of risks and privacy concerns.
But contrary to popular opinion in some quarters, email is not dead. Email is the unsung hero of the global economy, the rusty workhorse that will likely be around forever. Facebook, Snapchat, WhatsApp, and the other ostensible email replacements are inadequate for personal B2C communication and sensitive P2P messaging, let alone robust B2B communication. Email is worth saving and protecting.
Email authentication and encryption are not new. TLS encrypts the transport between mail servers, one hop at a time, but says nothing about who actually wrote the message. PGP and S/MIME go further and provide end-to-end encryption and signing. The most persistent problem with these one-to-one schemes is that non-technical users have to set them up and keep them working. Try explaining X.509 certificate expiration or revocation to the average email user. These systems have never really taken off, and many researchers are predicting the emergence of more user-friendly systems.
What if an Internet-scale, federated policy, authentication, and enforcement framework for trusted email delivery were available? What if the bones of this system were already deployed and supported by the biggest email receivers on the planet?
Enter a framework called DMARC
Domain-based Message Authentication, Reporting & Conformance (DMARC) is an emerging email delivery standard that has shown so much progress and potential that the largest mailbox providers in the world already support it, even before it has an RFC number from the IETF. DMARC builds on two existing standards: DKIM, which lets a sending domain cryptographically sign its outbound mail, and SPF, which lets a domain publish in DNS the servers authorized to send mail on its behalf.
DMARC lets a domain owner tell every participating receiver how to authenticate mail that claims to come from that domain and what to do with mail that fails. All of this is invisible to the humans on either end. The owner publishes a policy as a DNS TXT record at _dmarc.<domain>. A receiver evaluates SPF and DKIM as usual, then checks alignment: the message passes DMARC only if at least one of those checks passed and the domain it validated (the SPF MAIL FROM domain or the DKIM d= domain) matches the domain in the visible From header. If neither aligned check passes, the receiver does not ask the sender anything; it simply applies the published policy, which directs it to do nothing (p=none, monitoring only), to quarantine the message (p=quarantine, typically the spam folder), or to reject it outright (p=reject).
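The following is an added example, not code from the original article or from any DMARC implementation: it parses a DMARC TXT record and applies it to a message's SPF and DKIM results, including the alignment check and the fallback to the organizational domain for subdomains. The DNS data is a constructed in-memory table standing in for real TXT lookups at _dmarc.<domain>, the domains are hypothetical, and the organizational-domain logic is simplified to the last two labels (real receivers consult the Public Suffix List). The pct tag is parsed but not applied, so results are deterministic.

```python
from dataclasses import dataclass

# Constructed stand-in for DNS TXT lookups at _dmarc.<domain> (hypothetical domains).
FAKE_DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                          "rua=mailto:dmarc-rua@example.com",
    "_dmarc.partner.example": "v=DMARC1; p=none; rua=mailto:reports@partner.example",
}


def parse_dmarc_record(txt):
    """Parse 'tag=value; tag=value' into a dict, or return None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    # Defaults from the spec: relaxed alignment, sp inherits p, pct=100 (pct not applied here).
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption; real code uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s'): exact match with the From domain. Relaxed ('r'): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_policy(from_domain):
    """Return (policy, is_subdomain): try _dmarc.<from_domain>, then the organizational domain."""
    txt = FAKE_DNS_TXT.get(f"_dmarc.{from_domain.lower()}")
    if txt:
        return parse_dmarc_record(txt), False
    od = org_domain(from_domain)
    if od != from_domain.lower():
        txt = FAKE_DNS_TXT.get(f"_dmarc.{od}")
        if txt:
            return parse_dmarc_record(txt), True
    return None, False


@dataclass
class AuthResults:
    from_domain: str   # domain of the visible RFC5322.From header
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain that SPF evaluated
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= of the verified DKIM signature, "" if none


def evaluate_dmarc(r):
    """Return (dmarc_result, disposition) where disposition is 'none', 'quarantine' or 'reject'."""
    policy, is_sub = lookup_policy(r.from_domain)
    if policy is None:
        return "none", "none"   # no policy published: receiver proceeds as it did before DMARC
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, policy["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"   # one aligned authenticated identifier is enough
    # Failure: subdomain policy (sp=) applies when the record came from the org domain.
    return "fail", (policy["sp"] if is_sub else policy["p"])


if __name__ == "__main__":
    # Constructed messages: a legitimate bounce-domain sender and a forged From header.
    legit = AuthResults("example.com", "pass", "bounce.example.com", "none", "")
    forged = AuthResults("example.com", "pass", "attacker.invalid", "none", "")
    print("legit :", evaluate_dmarc(legit))
    print("forged:", evaluate_dmarc(forged))
```

The forged message is the interesting case: SPF passes, because the attacker's own server is authorized for attacker.invalid, but that domain is not aligned with the From domain, so DMARC fails and the published p=reject applies. Swap adkim=s for a relaxed policy and a DKIM signature from mail.example.com would start passing; that knob is what lets an owner decide whether subdomain signatures count.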
Too good to be true?
Just like any other sure thing, there are caveats. Deploying DMARC is easy for an organization with a handful of domains and a handful of authorized email servers. It gets harder as those numbers grow and third-party senders, consulting agencies, and others start sending on the domain's behalf: every one of them must pass SPF or DKIM with an aligned domain, or its mail will be quarantined or rejected along with the forgeries. This is what the monitoring policy (p=none) and the aggregate reports (rua=) are for: publish a monitoring record first, find every legitimate sender the reports surface, and only then tighten the policy. Additionally, even though the top email receivers support DMARC, many others still do not. A few huge receivers (Google, Yahoo, Hotmail, etc.) that together serve more than 3 billion mailboxes support it, but there are millions of other servers on a very long tail, and a published policy has no effect on a receiver that never looks it up.
</gre_replace>
<gr_replace lines="11" cat="clarify" orig="When/if">
Even when fully deployed, DMARC lets domain holders protect their own domains, and only their own domains: it authenticates the domain in the From header, not the display name, and it says nothing about domains the holder does not control. Direct spoofing of legitimate domains should drop dramatically. In its place, attackers will likely move away from exact brand impersonation toward other social-engineering techniques, such as registering lookalike domains (bankofamericapromotions.com, for example) or putting the brand in the display name. The good news is that these kinds of registrations are far easier to detect and take down than a forged From header.
When/if fully deployed, DMARC allows for domain holders to protect their domains but not others. This will likely drive email spoofing of legitimate domains down dramatically. In its place, hackers will likely move further away from direct brand impersonation to other social engineering techniques, such as registering new domains (such as bankofamericapromotions.com). The good news is that these kinds of registrations are far easier to detect and stop.
While there is no doubt that attackers will evolve and come up with new social-engineering schemes and methods to keep phishing attacks going, DMARC has remarkable promise. If and when it is fully standardized and deployed globally, it can fix a fundamental flaw in a technology that has underpinned the Internet from the very beginning: SMTP never verified that the sender named in a message's From header had anything to do with the server that delivered it.
Opportunities like this do not come along very often, and it is up to the security community at large to rally behind its adoption. Information security, online trust, and anti-fraud are all adversarial pursuits and, like American football, a game of inches. Any chance we get to complicate the efforts of our adversaries while simplifying ours -- making theirs more expensive and more time-consuming -- is a small victory in a long game.