Email spam has been a problem for even longer than commercial activity has been permitted on the Internet, and thanks to botnet operators, scammers, and outright cybercriminals, spam has ballooned to account for the vast majority of all email. Although antispam technologies and filters have improved considerably over the years, and there have been some notable victories, like the takedown of the Rustock botnet last year, email operators and end users are always playing catch-up to the spammers, who keep finding new ways to get a few messages into people's inboxes.
A new email authentication framework backed by the likes of Microsoft, Google, AOL, Yahoo, and Facebook looks to put an end to that—or, at least, some of that. The new Domain-based Message Authentication, Reporting & Conformance (DMARC) specification aims to make it easier for a receiving server to verify whether a message really comes from the domain it claims to. The DMARC spec has been in the works for over 18 months, and now the DMARC organization has taken the wraps off it in preparation for proposing it to the IETF as an Internet standard. Members of the DMARC group include major email providers like Yahoo, Google, and Microsoft, security companies like eCert, Agari, and Cloudmark, as well as members of the financial community like PayPal, Bank of America, and Fidelity Investments.
As most Internet users know, there's nothing secure about plain-jane email: anyone can put any address they like into the "from" line of a message to make it appear to be from someone else. Spammers, and particularly phishers, abuse this lack of security, crafting messages that appear to be legitimate in an effort to get users to click a link (which more than likely leads to a malware or scareware site) or to divulge personal information like passwords, birth dates, and account numbers, which are then used for identity theft.
The DMARC spec builds on previous authentication mechanisms like Sender ID, SPF, and DKIM and aims to provide an easy-to-implement standard that augments SPF and DKIM. Both SPF and DKIM validate whether mail from a particular domain (not a particular user) is legitimate, though they do it differently: SPF checks whether the server handing over the message is one the domain in the envelope sender has listed in DNS as permitted to send its mail, while DKIM checks a cryptographic signature on the message against a public key that the signing domain publishes in DNS. So if a machine at example.com wants to deliver a message that claims to be from yahoo.com, either SPF or DKIM can be used to determine whether Yahoo lets example.com deliver mail on its behalf. If so, great, the message will be accepted. If not, neither mechanism says what should happen next, and the receiving server has to make its own decision about whether to treat the message as legitimate.
Without a standard, major email senders and providers have had to work out individual arrangements with each other to verify messages, report problems, and attempt to block fraudulent mail before it reaches users—often with the result that legitimate (but unauthenticated) mail gets rejected. DMARC aims to improve on that with a single specification that builds on both SPF and DKIM and adds a standard feedback channel (aggregate and failure reports sent to addresses the domain owner publishes in DNS) so that site operators can more easily identify problems with email delivery or reception.
Supporting both SPF and DKIM means email operators can use whichever mechanism makes the most sense for them, or both. SPF is the easier of the two to implement: a domain publishes the list of hosts allowed to send its mail as a TXT record in DNS. That's manageable for simple setups but doesn't always scale well for complex operators, since the record is limited to ten DNS lookups and SPF breaks whenever mail is forwarded through a host the record doesn't list. DKIM, conversely, relies on cryptographic verification: the sending system signs each message with a private key and publishes the matching public key in DNS. It's harder to set up, but it's easier to scale for truly massive email operators and the signature survives forwarding as long as the message isn't modified in transit.
The proposed DMARC standard is explicitly aimed at phishing and making it much harder for scammers to get legitimate-looking email into inboxes in an effort to get people to reveal information or click links to malicious sites—and that's one reason the financial community is interested in the technology. Its main addition to SPF and DKIM is an "alignment" requirement: the domain in the visible "from" line must match the domain that SPF or DKIM actually authenticated, and the owner of that domain can publish a policy telling receivers whether unaligned mail should be delivered, quarantined, or rejected. That closes the gap where a phisher passes SPF for a throwaway domain while the "from" line shows a bank. What DMARC cannot vouch for is the display name in front of the address, the individual user in the address, lookalike domains the attacker legitimately controls, or domains that haven't published a policy at all—so "from" lines still deserve a grain of salt.
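To make the alignment rule and the SPF-versus-DKIM difference described above concrete, here is an added example of my own; it is not code from the DMARC group or from any of the companies named on this page. It evaluates a DMARC policy the way a receiving server would after SPF and DKIM have already run. The DNS records, domains and addresses in it are constructed sample data; the organizational-domain rule is simplified to "the last two labels" where a real implementation would consult the Public Suffix List, and the pct tag is ignored.

```python
"""Added example: DMARC alignment and policy evaluation on a receiving server.

SPF and DKIM each vouch for *some* domain (the envelope sender's domain for
SPF, the d= signing domain for DKIM).  DMARC's contribution is to require
that one of those authenticated domains "aligns" with the domain in the
visible From: header, and to let the From: domain's owner publish what to do
when it does not.  All records and domains below are constructed sample data.
"""
from email.utils import parseaddr

# Constructed sample DNS TXT records (hypothetical, not real domains' data).
DMARC_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=s; rua=mailto:dmarc-rua@example.com",
    "_dmarc.example.net": "v=DMARC1; p=quarantine",
}


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict, applying the spec's defaults
    (relaxed alignment for both identifiers, policy 'none')."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain):
    """Simplification: the organizational domain is the last two labels.
    A real receiver uses the Public Suffix List so that e.g. co.uk works."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts
    any subdomain of the same organizational domain."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def from_domain_of(from_header):
    """Domain of the address in From:. The display name is deliberately
    ignored, which is exactly why it remains forgeable."""
    addr = parseaddr(from_header)[1]
    return addr.rpartition("@")[2].lower()


def lookup_policy(from_domain, records=DMARC_RECORDS):
    """Look up _dmarc.<from-domain>, then fall back to the organizational
    domain as the spec directs. Returns the parsed record or None."""
    for name in ("_dmarc." + from_domain, "_dmarc." + org_domain(from_domain)):
        if name in records:
            return parse_dmarc(records[name])
    return None


def evaluate(from_header, spf=None, dkim=None, records=DMARC_RECORDS):
    """spf:  (envelope-sender domain, result) or None
       dkim: (d= signing domain, result) or None
    Returns (dmarc_result, disposition). dmarc_result is True/False, or None
    when the From: domain publishes no policy (nothing to enforce)."""
    from_domain = from_domain_of(from_header)
    policy = lookup_policy(from_domain, records)
    if policy is None:
        return (None, "none")
    spf_ok = (spf is not None and spf[1] == "pass"
              and aligned(from_domain, spf[0], policy["aspf"]))
    dkim_ok = (dkim is not None and dkim[1] == "pass"
               and aligned(from_domain, dkim[0], policy["adkim"]))
    if spf_ok or dkim_ok:
        return (True, "none")
    return (False, policy["p"])


if __name__ == "__main__":
    cases = [
        # Phisher's server passes SPF for its own domain, but From: claims example.com
        ("Example Bank <alerts@example.com>", ("phish-host.example", "pass"), None),
        # Outsourced sender uses mail.example.com in the envelope; aspf=s rejects that...
        ("alerts@example.com", ("mail.example.com", "pass"), None),
        # ...but a DKIM signature from example.com itself aligns (adkim=r)
        ("alerts@example.com", ("mail.example.com", "pass"), ("example.com", "pass")),
        # Subdomain with no record of its own inherits example.net's policy; relaxed SPF aligns
        ("news@mail.example.net", ("bounce.example.net", "pass"), None),
        # Display name says "PayPal" but the domain publishes no DMARC record: DMARC is silent
        ("PayPal <service@attacker.example>", ("attacker.example", "pass"), ("attacker.example", "pass")),
    ]
    for from_header, spf, dkim in cases:
        print("%-40s -> %s" % (from_header, evaluate(from_header, spf, dkim)))
```

The last two cases are the practitioner's caveats: a subdomain falls back to the organizational domain's policy, so one published record covers the whole organization, while a lookalike or attacker-owned domain with no record yields no verdict at all, and the display name never enters the evaluation.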