DMARC anti-phishing technology gains acceptance

A technology aimed at blunting phishing attacks on organizations appears to be finally gaining steam a year after its introduction.

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a security framework that offers a way to identify phishing messages by standardizing how email receivers perform email authentication.

Although only a year old, the technology is already protecting 60% of the email boxes in the world -- and 80% of email boxes in the United States, according to Agari, an email security company. Agari was one of the founding companies behind DMARC, along with Google, Microsoft, Facebook, Bank of America and JP Morgan Chase.

As with any new technology, particularly something that affects email, acceptance can be a hurdle. But it's one DMARC is poised to leap over, according to Agari founder and CEO Patrick Peterson.

"We are at escape velocity," he said in an interview. "When we started, people said they thought it was an interesting idea, but wondered if it was going to be one of these things you hear about and nothing ever comes of it. That's not going to happen."

[See also: Yahoo implements latest antispam defense]

In addition to making significant inroads with mailbox providers, DMARC has gained acceptance among email senders, said Trent Adams, chairman of and senior policy advisor at PayPal.

Half of the top 20 email senders have implemented DMARC, he said. "That may not sound like a lot, but if you look at it by volume, the vast, vast majority of email sent over the wire is by the top 20 senders," Adams said.

Another sign that DMARC is gaining traction is the number of Internet domains that have adopted the technology in the last year, even though they weren't among the core supporters of the framework. That group includes 60% of top 20 domains now using DMARC. "That shows adoption beyond the group of folks that came into this knowing this was a good solution," Adams said.

When DMARC was introduced, it was seen as a bridge between two competing email authentication schemes -- Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

SPF authenticates where an email originates by comparing its IP address to a list of valid IP addresses submitted by the domain owner to the Domain Name System. If a message arrives at a mail exchange saying it's from a certain domain, but the IP address where it came from doesn't correspond to the addresses in the SPF record for that domain, the message is bounced.

DKIM insures a message's origin by attaching a cryptographic digital signature to it that associates a message to a domain. That signature can be reviewed at any point in the message's path to its destination.

When it gets to its destination, the receiving system can determine what to do with the message based on the reputation of the signature's owner. If the owner has a good reputation, it will probably deliver the message. If a reputation is tarnished, closer scrutiny of the message may follow.

"If you take the two in combination, there are times when one or the other will fail, but they don't fail simultaneously," Adams said. "So we added the DMARC layer on top that looks down at those two authentication technologies and if both fail, that trips a DMARC failure, and it tells the receiver definitively that this an unauthenticated message."

Despite claims by DMARC's supporters that it will have a significant impact on phishing campaigns, skeptics remain.

"It would put a big dent in phishing if everyone adopted it," Dave Jevans, chairman of the Anti-Phishing Work Group said. "The problem is adoption, not the technology. Adoption has always been the problem.

"There are millions of mail servers out there, and all of them will never support it," he said.

Read more about social networking security in CSOonline's Social Networking Security section.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags MicrosoftGoogleFacebooksoftwaredata protectionapplicationsYahooData Protection | Social Networking SecurityBank of AmericaAnti-Phishing Working GroupDMARCanti-phishing

More about FacebookGoogleJP MorganMicrosoftMorganPayPalYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John P. Mello Jr.

Latest Videos

More videos

Blog Posts