Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:19 PM
Connect Directly

Google, Facebook, Bank Of America Behind New Email Security Standard

New specification for preventing phishing and email domain abuse likely to help email security, but will enterprises adopt it?

Google, Microsoft, Facebook, the Bank of America, and PayPal are among a group of 15 companies that have banded together to help fill a major security gap in email, today releasing a specification for curbing phishing and other abuses of legitimate email domains.

The new Domain-based Message Authentication, Reporting and Conformance (DMARC) is a framework for protecting email at the domain level so fraudsters can't spoof a legitimate email sender's account or domain for phishing or other nefarious purposes.

Some of the most devastating data breaches have begun with an eerily convincing spoofed email address used to fool an unwitting employee into opening a document or following a link. But members of the DMARC working group say their goal is to create Internet standards that provide better coordination and cooperation between email providers and the owners of an email domain.

Patrick Peterson, a founding member of the DMARC organization as well as CEO of email security vendor Agari, says the public launch of the specification is "one of the most important days" in email security. "The insecure email channel is a criminal's best friend," Peterson says. "The state of [email] security in the last 10 years has been pretty damn crappy."

Agari and email security providers Cloudmark, eCert, Return Path, and the Trusted Domain Project are working with email service providers AOL, Google's Gmail, Microsoft Hotmail, and Yahoo! Mail, and Bank of America, Fidelity Investments, PayPal, American Greetings, Facebook, and LinkedIn in the working group. The group says its domain-level email approach is a first for setting up "defensible" email channels between senders and end users.

Google Gmail, Facebook, LinkedIn, and PayPal all are currently using DMARC to protect their email domains from being spoofed and ultimately targeting unsuspecting users and organizations. Google says about 15 percent of non-spam messages in Gmail are from DMARC-protected domains.

"We’ve been active in the leadership of the DMARC group for almost two years, and now that Gmail and several other large mail senders and providers — namely Facebook, LinkedIn, and PayPal — are actively using the DMARC specification, the road is paved for more members of the email ecosystem to start getting a handle on phishing," said Adam Dawes, product manager at Google, in a blog post yesterday.

But it's unclear whether enterprises will clamor for it, says Chester Wisniewski, a senior security adviser for Sophos. "The real issue is that most IT email managers will not want to bother with configuring all of their systems to comply with YAP -- Yet Another Proposal -- when they haven’t even began using SPF or DKIM on a large scale," Wisniewski says.

[More than 60 percent of users don't know how their Gmail, Yahoo, Hotmail, and Facebook accounts were hacked. See Users Whose Accounts Get Hacked Find Out From Their Friends.]

DMARC basically picks up where existing email authentication standards leave off. It provides a standard for how email receivers deploy the email authentication standard Sender Policy Framework (SPF), which validates email by verifying the sender's IP address. Email administrators basically specify which hosts can send email from their domains, and DomainKeys Identified Mail (DKIM), which uses reputation of an organization to verify trust for a message, using cryptographic authentication.

But SPF and DKIM fell a bit short when it came to visibility of email domain abuse. "Today there are great technologies like SPF and DKIM. We can publish a record with SPF and sign it with DKIM ... then send it out to the ether. People have to pray to the email gods and hope the postmaster will know if something was broken," Agari's Peterson says. "There was no way to get global visibility on how a domain name was being misused."

That's what DMARC does, as well as let the domain owner control who can use the domain. "DMARC lets us register mail, authenticate it," and confirm that it's not spoofed, he says. "It used to be up to someone else to figure out spoofing."

An email domain owner can set policies for its email provider to block unauthenticated emails, and the email provider can send domain owners reports that illustrate how its authentication process is working or not working, for instance.

Google's Dawes says DMARC will ensure that email senders consistently get their messages authenticated on AOL, Gmail, Hotmail, Yahoo!, and any other email receivers that deploy DMARC. "We hope this will encourage senders to more broadly authenticate their outbound email, which can make email a more reliable way to communicate," he says.

Email security vendors likely will offer "push-button," cloud-based DMARC services for enterprises, says Agari's Peterson. And those who are already customers of the DMARC founders, such as Agari, already are getting DMARC authentication, he says.

So what happens if DMARC starts making a big dent on phishing attacks? "The bad guys will realize they can't impersonate certain brands any longer," Peterson says. "They will focus on finding unprotected brands."

Phishers also may opt to use domains similar to ones that use DMARC. "If I want to phish someone for their Paypal credentials, I might just forge it to be from paypalsecurity.com or some other similar domain that is not signed or owned by the company I am posing as," Sophos' Wisniewski says.

The DMARC working group plans to deliver its specification to the Internet Engineering Task Force (IETF) for its blessing as a standard for the Internet community.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/14/2012 | 4:34:14 AM
re: Google, Facebook, Bank Of America Behind New Email Security Standard
You +1'd this publicly.-Undo
The new standard aims to protect email at the domain level so criminals can't GǣspoofGǥ a legitimate email account or domain name for phishing
User Rank: Ninja
2/1/2012 | 12:24:20 PM
re: Google, Facebook, Bank Of America Behind New Email Security Standard
authentication is not, nor ever will be, something that someone does for you: that leaves a means by which a scamster can manipulate the mechanism.

manipulate the mechanism

that is how the scamster always works: he will evaluate: how does this mechanism work?

Phil Zimmerman's essay on PGP should always remain required reading for those who wish to work with digital signatures and authentication.

for one thing: you cannot begin any discussion of security or authentication until after you have verified your endpoint is free of malware. - the process has to start with software inventory audit and maintenance locking. these are necessary to provides a Commercial Certification for an endpoint.

after that's done we can start discussing authentication.

-and remember: authentication the corporation is just as important as authenticating the customer.- many corporate thinkers only focus on "the other end" of the link and don't check themselves first.
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
US Counterintelligence Director & Fmr. Europol Leader Talk Election Security
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-20
IBM Sterling B2B Integrator Standard Edition through and IBM Sterling File Gateway through are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially lea...
PUBLISHED: 2020-10-20
IBM Spectrum Scale 5.0.0 through is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188517.
PUBLISHED: 2020-10-20
IBM Spectrum Scale 5.0.0 through does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link ...
PUBLISHED: 2020-10-20
IBM Spectrum Scale 5.0.0 through is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188595.
PUBLISHED: 2020-10-20
IBM Spectrum Scale V4.2.0.0 through V4.2.3.23 and V5.0.0.0 through V5.0.5.2 as well as IBM Elastic Storage System 6.0.0 through could allow a local attacker to invoke a subset of ioctls on the device with invalid arguments that could crash the keneral and cause a denial of service. IBM X-For...