Email Domain Protection Effort Gains Traction

Published: 22/11/2024   Category: security




Phishing and email domain abuse prevention specification DMARC marks year one with widespread adoption



An industry effort to protect corporate brands from email domain spoofing has been adopted by Google, Yahoo, AOL, and Microsoft, as well as major Russian and Chinese email providers in the past year, bringing the trusted email standard Domain-based Message Authentication, Reporting & Conformance (DMARC) to 60 percent of email users worldwide and 80 percent of U.S. consumers.
The year-old DMARC initiative, which was spearheaded by a group of 15 companies, including Google, Microsoft, Facebook, the Bank of America, and PayPal, aims to fill a major security gap in email with a specification for curbing phishing and other abuse of legitimate email domains. It basically establishes a standard way for email providers and email domain owners to catch and handle messages with spoofed domains.
Some of the most convincing phishing attacks originate from spoofed email domains of legit companies or organizations. Google, Facebook, AOL, Hotmail, PayPal, Yahoo, and LinkedIn are among the major players using DMARC to guard their email domains from spoofing, and Russia's mail.ru and China's NetEase all have deployed DMARC. Some 80 percent of consumer inboxes are protected by DMARC today, according to DMARC.org, which is nearly 2 billion email accounts worldwide.
Another stat released today by DMARC.org: More than 325 million emails were rejected using the technology in November and December 2012 alone because they didn't authenticate, and some 49 million of those messages came from highly phished domains.
Half of the top 20 email sender domains now publish a DMARC policy. About 60 percent of those domains are not DMARC.org members, and 70 percent of those domains include a policy for email receivers to take action against spoofed messages.
Trent Adams, chair of DMARC.org and PayPal's senior policy adviser for its ecosystems payment group, says DMARC is all about a community effort in quashing email abuse and threats. "We're really cognizant that DMARC is an ecosystem story: It's not just one sector needing to do something," Adams says. It empowers email providers to take definitive action against spoofed messages, as well, he says.
DMARC picks up where email authentication standards leave off. It provides a standard for how email receivers deploy two email authentication standards: Sender Policy Framework (SPF), which validates email by verifying the sender's IP address (email administrators basically specify which hosts can send email from their domains), and DomainKeys Identified Mail (DKIM), which uses cryptographic authentication and the reputation of an organization to verify trust for a message. DMARC lets the domain owner control who uses the domain via registration and authentication, and detect and respond to abuse.
Facebook messaging engineer Michael Adkins says large and small domains from various vertical markets are adopting DMARC. "I've been working on email-related abuse issues for close to 10 years now. The standards, [such as] DKIM, sort of sit there and nothing happens," Adkins says. "But with DMARC, this is the end of a very long road for a lot of people in the industry. We're finally seeing everything click into place with email security standards now," he says.
Aside from Bank of America, Facebook, Google, PayPal, and Hotmail, among the companies that use DMARC are Amazon, American Greetings, Apple, Bank of America, Blizzard Entertainment, Booking.com, eBay, Facebook, FedEx, Fidelity Investments, Google, Groupon, JP Morgan Chase, LinkedIn, LivingSocial, Netflix, PayPal, Tagged, Twitter, Western Union, Yelp, YouTube, and Zynga.