Can industry heavyweights Google, PayPal, Microsoft and AOL — along with 11 others in high-tech such as Facebook and LinkedIn, as well as the financial world’s Bank of America and Fidelity Investments — succeed in stopping phishing attacks right in their tracks? In uniting behind an effort called DMARC.org unveiled today, the group says it can through policy-based steps filter out spoofed email that attackers use for phishing.
“Whether you are an enterprise or offering a consumer service, you can apply this policy now,” says Brett McDowell, senior manager of customer security initiatives at PayPal, who is chairman of the organization DMARC, which stands for “Domain-based Message Authentication, Reporting and Conformance.” The DMARC.org site today published guidelines and the specification for its technology, which makes use of the well-known standards Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), two basic approaches widely used today for authenticating email.
What DMARC adds is a policy-based framework of actions and reporting that email providers will follow to act on instructions from enterprise email managers to identify or even block spoofed mail exploiting any enterprise domain name. “We came together to produce a new standard, not a new technology,” says McDowell. “This leverages SPF and DKIM, and it puts an end to spoofing, the most common form of email abuse.”
Making use of the DMARC technology is as simple as asserting the protection policy that you, as the email manager, want enforced on behalf of your company, through a text record in DNS, says McDowell. According to the DMARC guidelines, these will include choices related to a domain name such as putting spoofed mail into a spam folder; throwing the spoofed mail away; or quarantining it. For those getting familiar with the whole DMARC concept, the decision could be made to simply ask for the identification of spoofed email without taking any other action. But DMARC backers say they have spent more than a year developing and testing the filtering technology, and that false positives are a rarity.
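To make the DNS-record step concrete, here is an added example (not from the article or from DMARC.org) that parses a DMARC policy record as a domain owner would publish it in a TXT record and works out what a receiving mail server is being asked to do. The tag names (`v`, `p`, `rua`, `pct`) are the ones DMARC defines; the record values and domain names are constructed placeholders, and the simplified disposition logic (pass if either an aligned DKIM or an aligned SPF check passes, otherwise apply `p=`) is an assumption of this example rather than a full implementation of the specification.

```python
"""Parse a DMARC TXT record and derive the receiver-side action it requests.

Added illustration, not code from the article or from DMARC.org. Records and
domains below are constructed samples.
"""

# The three actions a domain owner can request in the p= tag.
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=...; rua=...' into a tag dict.

    Returns None when the record is not a usable DMARC record: it must carry
    v=DMARC1 and a p= tag with one of the defined policy values.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None  # malformed tag, treat the whole record as unusable
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in VALID_POLICIES:
        return None
    return tags


def report_addresses(tags):
    """Return mailbox addresses from the rua= tag (comma-separated mailto: URIs).

    An optional '!size' suffix on a URI is a report-size limit, not part of
    the address, so it is stripped.
    """
    addrs = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            addrs.append(uri[len("mailto:"):].split("!")[0])
    return addrs


def dmarc_disposition(tags, dkim_aligned_pass, spf_aligned_pass):
    """Simplified receiver decision (assumption of this example).

    A message passes DMARC if either aligned mechanism passes; otherwise the
    receiver applies the policy the domain owner published in p=.
    """
    if dkim_aligned_pass or spf_aligned_pass:
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    # Constructed sample: the domain owner asks for failing mail to be
    # quarantined and for aggregate reports to be mailed to a mailbox.
    sample = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100"
    tags = parse_dmarc_record(sample)
    print("policy:", tags["p"])
    print("report to:", report_addresses(tags))
    print("spoofed (both fail):", dmarc_disposition(tags, False, False))
    print("authenticated (DKIM ok):", dmarc_disposition(tags, True, False))
```

A record with `p=none` is the monitoring mode the article describes: receivers still send reports, but take no action on failing mail, which is how an organisation sees who is sending as its domain before moving to `quarantine` or `reject`.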
Reports about DMARC-based actions would be delivered in XML format for purposes of interoperability, and the report data would be about the domain name under care, in a bare-bones form that doesn’t include any email content, says McDowell. “It’s anonymized and aggregated,” says McDowell. He says DMARC is taking care to be mindful of privacy issues.
Enterprises may want to take a do-it-yourself approach to DMARC implementation. But two services, Agari and Return Path, both of which participated in the DMARC effort, now offer support for it.
At a price said to start at a few thousand dollars per month, Agari, for example, would aggregate the XML-based files each day, which might be tens of megabytes of data, and analyze it for evidence of misuse of domain names. Agari CEO Patrick Peterson says the service can analyze DMARC data to answer, “What are the bad guys doing? Are they pretending to be you? Here is a bunch of mail purporting to be from you, but is it?” He notes there are instances where there is legitimate third-party use of your domain for email in contract arrangements.