An authentication system is being developed to thwart phishing emails, with fifteen companies, including Google, Facebook, Microsoft, PayPal, and Yahoo, announcing their support for the standard. Called DMARC (Domain-based Message Authentication, Reporting, and Conformance), the system will be able to verify for users whether emails that appear to come from legitimate companies were actually sent by them, and not by those looking to steal passwords, credit card details, and other sensitive information.
Developed in loose collaboration across the participating companies, the DMARC specification is hoped to help reduce the threat of email phishing and improve coordination between email providers and email sender domain owners. Major contributors include email providers - AOL, Gmail, Hotmail, Yahoo! Mail; financial institutions and service providers - Bank of America, Fidelity Investments, PayPal; social media properties - American Greetings, Facebook, LinkedIn; and email security solutions providers - Agari, Cloudmark, eCert, Return Path, and Trusted Domain Project.
As most users can’t easily tell the difference between an authentic message and a phishing scam, email providers and service providers will ensure the checking happens efficiently at their end. The ultimate aim of the DMARC alliance (DMARC.org) and its adoption is to ensure that users receive only authentic, DMARC-verified mail in their inbox.
The DMARC specification will standardize how DMARC-supporting email receivers will perform authentication, using SPF and DKIM mechanisms. Senders will then get consistent authentication results for their messages at DMARC-supporting receivers. DMARC thus aims to remove “guesswork from the receiver's handling of failed messages, limiting or eliminating the user's exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.”
DMARC can be used by everyone, and its policies are published in the public Domain Name System (DNS). DMARC.org will also submit the specification to the IETF, a step toward it becoming an Internet Standard RFC, open for implementation and improvement.
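The receiver-side check described above, sketched as an added example that is not from the article or DMARC.org: it parses a policy record of the kind a domain owner publishes in DNS and applies it to a message's SPF and DKIM results. The tag syntax follows the specification as later published in RFC 7489; the domains, the sample record, and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in parts if "=" in p)}
    tags.setdefault("p", "none")    # requested handling of failing mail
    tags.setdefault("adkim", "r")   # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")    # SPF alignment:  r = relaxed, s = strict
    return tags


def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # A real receiver consults the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs from the receiver.

    Returns "pass", "no-policy", or the disposition the domain owner asked for.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags["adkim"])
    # One aligned, passing mechanism is enough for the message to pass.
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


# Constructed sample record, as it would appear in a TXT record at _dmarc.example.com
RECORD = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Genuine mail: SPF passes for a subdomain of the From domain (relaxed alignment).
    print(evaluate(RECORD, "example.com", ("pass", "bounce.example.com"), ("pass", "example.com")))
    # Lookalike mail: SPF passes, but only for the sending host's own unrelated domain.
    print(evaluate(RECORD, "example.com", ("pass", "mailer.example.net"), ("none", "")))
```

The second case shows why alignment matters: SPF alone reports a pass, yet the message fails DMARC because the authenticated domain is not the one shown in the From header.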