Google, Microsoft, PayPal, Facebook and other big names have announced a new anti-spam and phishing project, DMARC.org, creating a new system for email authentication that promises to learn from past attacks. “Domain-based Message Authentication, Reporting and Conformance” will use “a feedback loop between legitimate email senders and receivers to make impersonation more difficult” and, the companies hope, will eventually be adopted by the IETF as a standard.
“Email phishing defrauds millions of people and companies every year, resulting in a loss of consumer confidence in email and the Internet as a whole. Industry cooperation – combined with technology and consumer education – is crucial to fight phishing” Brett McDowell, Chair of DMARC.org and Senior Manager of Customer Security Initiatives at PayPal
According to DMARC, the widespread problems with spam and phishing today are the result of confusion and uncertainty between email providers over what security and authentication options are supported by both sender and recipient. Although existing options – such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) – can be used, there’s no way for providers to know if they’ve been implemented.
What DMARC has done, supposedly, is to integrate authentication more completely into their infrastructure. “A sender could set policies to easily request a provider to discard unauthenticated email in order to block phishing attacks” the group suggests; meanwhile, comprehensive reports are supplied to help spot any loopholes or gaps in the system.
Those taking part in the scheme are a mixture of email providers, security experts, social media firms and, not least, the banks and financial institutions that often have to pay up when credit card insurance claims are filed. AOL, Gmail, Hotmail, Yahoo! Mail, Bank of America, Fidelity Investments, PayPal, American Greetings, Facebook, LinkedIn, Agari, Cloudmark, eCert, Return Path and the Trusted Domain Project are all involved.