Anti-Phishing Technology DMARC Touts Achievements

A technology that’s been actively deployed for just over a year has been rapidly adopted across the globe by organizations wanting to ward off phishing attacks.

DMARC — Domain-based Message Authentication, Reporting & Conformance — is an email specification designed to work with two popular email authentication methods, SPF and DKIM.

The Sender Policy Framework (SPF) authenticates where an email originates by comparing its IP address to a list of valid IP addresses submitted by the domain owner to the Domain Name System. If a message arrives at a mail exchange saying it’s from a certain domain, but the IP address where it came from doesn’t correspond to the addresses in the SPF record for that domain, the message is bounced.

DomainKeys Identified Mail (DKIM) verifies a message’s origin by attaching a cryptographic digital signature to it that associates the message with a domain. That signature can be reviewed at any point in the message’s path to its destination.

When it gets to its destination, the receiving system can determine what to do with the message based on the reputation of the signature’s owner. If the owner has a good reputation, it will probably deliver the message without a lot of hassle. If a reputation is tarnished, closer scrutiny of the message may be in order.

Neither SPF nor DKIM is perfect at what it does, but with DMARC, their effectiveness can be significantly increased. That’s why, since its introduction, the technology has been deployed to protect billions of mailboxes.

According to DMARC.org — the collaborative behind the technology which includes Google, Microsoft, AOL and Yahoo — almost two-thirds of all consumer mailboxes in the world — some 3.3 billion of them — are protected by DMARC.

“DMARC is a testimony to private sector and market-driven collaboration to combat a real problem on the Internet,” Trent Adams, chair of DMARC.org and senior policy advisor at PayPal, said in a statement.

Mailbox managers aren’t the only big players embracing DMARC. Large email senders have welcomed the technology, too. DMARC.org says that 10 of the top 20 domains belonging to the largest email senders have implemented DMARC.

DMARC-enabled mail providers and senders made a measurable impact on email volumes during the holiday season in 2012. Mailbox providers alone rejected 375 million email messages in November and December because they failed a DMARC authentication check.

One of the world’s largest senders of email on the Net — Facebook — has high praise for DMARC. According to Michael Adkins, messaging engineer for Facebook, the company has not only been able to reduce security staff needed to oversee its email operations.

“DMARC’s powerful controls protect over 85 percent of our users from fraudulent email that claims to be from Facebook, and that’s after just one year,” Adkins noted. “Add in the visibility and insight provided by DMARC’s reporting features and a very small team can have a huge impact on phishing.”

DMARC.org recommends that organizations interested in adopting the technology do so in small steps. The first step is to successfully deploy DKIM and SPF. Once that’s done, DMARC anti-phishing policies can be applied incrementally until the point is reached where email providers can be instructed to block all email exploiting the organization’s domain.
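The incremental rollout described above, as an added example that is not code from the article or from DMARC.org: it shows how a receiver would treat the same spoofed message at each stage of a sender's published policy, and why a bare SPF pass is not enough once DMARC requires the authenticated domain to match the From domain. The domains, the report address and the three records are constructed samples, and the alignment check is a simplification of what real receivers do.

```python
# Added example: a receiver applying a published DMARC policy to one message.
# All domains and records below are constructed samples on reserved example names.
ROLLOUT = [
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",               # monitor only
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com",  # partial enforcement
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",              # block everything that fails
]

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags["pct"] = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    return tags

def aligned(from_domain, auth_domain):
    """Simplified relaxed alignment: identical, or one is a subdomain of the other.
    Real receivers compare organizational domains using a public suffix list."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a or f.endswith("." + a) or a.endswith("." + f)

def disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain, sample=0):
    """Return 'deliver', 'quarantine' or 'reject' for one message.
    sample (0..99) stands in for the receiver's random draw against pct."""
    policy = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain)
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain)
    if spf_ok or dkim_ok:        # one mechanism must both pass and align
        return "deliver"
    if policy["p"] == "none":    # failure is reported, no action requested
        return "deliver"
    if sample >= policy["pct"]:  # outside the sampled share: next-lower policy applies
        return "quarantine" if policy["p"] == "reject" else "deliver"
    return policy["p"]

def spoof_outcomes(sample):
    """From: example.com, but SPF passes only for the sending host's own domain."""
    return [disposition(r, "example.com", True, "mailer.example.net", False, "", sample)
            for r in ROLLOUT]

if __name__ == "__main__":
    print(spoof_outcomes(10), spoof_outcomes(80))
```
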

Written by John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.

4 Comments

  1. Matt · February 15, 2013

    DMARC looks really promising. It’s too early to know if it will make miracles in the battle against spam but the early reports are very encouraging. Let’s hope more webmasters will adopt it - this will make a difference and will increase its efficiency.

  2. Cesar Aguas · February 18, 2013

    I agree with you, Matt. It’s quite early for them to toot their horns, but let’s give credit to whom it is due, especially since the battle with spam has been happening for a very long time now with no definite indication on when it’s going to end. Hopefully with systems such as this in place, spammers will be having a hard time and continue losing money until such point they realize it is already such a futile business. We definitely need systems that are fast and easy to deploy by any webmaster. I’m crossing fingers this is the answer.

  3. Orlando · February 20, 2013

    I wonder how much this is going to cost and how easy this is going to be for business owners and IT administrators. I know that one of the reasons why there are still a lot of marketers and business owners who cannot fight off spam is because they don’t have the money for it. You definitely have to shell out a fortune if you want your systems protected, which is very sad. I should know because I run a program and maintain an IT ad. Let me tell you these two are not cheap, but I have no other choice.

  4. Noel P. · June 2, 2013

    @Orlando: Yes, I have to agree. If you want your systems to be totally protected, you have to be willing to spend some serious dollars. I guess what we should keep in mind, though, is that we’re investing in something that’ll keep us secure and safe for a long time. If we see it this way, I’m sure the expenses won’t weigh you down that much.

    @Matt: I agree. It’s still too early to tell if DMARC will create miracles. But at least our webmasters will now have something to use for the battle against spam. There’s always room for improvement, anyway.
