A new way to net phish


Some 300 billion emails circulate each day, but they still can't escape a fundamental flaw – that users who receive these messages can't be certain who sent them. This underlying weakness has led to phishing and spam being persistent threats on the web for many years.

But the age-old quest for accountability in digital communication has a new champion: Domain-Based Message Authentication, Reporting and Conformance (DMARC), a new specification that its creators hope the Internet Engineering Task Force (IETF) will soon adopt.

DMARC has a few things working in its favor that past authentication attempts didn't have. For one, it is not a standalone protocol, but one that works in concert with popular security methods already adopted: DomainKeys Identified Mail (DKIM), a technique that associates a domain name with an email message, and Sender Policy Framework (SPF), which detects spoofing.

“DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms,” according to the group. “This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo and any other email receiver implementing DMARC.”

Second, DMARC has some muscle behind it. Not only are the major email providers behind the system, but so are some of the most digitally abused brands, such as PayPal. And third, DMARC gets away from the traditional approach of blacklisting. “DMARC gives us an ability not just to guess if that message is good or bad, but to actually know whether it came from a legitimate organization,” said Patrick Peterson, founding member of DMARC and CEO of email security firm Agari.

DMARC uses DKIM and SPF to vet, at the domain level, the trustworthiness of emails. Email providers can then, through their own policy and through user preferences, get as granular as they wish, anywhere from simply monitoring unauthenticated messages to outright blocking them.

The specification also allows senders to publicize their email handling practices, while receivers can offer feedback.
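The two paragraphs above describe the mechanism in outline: a sender publishes a policy, and a receiver combines SPF and DKIM results with that policy to decide what to do with a message that doesn't authenticate. The following Python is an added example, not code from the article, DMARC.org or any mail provider, that walks through that evaluation in simplified form. It assumes the published record is a DNS TXT string with the `v=`, `p=`, `aspf=`, `adkim=` and `rua=` tags, approximates the organizational domain as the last two labels rather than using the Public Suffix List, and uses constructed domains such as `example.com` and `attacker-example.net`.

```python
# Added example: simplified DMARC policy evaluation in the spirit of RFC 7489.
# Illustrative code only; not DMARC.org's or any receiver's implementation.
# All domains, records and authentication results below are constructed.


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:x@example.com'
    into a tag dictionary. The v= and p= tags are required."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption for this example: real receivers consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match with the
    RFC5322.From domain; relaxed ('r') accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: str, from_domain: str,
             spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: str) -> tuple:
    """Return (dmarc_result, disposition).

    DMARC passes when at least one of SPF or DKIM both passed *and* is aligned
    with the From: domain the user sees. Otherwise the sender's published policy
    decides what the receiver does: 'none' (monitor only), 'quarantine' or 'reject'."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags["p"])


# Constructed scenario: a domain that publishes p=reject with relaxed alignment.
RECORD_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

# 1. Legitimate mail: SPF passes for the envelope domain and it matches From:.
legit = evaluate(RECORD_REJECT, "example.com", "pass", "example.com", "fail", "")

# 2. Lookalike: the other party's own domain passes SPF, but it is not aligned
#    with the From: domain the user sees, so DMARC fails and the policy says reject.
spoof = evaluate(RECORD_REJECT, "example.com", "pass", "bulk.attacker-example.net", "fail", "")

# 3. Relaxed alignment lets a subdomain's DKIM signature vouch for the org domain.
subdomain = evaluate(RECORD_REJECT, "example.com", "fail", "", "pass", "mail.example.com")

# 4. The same message under strict DKIM alignment and a monitoring-only policy:
#    it fails, but the disposition is 'none', so the receiver only reports it
#    to the rua= address instead of blocking it.
RECORD_MONITOR = "v=DMARC1; p=none; adkim=s; rua=mailto:dmarc-reports@example.com"
monitored = evaluate(RECORD_MONITOR, "example.com", "fail", "", "pass", "mail.example.com")

if __name__ == "__main__":
    for name, outcome in [("legit", legit), ("spoof", spoof),
                          ("subdomain", subdomain), ("monitored", monitored)]:
        print(f"{name:10s} -> result={outcome[0]}, disposition={outcome[1]}")
```

Scenario 2 is the case the article is about: SPF alone is satisfied, yet the domain that authenticated is not the one shown in the From: header, and it is the alignment check that exposes the mismatch. Scenarios 3 and 4 show the monitoring-to-blocking spectrum the text mentions: the same message is reported under `p=none` and would be refused under `p=reject`, which is why domain owners typically start at `p=none`, read the aggregate reports, and only then tighten the policy.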

Critics of DMARC argue that as long as people are involved in the process, users still will fall for phishing and spam.

“Humans don't work the way technology works, they work the way humans work,” said Joseph Steinberg, CEO at Green Armor Solutions, an authentication vendor.