• United States



by John P Mello Jr

DMARC anti-phishing technology gains acceptance

Feb 06, 20134 mins
Application SecurityMalwareSecurity

The security framework for email has something to celebrate on its one-year anniversary

A technology aimed at blunting phishing attacks on organizations appears to be finally gaining steam a year after its introduction.

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a security framework that offers a way to identify phishing messages by standardizing how email receivers perform email authentication.

Although only a year old, the technology is already protecting 60% of the email boxes in the world — and 80% of email boxes in the United States, according to Agari, an email security company. Agari was one of the founding companies behind DMARC, along with Google, Microsoft, Facebook, Bank of America and JP Morgan Chase.

As with any new technology, particularly something that affects email, acceptance can be a hurdle. But it’s one DMARC is poised to leap over, according to Agari founder and CEO Patrick Peterson.

“We are at escape velocity,” he said in an interview. “When we started, people said they thought it was an interesting idea, but wondered if it was going to be one of these things you hear about and nothing ever comes of it. That’s not going to happen.”

[See also: Yahoo implements latest antispam defense]

In addition to making significant inroads with mailbox providers, DMARC has gained acceptance among email senders, said Trent Adams, chairman of and senior policy advisor at PayPal.

Half of the top 20 email senders have implemented DMARC, he said. “That may not sound like a lot, but if you look at it by volume, the vast, vast majority of email sent over the wire is by the top 20 senders,” Adams said.

Another sign that DMARC is gaining traction is the number of Internet domains that have adopted the technology in the last year, even though they weren’t among the core supporters of the framework. That group includes 60% of top 20 domains now using DMARC. “That shows adoption beyond the group of folks that came into this knowing this was a good solution,” Adams said.

When DMARC was introduced, it was seen as a bridge between two competing email authentication schemes — Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

SPF authenticates where an email originates by comparing its IP address to a list of valid IP addresses submitted by the domain owner to the Domain Name System. If a message arrives at a mail exchange saying it’s from a certain domain, but the IP address where it came from doesn’t correspond to the addresses in the SPF record for that domain, the message is bounced.

DKIM insures a message’s origin by attaching a cryptographic digital signature to it that associates a message to a domain. That signature can be reviewed at any point in the message’s path to its destination.

When it gets to its destination, the receiving system can determine what to do with the message based on the reputation of the signature’s owner. If the owner has a good reputation, it will probably deliver the message. If a reputation is tarnished, closer scrutiny of the message may follow.

“If you take the two in combination, there are times when one or the other will fail, but they don’t fail simultaneously,” Adams said. “So we added the DMARC layer on top that looks down at those two authentication technologies and if both fail, that trips a DMARC failure, and it tells the receiver definitively that this an unauthenticated message.”

Despite claims by DMARC’s supporters that it will have a significant impact on phishing campaigns, skeptics remain.

“It would put a big dent in phishing if everyone adopted it,” Dave Jevans, chairman of the Anti-Phishing Work Group said. “The problem is adoption, not the technology. Adoption has always been the problem.

“There are millions of mail servers out there, and all of them will never support it,” he said.