DMARC anti-phishing technology gains acceptance

A technology aimed at blunting phishing attacks on organizations appears to be finally gaining steam a year after its introduction.

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a security framework that offers a way to identify phishing messages by standardizing how email receivers perform email authentication.

Although only a year old, the technology is already protecting 60% of the email boxes in the world -- and 80% of email boxes in the United States, according to Agari, an email security company. Agari was one of the founding companies behind DMARC, along with Google, Microsoft, Facebook, Bank of America and JP Morgan Chase.

As with any new technology, particularly something that affects email, acceptance can be a hurdle. But it's one DMARC is poised to leap over, according to Agari founder and CEO Patrick Peterson.

"We are at escape velocity," he said in an interview. "When we started, people said they thought it was an interesting idea, but wondered if it was going to be one of these things you hear about and nothing ever comes of it. That's not going to happen."

[See also: Yahoo implements latest antispam defense]

In addition to making significant inroads with mailbox providers, DMARC has gained acceptance among email senders, said Trent Adams, chairman of and senior policy advisor at PayPal.

Half of the top 20 email senders have implemented DMARC, he said. "That may not sound like a lot, but if you look at it by volume, the vast, vast majority of email sent over the wire is by the top 20 senders," Adams said.

Another sign that DMARC is gaining traction is the number of Internet domains that have adopted the technology in the last year, even though they weren't among the core supporters of the framework. That group includes 60% of top 20 domains now using DMARC. "That shows adoption beyond the group of folks that came into this knowing this was a good solution," Adams said.

When DMARC was introduced, it was seen as a bridge between two competing email authentication schemes -- Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

SPF authenticates where an email originates by comparing its IP address to a list of valid IP addresses submitted by the domain owner to the Domain Name System. If a message arrives at a mail exchange saying it's from a certain domain, but the IP address where it came from doesn't correspond to the addresses in the SPF record for that domain, the message is bounced.

DKIM insures a message's origin by attaching a cryptographic digital signature to it that associates a message to a domain. That signature can be reviewed at any point in the message's path to its destination.

When it gets to its destination, the receiving system can determine what to do with the message based on the reputation of the signature's owner. If the owner has a good reputation, it will probably deliver the message. If a reputation is tarnished, closer scrutiny of the message may follow.

"If you take the two in combination, there are times when one or the other will fail, but they don't fail simultaneously," Adams said. "So we added the DMARC layer on top that looks down at those two authentication technologies and if both fail, that trips a DMARC failure, and it tells the receiver definitively that this an unauthenticated message."

Despite claims by DMARC's supporters that it will have a significant impact on phishing campaigns, skeptics remain.

"It would put a big dent in phishing if everyone adopted it," Dave Jevans, chairman of the Anti-Phishing Work Group said. "The problem is adoption, not the technology. Adoption has always been the problem.

"There are millions of mail servers out there, and all of them will never support it," he said.

Read more about social networking security in CSOonline's Social Networking Security section.

Join the CSO newsletter!

Error: Please check your email address.

Tags anti-phishingapplicationsData Protection | Social Networking SecuritysoftwareAnti-Phishing Working Groupdata protectionFacebookDMARCYahooBank of AmericaGoogleMicrosoftsecurity

More about FacebookGoogleJP MorganMicrosoftMorganPayPalYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John P. Mello Jr.

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place