Today begins a coordinated effort by fifteen of the leading email service and technology providers including AOL, Bank of America, Facebook, Google, LinkedIn, Fidelity Investments, Microsoft, PayPal and Yahoo to reduce phishing emails and spam.
According to a press release by DMARC.org (DMARC stands for Domain-based Message Authentication, Reporting & Conformance), this group of companies and others has been working for the past 18 months on an email authentication technical framework built on the existing Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards.
The press release states that:
"The DMARC specification addresses concerns that have traditionally hindered widespread deployment of an authenticated, trusted email ecosystem. Today, email receivers lack a reliable way to know the extent to which an email sender uses standards like SPF and DKIM for authenticating their messages. As a result, providers must rely on complex and imperfect measurements to separate legitimate unauthenticated messages sent by the domain owner from fraudulent phishing messages sent by a scammer."
"By introducing a standards-based framework, DMARC has defined a more comprehensive and integrated way for email senders to introduce email authentication technologies into their infrastructure. For example, a sender could set policies to easily request a provider to discard unauthenticated email in order to block phishing attacks. The specification also creates a mechanism for email providers to send detailed reports back to email senders to help catch any gaps in the authentication system. This feedback loop raises the trust level within the email ecosystem and makes it easier to detect and stop phishing attempts."
With DMARC, a receiving provider can check that an email whose From address shows a company's domain was actually sent or authorized by that domain, and discard it if the company's published policy says so. A company could then send a customer an email with an embedded link, and the customer would have a far stronger basis for trusting that the link leads where the company intended and not to some malware site. Currently, companies, and especially banks such as Bank of America, tell customers that they don't send emails with such embedded links, and to never click on them.
The press release goes on to say that DMARC.org intends to submit its authentication framework to the Internet Engineering Task Force (IETF) for standardization after further field testing.
DMARC.org obviously hopes that other email senders will sign up to the standard, which will make it increasingly hard for phishers and spammers to operate. However, it will take a while before a critical mass is reached, and it may take some time for email recipients to begin trusting links in company emails even if the DMARC standard takes off. I, for one, will still be highly suspicious of any email I get from a company telling me to click on a link, DMARC standard or not.
The WSJ story also points out that even if every email sender were to follow the standard, it won't totally eliminate email fraud. However, "it will mean that scammers [will] need to find new addresses with which to launch their attacks. Instead of crafting an email that looks like it comes from paypal.com, for instance, it would need to come from 'paypalpayments.com' or some other fake site."
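To make concrete what the press release means by a policy to "discard unauthenticated email", and why, as the WSJ story notes, a scammer then has to move to a domain like paypalpayments.com, here is an added worked example (my own illustration, not code from DMARC.org, the article, or any of the companies named). It implements the receiver-side core of DMARC, identifier alignment between the From-header domain and the domains that SPF or DKIM actually authenticated, followed by a policy lookup, using the tag names the DMARC specification defines (v, p, sp, adkim, aspf, rua). The DNS records, the message authentication results and the organizational-domain shortcut (last two labels instead of the Public Suffix List) are all constructed assumptions for the example; the paypal.com record shown is hypothetical, not PayPal's real one.

```python
"""Toy DMARC receiver-side evaluation: identifier alignment + policy lookup.

Added example, not code from the article or from DMARC.org. DNS is replaced
by an in-memory table of constructed records; all data here is hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed _dmarc.<domain> TXT records (hypothetical, not real DNS data).
DNS_TXT = {
    "_dmarc.paypal.com": "v=DMARC1; p=reject; adkim=s; aspf=s; "
                         "rua=mailto:dmarc-reports@paypal.com",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    # paypalpayments.com publishes no DMARC record at all.
}


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, applying spec defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed alignment unless told otherwise
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification: last two labels. Real receivers use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def lookup_policy(from_domain: str) -> Optional[dict]:
    """Look up the From domain's record, then fall back to its organizational domain."""
    for d in (from_domain, organizational_domain(from_domain)):
        txt = DNS_TXT.get("_dmarc." + d)
        if txt:
            rec = parse_dmarc_record(txt)
            if d != from_domain and "sp" in rec:
                rec = dict(rec, p=rec["sp"])   # subdomain policy applies
            return rec
    return None


@dataclass
class AuthResults:
    from_domain: str                 # domain in the RFC5322.From header
    spf_domain: Optional[str]        # domain SPF was evaluated for (MAIL FROM)
    spf_result: str                  # "pass", "fail", "none", ...
    dkim_domains_passed: List[str]   # d= of each DKIM signature that verified


def evaluate_dmarc(r: AuthResults) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one message."""
    rec = lookup_policy(r.from_domain)
    if rec is None:
        return ("none", "accept")     # no policy published: nothing to enforce
    spf_ok = (r.spf_result == "pass" and r.spf_domain is not None
              and aligned(r.from_domain, r.spf_domain, rec["aspf"]))
    dkim_ok = any(aligned(r.from_domain, d, rec["adkim"])
                  for d in r.dkim_domains_passed)
    if spf_ok or dkim_ok:
        return ("pass", "accept")
    disposition = {"none": "accept", "quarantine": "quarantine",
                   "reject": "reject"}[rec["p"]]
    return ("fail", disposition)


if __name__ == "__main__":
    # Constructed scenarios (hypothetical messages).
    scenarios = {
        "phish spoofing paypal.com, SPF passes only for the attacker's MAIL FROM":
            AuthResults("paypal.com", "attacker.example", "pass", []),
        "genuine paypal.com mail, DKIM d=paypal.com verifies":
            AuthResults("paypal.com", None, "none", ["paypal.com"]),
        "lookalike paypalpayments.com, its own SPF passes, no DMARC record":
            AuthResults("paypalpayments.com", "paypalpayments.com", "pass", []),
        "news.example.net signed with d=example.net under relaxed alignment":
            AuthResults("news.example.net", None, "none", ["example.net"]),
    }
    for label, auth in scenarios.items():
        print(f"{label}: {evaluate_dmarc(auth)}")
```

The first and third scenarios are the whole point of the WSJ observation: the spoofed paypal.com message is rejected because the only thing that authenticated was the attacker's own domain, which does not align with the From header under paypal.com's strict policy, while the paypalpayments.com message sails through with no DMARC verdict at all, because that domain publishes no policy and the attacker controls it. DMARC has not stopped the mail, but it has forced the sender name visible to the victim to change.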
Forcing spammers and phishers in that direction will also make it easier for search engines to detect them. However, I suspect what will also happen is that spammers and phishers will start using the good old-fashioned telephone more to try to find victims.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.