New Industry Alliance Targets Phishing And SpamNew Industry Alliance Targets Phishing And Spam

A new industry consortium is attempting to advance the slow-moving state of the art in email security. Domain-based Message Authentication, Reporting & Conformance--DMARC--is a specification that builds on the two legacy techniques for email authentication: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

The DMARC spec creates a set of wrapper specifications and procedures around SPF and DKIM, both of which have been around for many years. The goal is both to make them easier to work with on the recipient side, and to press large email senders to sign 100% of their outbound email.

Both SPF and DKIM use the DNS records of the sending party to store information that the receiver can use to verify that the sender is actually sending from that domain. So where a phishing email appears to be "From: [email protected]", DKIM and SPF would detect that it wasn't actually sent from the servers in those domains.

DMARC calls on email senders to sign 100% of their outbound email and to include email headers that more clearly indicate the domain of the signer. Recipients also can more easily report domain spoofs to the legitimate senders.

I asked John Levine, an author and consultant on Internet security and one of the authors of the DKIM-related Author Domain Signing Practices (ADSP) standard about DMARC. He says it's a good thing as far as it goes, but "...it does have some of the chronic Internet tendency to put a steel door on a cardboard box." Like many security standards that are not mandatory, if it's not implemented then it won't fail. Neither DKIM nor SPF are at the point where a recipient can say that they will only accept messages that use them. Therefore you still need to keep your eyes open.

Consider the example of Bank of America, a member of DMARC and a prime phishing target. BofA has bought up a large number of Internet domains suggestive of its bank name or typos of the name (such as 1800thebofa.com, bancofamerica.com, wwwbankamerica.com). However, the total number of potential domains is very, very large. For instance, BofA does not own wwwbankfoamerica.com. So if a phishing email comes to you from [email protected], it won't fail an SPF or DKIM check because it won't use those features.

Or maybe SPF, DKIM, or both will kick in--but the email still won't be suspect because the phisher controls the DNS server and puts proper information in it.

So email security has advanced a little bit and it's easier for organizations to follow best practices, but the real problem is that these practices are still just recommendations. Until recipients can require inbound mail to be signed and do a reasonable reputation check on the sending domain, protection through DMARC will be far less effective than it might.