A technology that’s been actively deployed for just over a year has been rapidly adopted across the globe by organizations wanting to ward off phishing attacks.
DMARC — Domain-based Message Authentication, Reporting & Conformance — is an email specification designed to work with two popular email authentication methods, SPF and DKIM.
The Sender Policy Framework (SPF) authenticates where an email originates by comparing the sending IP address to a list of valid IP addresses published by the domain owner in the Domain Name System. If a message arrives at a mail exchange saying it’s from a certain domain, but the IP address it came from doesn’t correspond to the addresses in the SPF record for that domain, the message is bounced.
DomainKeys Identified Mail (DKIM) ensures a message’s origin by attaching a cryptographic digital signature that associates the message with a domain. That signature can be verified at any point in the message’s path to its destination.
When it gets to its destination, the receiving system can determine what to do with the message based on the reputation of the signature’s owner. If the owner has a good reputation, it will probably deliver the message without a lot of hassle. If a reputation is tarnished, closer scrutiny of the message may be in order.
Neither SPF nor DKIM is perfect at what it does, but with DMARC their effectiveness can be significantly increased. That’s why, since its introduction, the technology has been deployed to protect billions of mailboxes.
According to DMARC.org — the collaborative behind the technology which includes Google, Microsoft, AOL and Yahoo — almost two-thirds of all consumer mailboxes in the world — some 3.3 billion of them — are protected by DMARC.
“DMARC is a testimony to private sector and market-driven collaboration to combat a real problem on the Internet,” Trent Adams, chair of DMARC.org and senior policy advisor at PayPal, said in a statement.
Mailbox managers aren’t the only big players embracing DMARC. Large email senders have welcomed the technology, too. DMARC.org says that 10 of the top 20 domains belonging to the largest email senders have implemented DMARC.
DMARC-enabled mail providers and senders made a measurable impact on email volumes during the holiday season in 2012. Mailbox providers alone rejected 375 million email messages in November and December because they failed a DMARC authentication check.
One of the world’s largest senders of email on the Net — Facebook — has high praise for DMARC. According to Michael Adkins, messaging engineer for Facebook, the company has been able to reduce the security staff needed to oversee its email operations.
“DMARC’s powerful controls protect over 85 percent of our users from fraudulent email that claims to be from Facebook, and that’s after just one year,” Adkins noted. “Add in the visibility and insight provided by DMARC’s reporting features and a very small team can have a huge impact on phishing.”
DMARC.org recommends that organizations interested in adopting the technology do so in small steps. The first step is to successfully deploy DKIM and SPF. Once that’s done, DMARC anti-phishing policies can be applied incrementally until the point is reached where email providers can be instructed to block all email exploiting the organization’s domain.
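The staged rollout described above, as an added example that is not code from the article or from DMARC.org: a minimal evaluator that parses a DMARC TXT record, checks whether a passing SPF or DKIM result is aligned with the header From domain, and otherwise returns the action named by the p= tag, so the same spoofed message can be seen moving from p=none to p=quarantine to p=reject. It assumes a simplified organizational-domain rule (last two labels) and ignores the pct= and sp= tags.

```python
from dataclasses import dataclass

@dataclass
class AuthResult:
    method: str   # "spf" or "dkim"
    domain: str   # SPF: MAIL FROM domain that was checked; DKIM: the d= tag
    passed: bool  # whether the underlying SPF/DKIM check succeeded

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'.
    Relaxed alignment (r) is the default for both adkim and aspf."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: " + txt)
    return tags

def org_domain(domain):
    # Simplification for this example: take the last two labels. Real
    # receivers derive the organizational domain from the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed mode needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain, record_txt, results):
    """Return 'pass' if any passing SPF/DKIM result is aligned with the
    header From domain; otherwise return the action named by the p= tag."""
    tags = parse_dmarc(record_txt)
    for r in results:
        mode = tags["aspf"] if r.method == "spf" else tags["adkim"]
        if r.passed and aligned(r.domain, from_domain, mode):
            return "pass"
    return tags["p"]

if __name__ == "__main__":
    # Constructed example: a message claiming to be From: example.com, with a
    # passing SPF check for an unrelated sending domain and no DKIM signature.
    spoof = [AuthResult("spf", "mailer.notexample.net", True)]
    for stage in ("v=DMARC1; p=none", "v=DMARC1; p=quarantine", "v=DMARC1; p=reject"):
        print(stage, "->", dmarc_disposition("example.com", stage, spoof))
```

The p=none stage is where the reporting data mentioned in the article is gathered: the receiver still delivers the message but reports the failure, so legitimate but unaligned mail streams can be fixed before moving to quarantine or reject.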