Google, Facebook, Bank Of America Behind New Email Security Standard

New specification for preventing phishing and email domain abuse likely to help email security, but will enterprises adopt it?

Google, Microsoft, Facebook, the Bank of America, and PayPal are among a group of 15 companies that have banded together to help fill a major security gap in email, today releasing a specification for curbing phishing and other abuses of legitimate email domains.

The new Domain-based Message Authentication, Reporting and Conformance (DMARC) is a framework for protecting email at the domain level so fraudsters can't spoof a legitimate email sender's account or domain for phishing or other nefarious purposes.

Some of the most devastating data breaches have begun with an eerily convincing spoofed email address used to fool an unwitting employee into opening a document or following a link. But members of the DMARC working group say their goal is to create Internet standards that provide better coordination and cooperation between email providers and the owners of an email domain.

Patrick Peterson, a founding member of the DMARC organization as well as CEO of email security vendor Agari, says the public launch of the specification is "one of the most important days" in email security. "The insecure email channel is a criminal's best friend," Peterson says. "The state of [email] security in the last 10 years has been pretty damn crappy."

Agari and email security providers Cloudmark, eCert, Return Path, and the Trusted Domain Project are working with email service providers AOL, Google's Gmail, Microsoft Hotmail, and Yahoo! Mail, and Bank of America, Fidelity Investments, PayPal, American Greetings, Facebook, and LinkedIn in the working group. The group says its domain-level email approach is a first for setting up "defensible" email channels between senders and end users.

Google Gmail, Facebook, LinkedIn, and PayPal all are currently using DMARC to protect their email domains from being spoofed to target unsuspecting users and organizations. Google says about 15 percent of non-spam messages in Gmail are from DMARC-protected domains.

"We’ve been active in the leadership of the DMARC group for almost two years, and now that Gmail and several other large mail senders and providers — namely Facebook, LinkedIn, and PayPal — are actively using the DMARC specification, the road is paved for more members of the email ecosystem to start getting a handle on phishing," said Adam Dawes, product manager at Google, in a blog post yesterday.

But it's unclear whether enterprises will clamor for it, says Chester Wisniewski, a senior security adviser for Sophos. "The real issue is that most IT email managers will not want to bother with configuring all of their systems to comply with YAP -- Yet Another Proposal -- when they haven't even begun using SPF or DKIM on a large scale," Wisniewski says.

[More than 60 percent of users don't know how their Gmail, Yahoo, Hotmail, and Facebook accounts were hacked. See Users Whose Accounts Get Hacked Find Out From Their Friends.]

DMARC basically picks up where existing email authentication standards leave off. It provides a standard for how email receivers apply two existing authentication mechanisms: Sender Policy Framework (SPF), which validates email by verifying the sender's IP address against the hosts that the domain's email administrators have specified as allowed to send mail for their domain, and DomainKeys Identified Mail (DKIM), which uses cryptographic authentication to tie a message to the sending organization so that the organization's reputation can be used to establish trust in the message.

But SPF and DKIM fell a bit short when it came to visibility of email domain abuse. "Today there are great technologies like SPF and DKIM. We can publish a record with SPF and sign it with DKIM ... then send it out to the ether. People have to pray to the email gods and hope the postmaster will know if something was broken," Agari's Peterson says. "There was no way to get global visibility on how a domain name was being misused."

That's what DMARC does, as well as letting the domain owner control who can use the domain. "DMARC lets us register mail, authenticate it," and confirm that it's not spoofed, he says. "It used to be up to someone else to figure out spoofing."

An email domain owner can, for instance, publish a policy instructing receiving email providers to block unauthenticated messages, and those providers can send the domain owner reports showing where its authentication is working and where it is failing.
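As an added illustration of the reporting half of that arrangement (this is example code written for this article, not code from Dark Reading, Agari or the DMARC working group), the following Python parses a DMARC aggregate report in the XML format that receivers send to the domain owner's reporting address and tallies, per sending IP address, how many messages passed or failed authentication. The report, its IP addresses and its domain names are constructed placeholders.

```python
"""Summarize a DMARC aggregate report for a domain owner.

Added example for this article; not code from Dark Reading, Agari or the
DMARC working group. SAMPLE_REPORT is a constructed sample in the DMARC
aggregate-report XML layout; every IP, domain and ID in it is a placeholder.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: a receiver reports three rows of traffic claiming
# to be From: example.com during one day.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mail-receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1328054400</begin><end>1328140800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return (published policy, per-source totals) for one aggregate report.

    Totals are {source_ip: {"pass": n, "fail": n}}. A row counts as "pass"
    when the receiver's policy_evaluated block shows either DKIM or SPF
    passing, which is the DMARC rule: one aligned pass is enough.
    """
    root = ET.fromstring(xml_text)
    policy = {
        "domain": root.findtext("policy_published/domain"),
        "p": root.findtext("policy_published/p"),
        "pct": int(root.findtext("policy_published/pct") or "100"),
    }
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        outcome = "pass" if "pass" in (dkim, spf) else "fail"
        totals[ip][outcome] += count
    return policy, dict(totals)


def unauthenticated_sources(xml_text):
    """Source IPs whose traffic never authenticated.

    These are the rows a domain owner investigates before tightening the
    policy: either a legitimate sender that was never set up for SPF/DKIM,
    or someone else using the domain.
    """
    _, totals = summarize_report(xml_text)
    return sorted(ip for ip, t in totals.items()
                  if t["pass"] == 0 and t["fail"] > 0)


if __name__ == "__main__":
    policy, totals = summarize_report(SAMPLE_REPORT)
    print("published policy:", policy)
    for ip, t in sorted(totals.items()):
        print(f"{ip}: {t['pass']} passed, {t['fail']} failed")
    print("never authenticated:", unauthenticated_sources(SAMPLE_REPORT))
```

Run against a real report, the "never authenticated" list is what tells a domain owner whether it is safe to move from a monitoring policy to quarantine or reject: a legitimate mail system showing up there needs SPF or DKIM fixed first, while an unknown source is the visibility into domain abuse that Peterson says SPF and DKIM alone never gave.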

Google's Dawes says DMARC will ensure that email senders consistently get their messages authenticated on AOL, Gmail, Hotmail, Yahoo!, and any other email receivers that deploy DMARC. "We hope this will encourage senders to more broadly authenticate their outbound email, which can make email a more reliable way to communicate," he says.

Email security vendors likely will offer "push-button," cloud-based DMARC services for enterprises, says Agari's Peterson. And those who are already customers of the DMARC founders, such as Agari, already are getting DMARC authentication, he says.

So what happens if DMARC starts making a big dent on phishing attacks? "The bad guys will realize they can't impersonate certain brands any longer," Peterson says. "They will focus on finding unprotected brands."

Phishers also may opt to use domains similar to ones that use DMARC. "If I want to phish someone for their PayPal credentials, I might just forge it to be from paypalsecurity.com or some other similar domain that is not signed or owned by the company I am posing as," Sophos' Wisniewski says.
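To make concrete both how a receiver applies a published DMARC policy (the SPF and DKIM checks described earlier in the article) and why a lookalike domain of the kind Wisniewski describes falls outside it, here is an added Python example; it is not code from the article, from Dark Reading or from the DMARC working group. It stands in for DNS with a small in-memory table of `_dmarc` TXT records (constructed placeholders); a real receiver looks those records up in DNS and uses the Public Suffix List to find the organizational domain, which is simplified here to the last two labels.

```python
"""Receiver-side DMARC evaluation of a single message.

Added example for this article; not the DMARC working group's code.
DNS_TXT is a constructed stand-in for the _dmarc.<domain> TXT records a
receiver would fetch from DNS. All domains are placeholders.
"""

# Constructed DNS table. Note there is deliberately no record for the
# lookalike "example-security.com": nobody published one.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.news.example.com": "v=DMARC1; p=quarantine",
    "_dmarc.example.org": "v=DMARC1; p=reject; sp=none",
}


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=...' tag=value pairs; None if not a usable record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain):
    """Simplified: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Is the domain that passed SPF/DKIM aligned with the visible From: domain?"""
    if not auth_domain:
        return False
    if mode == "s":   # strict: exact match
        return header_from.lower() == auth_domain.lower()
    return organizational_domain(header_from) == organizational_domain(auth_domain)


def lookup_policy(header_from):
    """Find the record for the From: domain, else its organizational domain."""
    header_from = header_from.lower()
    for candidate in (header_from, organizational_domain(header_from)):
        rec = parse_dmarc_record(DNS_TXT.get("_dmarc." + candidate, ""))
        if rec:
            if candidate != header_from and "sp" in rec:
                rec = dict(rec, p=rec["sp"])   # subdomain policy applies
            return rec
    return None


def evaluate(header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope (MAIL FROM) domain that SPF checked;
    dkim_domain is the d= domain of a DKIM signature that verified.
    pct sampling is ignored here; a real receiver applies the policy to
    only that percentage of failing mail.
    """
    policy = lookup_policy(header_from)
    if policy is None:
        # Not a DMARC-protected domain: the receiver learns nothing from
        # DMARC and has no policy to enforce.
        return "none", "none"
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]


if __name__ == "__main__":
    # Legitimate bulk mailer: SPF passes on a relaxed-aligned subdomain.
    print(evaluate("example.com", "pass", "bounce.example.com", "fail", None))
    # Spoof of the brand domain: nothing aligns, policy says reject.
    print(evaluate("example.com", "fail", "attacker.example", "fail", None))
    # Lookalike domain with no DMARC record at all: no policy to enforce.
    print(evaluate("example-security.com", "pass", "example-security.com", "fail", None))
```

The last case is the gap Wisniewski points to: the lookalike's own SPF can pass perfectly well, and because the brand's record is bound to its own domain name, DMARC gives the receiver no policy for the lookalike and returns "none". DMARC's protection stops at the boundary of the domains an owner actually publishes records for, so a brand still has to watch for domains it does not control.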

The DMARC working group plans to deliver its specification to the Internet Engineering Task Force (IETF) for its blessing as a standard for the Internet community.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

2/14/2012 | 4:34:14 AM
re: Google, Facebook, Bank Of America Behind New Email Security Standard
The new standard aims to protect email at the domain level so criminals can't "spoof" a legitimate email account or domain name for phishing
2/1/2012 | 12:24:20 PM
re: Google, Facebook, Bank Of America Behind New Email Security Standard
authentication is not, nor ever will be, something that someone does for you: that leaves a means by which a scamster can manipulate the mechanism.

manipulate the mechanism

that is how the scamster always works: he will evaluate: how does this mechanism work?

Phil Zimmermann's essay on PGP should always remain required reading for those who wish to work with digital signatures and authentication.

for one thing: you cannot begin any discussion of security or authentication until after you have verified your endpoint is free of malware. - the process has to start with software inventory audit and maintenance locking. these are necessary to provide a Commercial Certification for an endpoint.

after that's done we can start discussing authentication.

-and remember: authenticating the corporation is just as important as authenticating the customer.- many corporate thinkers only focus on "the other end" of the link and don't check themselves first.