Some 300 billion emails circulate each day, but they still can't escape a fundamental flaw – that users who receive these messages can't be certain who sent them. This underlying weakness has led to phishing and spam being persistent threats on the web for many years.
But the age-old quest for accountability in digital communication has a new champion: Domain-Based Message Authentication, Reporting and Conformance (DMARC), a new specification whose creators hope soon will be adopted by the Internet Engineering Task Force (IETF).
DMARC has a few things working in its favor that past authentication attempts didn't. For one, it is not a standalone protocol, but one that works in concert with popular security methods already adopted: DomainKeys Identified Mail (DKIM), a technique that associates a domain name to an email message, and Sender Policy Framework (SPF), which detects spoofing.“DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms,” according to the group. “This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo and any other email receiver implementing DMARC.”
Second, DMARC has some muscle behind it. Not only are the major email providers behind the system, but so are some of the most digitally abused brands, such as PayPal. And third, DMARC gets away from the traditional approach of blacklisting.“DMARC gives us an ability not just to guess if that message is good or bad, but to actually know whether it came from a legitimate organization,” said Patrick Peterson, founding member of DMARC and CEO of email security firm Agari.DMARC uses DKIM and SPF to vet, at the domain level, the trustworthiness of emails. Email providers can then, through their own policy and through user preferences, get as granular as they wish. That may mean simply monitoring unauthenticated messages all the way to outright blocking them.
The specification also allows senders to publicize their email handling practices, while receivers can offer feedback.Critics of DMARC argue that as long as people are involved in the process, users still will fall for phishing and spam.
“Humans don't work the way technology works, they work the way humans work,” said Joseph Steinberg, CEO at Green Armor Solutions, an authentication vendor.