informa
3 min read
article

Email Domain Protection Effort Gains Traction

Phishing and email domain abuse prevention specification DMARC marks year one with widespread adoption
An industry effort to protect corporate brands from email domain spoofing has been adopted by Google, Yahoo, AOL, and Microsoft, as well as major Russian and Chinese email providers in the past year, bringing the trusted email standard Domain-based Message Authentication, Reporting & Conformance (DMARC) to 60 percent of email users worldwide and 80 percent of U.S. consumers.

The year-old DMARC initiative, which was spearheaded by a group of 15 companies, including Google, Microsoft, Facebook, the Bank of America, and PayPal, aims to fill a major security gap in email with a specification for curbing phishing and other abuse of legitimate email domains. It basically establishes a standard way for email providers and email domain owners to catch and handle messages with spoofed domains.

Some of the most convincing phishing attacks originate from spoofed email domains of legit companies or organizations. Google, Facebook, AOL, Hotmail, PayPal, Yahoo, and LinkedIn are among the major players using DMARC to guard their email domains from spoofing, and Russia's mail.ru and China's NetEase all have deployed DMARC. Some 80 percent of consumer inboxes are protected by DMARC today, according to DMARC.org, which is nearly 2 billion email accounts worldwide.

Another stat released today by DMARC.org: More than 325 million emails were rejected using the technology in November and December 2012 alone because they didn't authenticate, and some 49 million of those messages came from "highly phished" domains.

Half of the top 20 email sender domains now publish a DMARC policy. About 60 percent of those domains are not DMARC.org members, and 70 percent of those domains include a policy for email receivers to take action against spoofed messages.

Trent Adams, chair of DMARC.org and PayPal's senior policy adviser for its ecosystems payment group, says DMARC is all about a community effort in quashing email abuse and threats. "We're really cognizant that DMARC is an ecosystem story: It's not just one sector needing to do something," Adams says. "It empowers email providers to take definitive action" against spoofed messages, as well, he says.

DMARC picks up where email authentication standards leave off. It provides a standard for how email receivers deploy the email authentication standard Sender Policy Framework (SPF), which validates email by verifying the sender's IP address. Email administrators basically specify which hosts can send email from their domains, and DomainKeys Identified Mail (DKIM), which uses the reputation of an organization to verify trust for a message, uses cryptographic authentication. DMARC lets the domain owner control who uses the domain via registration and authentication and detect and respond to abuse.

Facebook messaging engineer Michael Adkins says large and small domains from various vertical markets are adopting DMARC. "I've been working on email-related abuse issues for close to 10 years now. The standards, [such as] DKIM, sort of sit there and nothing happens," Adkins says. "But with DMARC, this is the end of a very long road for a lot of people in the industry. We're finally seeing everything click into place" with email security standards now, he says.

Aside from Bank of America, Facebook, Google, PayPal, and Hotmail, among the companies that use DMARC are Amazon, American Greetings, Apple, Bank of America, Blizzard Entertainment, Booking.com, eBay, Facebook, FedEx, Fidelity Investments, Google, Groupon, JP Morgan Chase, LinkedIn, LivingSocial, Netflix, PayPal, Tagged, Twitter, Western Union, Yelp, YouTube, and Zynga.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.