Jan 30

DMARC.org: A Giant Step Forward in the Fight Against Phishing


sammasiello

We are very excited today to announce our participation in the founding of DMARC.org (Domain-based Message Authentication, Reporting and Conformance), a working group aimed at stopping email-borne security threats through authentication. The working group, which is launching publicly today, is a coalition of 15 companies dedicated to this mission, including AOL, Google, Microsoft and Yahoo!

I know what you might be thinking – hasn’t that been done before? Wasn’t that the point of SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail)?

SPF and DKIM both give the owner of a domain a way to show that a message was sent with that domain's authority: SPF publishes in DNS which hosts may send mail for the domain, and DKIM signs outgoing messages with a key the domain publishes in DNS. Receivers can use either to check whether a given message was sent by the owner of the domain it purports to come from. What neither of them does is give senders and receivers a mechanism to communicate with each other about what to do with messages that are not authenticated. With no way for senders and receivers to communicate, receivers had no safe way to block unauthenticated email, which has allowed email-borne phishing attacks to continue at high levels.

The genesis of DMARC was actually a private partnership between PayPal and Yahoo! and Google. They worked together in 2007 and 2008, respectively, to create a communication channel that would allow Google and Yahoo! to block all email purporting to be from a PayPal domain. It had a huge positive impact. At one point they were blocking, on average, 200,000 phishing messages a day.

The DMARC specification creates a scalable communication channel between every sender and every receiver: the domain owner publishes a DNS record stating what receivers should do with mail that fails authentication and where to send reports about it, and receivers apply that policy and send the reports back. This has the power to substantially reduce the damage of phishing, both for the end users who are subject to these attacks and for the senders whose brand is on the line. We think this specification is extremely timely, as our data increasingly shows that phishing continues to move beyond the usual targets of banking and financial services and into any brand that has a high enough profile to trick consumers into clicking on malicious links.

The great news is that any brand can take advantage of DMARC today. Use our free DMARC record creator and you can begin receiving reports from Google immediately.

And Return Path's anti-phishing solution, Domain Assurance, is already configured to accept and parse DMARC reports. We take the raw data from ISPs that support DMARC and provide intelligence, built-in logic and sophisticated alerting. This analysis enables our customers not only to better understand their email streams and which emails are not authenticating, but also to see where phishing traffic is coming from and what the potential impact is upon the company's brand, and it empowers companies to make informed policy statements to block future phishing attacks with confidence.
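The two pieces this post refers to, the DNS record a brand publishes and the aggregate reports receivers send back, are easier to reason about with code in hand. The following is an added example, not Return Path's record creator or Domain Assurance code and not anything from DMARC.org. The DMARC record, the XML report, the IP addresses and the domains are all constructed; the element names follow the DMARC aggregate-report XML format. The relaxed-alignment check approximates the organizational domain by the last two DNS labels instead of consulting the Public Suffix List, which is a simplification.

```python
"""Added example: parse a DMARC DNS record and a DMARC aggregate (rua) report.
The record and the XML report below are constructed for illustration; they are
not data from Return Path, DMARC.org or any mailbox provider."""
import xml.etree.ElementTree as ET

# Constructed TXT record as published at _dmarc.example.com: v= identifies the
# record, p= is the policy receivers apply to mail that fails DMARC, rua= is
# where aggregate reports are sent, adkim=/aspf= select relaxed alignment.
DMARC_TXT = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-agg@example.com; "
             "adkim=r; aspf=r; pct=100")


def parse_dmarc_record(txt):
    """Split a DMARC record into {tag: value}; reject a missing or invalid policy."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: expected v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    return tags


def aligned(header_from, auth_domain, mode):
    """DMARC identifier alignment between the From: domain and the domain that
    SPF or DKIM authenticated. "s" = exact match; "r" = same organizational
    domain, approximated here by the last two labels (simplification: real
    checkers use the Public Suffix List)."""
    hf = header_from.lower().rstrip(".")
    ad = (auth_domain or "").lower().rstrip(".")
    if mode == "s":
        return hf == ad
    return hf.split(".")[-2:] == ad.split(".")[-2:]


# Constructed aggregate report: a legitimate source, a third party whose SPF
# passes for its own domain but does not align with From:, and a spoofing source.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mailbox-provider.example.net</org_name>
    <report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>mail.example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>350</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bulk-sender.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>40</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def summarize_report(xml_text):
    """One dict per <record>, recomputing the DMARC verdict from the raw SPF/DKIM
    results plus alignment instead of trusting the receiver's policy_evaluated."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    adkim = pub.findtext("adkim", "r")
    aspf = pub.findtext("aspf", "r")
    rows = []
    for rec in root.findall("record"):
        header_from = rec.findtext("identifiers/header_from")
        dkim_ok = any(d.findtext("result") == "pass" and aligned(header_from, d.findtext("domain"), adkim)
                      for d in rec.findall("auth_results/dkim"))
        spf_ok = any(s.findtext("result") == "pass" and aligned(header_from, s.findtext("domain"), aspf)
                     for s in rec.findall("auth_results/spf"))
        rows.append({"source_ip": rec.findtext("row/source_ip"),
                     "count": int(rec.findtext("row/count")),
                     "header_from": header_from, "dmarc_pass": dkim_ok or spf_ok,
                     "disposition": rec.findtext("row/policy_evaluated/disposition")})
    return rows


def failing_sources(rows):
    """Map source IP -> message count for every source that failed DMARC."""
    return {r["source_ip"]: r["count"] for r in rows if not r["dmarc_pass"]}


if __name__ == "__main__":
    print(parse_dmarc_record(DMARC_TXT))
    print(failing_sources(summarize_report(SAMPLE_REPORT)))
```

The second record is the instructive one: SPF passes, but for bulk-sender.example.net rather than for the From: domain, so the message fails DMARC. That alignment requirement is what lets a receiver act on the published policy without a brand's authorized third-party senders slipping through unless the brand has set them up to authenticate as its own domain.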

Ready to learn more? Return Path has set up a page where you can create your DMARC record and you can sign up for our free DMARC assessment program.

Meanwhile, check out the DMARC.org website, where you can view the specification, read the FAQ, and sign up for the discussion list.

  • Mark (ISPreview.co.uk)
    Sounds like some very positive progress. Is there a timetable for when DMARC will be submitted for final approval?
  • Sam Masiello
    Mark,

    Good question. Now that DMARC is public, one of the next steps will be to start moving it through the process of the IETF (Internet Engineering Task Force) to get it accepted as a true standard. The length of time that can take is indeterminate, however. So, we encourage brands and ISPs to implement now so that they can start taking advantage of the protection that the protocol provides. Many large mailbox providers and some of the most widely phished brands have already jumped on board to help build momentum for others to follow.

    --Sam