The companies, which also include financial-services enterprises Bank of America Corp., FMR LLC's Fidelity Investments, eBay Inc.'s PayPal and Yahoo, want to create an environment in which the recipient of an email from, say, a bank can feel confident that it is not a trick.
The new alliance among the tech giants is known as Domain-based Message Authentication, Reporting and Conformance, DMARC for short, and the objective of this sprawling association is to formulate new email standards that help stop the nefarious practice.
“One of the worst experiences for a user is being phished,” Adam Dawes, a Google product manager and DMARC representative, said in a statement. “The best way to protect them is to make sure the email never reaches the spam folder at all.”
Phishing is a fairly simple trick. Often, the spammer manipulates the data in the email message so that it appears to have come from a legitimate source. There is usually a way to work out where the message really came from, but it can be hard for the average user to spot.
Today, as Dawes explained, phishing messages are often caught by an email client's spam filters. But even when they check their spam folders, many users cannot help but open a message that says it's from PayPal. Before they know it, someone has phished their credit card number. With DMARC, the idea is to get the email companies working behind the scenes to prevent phishing emails from ever reaching your inbox or spam folder.
[Figure: top box, what you normally see; bottom, what you should double-check.]
Brett McDowell, chair of DMARC and a senior manager at PayPal, says that senders also need policies that tell email providers how to treat messages that are not authenticated. That way, the email provider can vouch for the authenticity of the real emails and block the fake ones or label them suspicious.
PayPal has been using the authentication technologies with Yahoo's email service since 2007 and with Google's since 2008, McDowell says, and is now blocking around 200,000 fake emails per day. In addition, Dawes said that 15% of the messages the company delivers to inboxes, a count that does not include spam and other junk email, are currently protected by the authentication safeguards.
Such large volumes could be the reason this effort to secure email succeeds where past ones have failed, representing a "critical mass" of key companies, says McDowell.
Some of the underlying technologies are already widely used to protect email, relying on the equivalent of digital signatures that help identify a message's sender. The DMARC protocol builds on existing technologies, including the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), both of which are common mail security protocols. SPF verifies that the IP address of the server sending the email is authorized by the sender's domain, while DKIM checks the email's content against a signature supplied by the sender.
Moreover, “Domain-based phishing cannot happen when both parties deploy DMARC,” he says.