Leading names in technology announce the Dmarc email standard

A GAGGLE of information technology firms including Microsoft, Google, Paypal, Yahoo and Facebook have joined forces to create an anti-phishing standard for email called Demarc.

Fifteen firms have formed a working group and created dmarc.org, which stands for "domain-based message authentication, reporting and conformance". The group's aim is to counter the threat of email phishing attacks and spam.

"Email phishing defrauds millions of people and companies every year, resulting in a loss of consumer confidence in email and the Internet as a whole," said Brett McDowell, chair of dmarc.org and senior manager of customer security initiatives at Paypal. "Industry cooperation - combined with technology and consumer education - is crucial to fight phishing."

As well as the big names mentioned already the remaining 10 consist of AOL, Bank of America, Fidelity Investments, American Greetings, Linkedin, Agari, Cloudmark, Ecert, Return Path and Trusted Domain Project.

The system produces a common way for senders to authenticate their emails with customers using the sender policy framework (SPF) and domain keys identified mail (DKIM) methods.

Dmarc said the system "removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent & harmful messages." It also provides a way for the receiver to report back to the sender about emails that pass or fail the Dmarc evaluation.

Spam and phishing are big problems at the moment, especially in the UK. Symantec's January intelligence report pointed out that most phishing attacks come from the UK and that one in 179 emails contained a phishing attack.

Dmarc's policies are published in the public Domain Name System (DNS) community and its goal is to make the system an official internet standard.

Update
We asked Symantec what its opinion was on the subject. Paul Wood, senior intelligence analyst at Symantec said, "This can only been seen as a positive step forward, especially when you factor in that our January Symantec Intelligence Report identified that one in every 179 emails contains a phishing attack."

"In the past, mail filtering systems such as Sender Policy Frameworks (SPF) have only let senders set up information that determines the validity of their emails to prove that they're from genuine servers. What they've lacked however is the ability to govern what the receiver actually does with the messages when they receive them. There hasn't been a feedback loop in place and vitally, Dmarc is trying to plug this gap."

We also asked if it thought Dmarc would be successful. "As with most technology, its success is down to adoption and whether people want to use it, but in this case, you have a number of big names collaborating and raising awareness. Businesses who adopt quickly are likely to be more protected against the threat of spoofing, which allows them to offer their customers additional security," said Wood. µ