Companies will soon have a new weapon in the ongoing war against phishing and spam. On Monday, a group of leading e-mail and technology companies announced a proposed new standard to make it more difficult for fraudulent and other unwanted e-mail to get through.
The companies have formed DMARC.org, a technical working group based in San Jose, California. DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, builds on a year-and-a-half of collaborative effort that has created a draft specification.
Participating e-mail providers include AOL, Gmail, Hotmail, and Yahoo. Other members include Bank of America, Fidelity Investments, PayPal, Facebook, LinkedIn, Cloudmark, eCert, and Return Path.
The organization noted that e-mail systems currently lack a reliable way to tell if an e-mail sender uses standards like Sending Policy Framework, or SPF, and DomainKeys Identified Mail, or DKIM, to authenticate messages. As a result, the group noted that "complex and imperfect measures to separate legitimate unauthenticated messages" from fraudulent messages are currently used.
SPF and DKIM were created more than 10 years ago to help authenticate an e-mail sender's identity . But full implementation of those authentication technologies has been hampered by several factors. DMARC does not directly determine if an e-mail is fraudulent, but whether it aligns to the fraud detection configuration -- such as SPF or DKIM -- or not. It is designed to replace the ADSP, or Author Domain Signing Practices, an optional extension to DKIM.
Pioneered by PayPal
DMARC intends to provide a more comprehensive and integrated way to integrate authentication technologies into e-mail systems. Once data and input from the field has been gathered, DMARC.org will submit its revised spec to the Internet Engineering Task Force for acceptance as a standard.
Under DMARC's approach, a sender can show that their e-mails are protected by SPF or DKIM, and it informs the receiver the best way to proceed if neither of those authentication methods are validated. DMARC also offers a procedure for the e-mail receiver to inform the sender about whether messages passed or failed.
Many e-mail senders have complex e-mail systems, sometimes including third-party providers, and authentication processes in these frequently changing systems can be difficult to implement.
Some legitimate e-mail senders send messages that can be authenticated, as well as other e-mails that cannot be. Senders get poor feedback on what has been authenticated, plus many e-mail receivers are reluctant to reject unauthenticated messages because they may include legitimate messages. The solution, said DMARC, is systematically sharing information between receivers and senders.
The group said that PayPal pioneered this approach in 2007, working with Yahoo and Gmail, and the results were "extremely effective."
Spam, Phishing Costly
Charles King, an analyst with Pund-IT, said that spam and phishing e-mail, besides being annoying to users, can be "very costly" to e-mail service providers because of the huge volumes involved.
He said that businesses will likely be "open to this new approach," but the degree to which companies might benefit from increased efficiency depends "to some extent" on the degree to which they handle their own e-mail service, or whether they farm out some or all of it.
Posted: 2012-01-30 @ 4:08pm PT
Great! I can't wait until someone can stop the madness. I hate spam and phishing and anything that people do to try and destroy the Internet.