Web giants Microsoft, Facebook, Google and Yahoo have formed the technical working group, Domain-based Message Authentication, Reporting and Conformance (DMARC). This new coalition will fight against email spam and phishing attacks.
Tired of receiving email after email offering you Viagra at a low price, or messages from scammers pretending to be your bank and asking for your private information because it is supposedly conducting account updates? Well, so are the giants of the Internet and financial institutions.
Internet firms Google, PayPal, Microsoft, Yahoo, Facebook, LinkedIn, AOL and others will collaborate with financial institutions, like Bank of America and Fidelity Investments, to create an alternative approach to fight against email spam, online scams and phishing attacks.
The group announced the formation of DMARC.org, named for Domain-based Message Authentication, Reporting and Conformance (DMARC). It says it can stop the aforementioned attacks through policy-based steps to filter out spam.
This would be done by using two authentication technologies, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), which have seen little adoption; PayPal is one company that uses both SPF and DKIM to fight phishing.
“A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes - such as junk or reject the message,” the website states.
“DMARC removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.”
For example, if an email provider, such as Yahoo or Hotmail, receives an email claiming to come from PayPal that does not pass SPF or DKIM, then it is not delivered to the intended recipient. Unfortunately, if spoofed PayPal emails are sent to other email providers, they will indeed be delivered.
“DMARC is designed to fit into an organization's existing inbound email authentication process. The way it works is to help email receivers determine if the purported message "aligns" with what the receiver knows about the sender,” writes DMARC.org.
“If not, DMARC includes guidance on how to handle the "non-aligned" messages. For example, assuming that a receiver deploys SPF and DKIM, plus its own spam filters.”
Despite this approach, industry experts suggest that the leading innovators should evolve the system because eventually scammers and cyber criminals will learn how to thwart the DMARC filters.