Google (Nasdaq: GOOG), Facebook and other big tech companies are jointly designing a system for combating email scams known as phishing.
Such scams try to trick people into giving away passwords and other personal information by sending emails that look as if they come from a legitimate bank, retailer or other business. When Bank of America customers see emails that appear to come from the bank, they might click on a link that takes them to a fake site mimicking the real Bank of America’s. There, they might enter personal details, which scam artists can capture and use for fraud.
To combat that, 15 major technology and financial companies have formed an organization to design a system for authenticating emails from legitimate senders and weeding out fakes. The new system is called DMARC — short for Domain-based Message Authentication, Reporting and Conformance.
DMARC builds upon existing techniques used to combat spam. Those techniques are designed to verify that an email actually came from the sender in question. The problem is there are multiple approaches for doing that and no standard way of dealing with emails believed to be fake.
The new system addresses that by asking email senders and the companies that provide email services to share information about the email messages they send and receive. In addition to authenticating their legitimate emails using the existing systems, companies can receive alerts from email providers every time their domain name is used in a fake message. They can then ask the email providers to move such messages to spam folder or block them outright.
“At a high level,” the group says, “DMARC is designed to satisfy the following requirements:”
- Minimize false positives.
- Provide robust authentication reporting.
- Assert sender policy at receivers.
- Reduce successful phishing delivery.
- Work at Internet scale.
- Minimize complexity.
According to Google, about 15 percent of non-spam messages in Gmail come from domains that are protected by DMARC. This means Gmail users “don’t need to worry about spoofed messages from these senders,” Adam Dawes, a product manager at Google, said in a blog post.
“With DMARC, large email senders can ensure that the email they send is being recognized by mail providers like Gmail as legitimate, as well as set policies so that mail providers can reject messages that try to spoof the senders’ addresses,” Dawes wrote.
Some key points from DMARC:
- Why is DMARC Important?
“With the rise of the social internet and the ubiquity of e-commerce, spammers and phishers have a tremendous financial incentive to compromise user accounts, enabling theft of passwords, bank accounts, credit cards, and more. Email is easy to spoof and criminals have found spoofing to be a proven way to exploit user trust of well-known brands. Simply inserting the logo of a well known brand into an email gives it instant legitimacy with many users.
“Users can’t tell a real message from a fake one, and large mailbox providers have to make very difficult (and frequently incorrect) choices about which messages to deliver and which ones might harm users. Senders remain largely unaware of problems with their authentication practices because there’s no scalable way for them to indicate they want feedback and where it should be sent. Those attempting new SPF and DKIM deployment proceed very slowly and cautiously because the lack of feedback also means they have no good way to monitor progress and debug problems.
“DMARC addresses these issues, helping email senders and receivers work together to better secure emails, protecting users and brands from painfully costly abuse.”
- How Does DMARC Work?
“A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.”
- Who Can Use DMARC?
“DMARC policies are published in the public Domain Name System (DNS), and available to everyone. It is the goal of DMARC.org to submit the draft specification to the IETF so that it may begin the process of becoming an official Internet Standard RFC – available to everyone for reference, implementation, and improvement.”
Work on DMARC started about 18 months ago. Beginning Monday, other companies can sign up with the organization, whether they send emails or provide email services. For email users, the group hopes DMARC will mean fewer fraudulent messages and scams reaching their inbox.
The group’s founders are email providers Microsoft Corp. (Nasdaq: MSFT), Yahoo Inc. (Nasdaq: YHOO), AOL Inc. and Google; financial service providers Bank of America Corp., Fidelity Investments and eBay Inc.’s PayPal; online service companies Facebook, LinkedIn Corp. and American Greetings Corp. and security companies Agari, Cloudmark, eCert, Return Path and the Trusted Domain Project.
Google uses it already, both in its email sender and email provider capacities. The heft of the companies that have already signed on to the project certainly helps, and its founders are hoping it will be more broadly adopted to become an industry standard.
Get the latest news alerts: Follow WRAL Tech Wire at Twitter.