Industry heavyweights including Google, Facebook, Microsoft, Yahoo, and several others are joining forces to combat phishing and make email more trustworthy. Forming an initiative called DMARC – short for Domain-based Message Authentication, Reporting and Conformance – their aim is to establish new email standards that would prevent fake messages from reaching users' inboxes.
The DMARC.org site today published the set of specifications on which this new effort is based, including the existing Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Both are common mail security protocols. SPF allows domain owners to specify which hosts are allowed to send email for their domains, while DKIM lets a receiving server verify the domain a message was sent through by checking its cryptographic signature.
DMARC isn't intended to replace existing security protocols, but rather tie them together in a common standard that will automate message authentication processes and reporting. Its success will depend on how widely this standard is adopted by both senders and email service providers. For starters, AOL, Gmail, Hotmail and Yahoo are part of the effort and they'll be able to authenticate messages from member companies including Bank of America, PayPal, Facebook, and LinkedIn so that fraudulent emails are filtered out.
Starting today, other companies small or large can adopt the new standard by registering with DMARC.org. Once they sign up, email senders will have a way of constantly communicating with email providers about which messages purporting to be from their domains should be allowed into inboxes and which should not. Companies would also get real-time reporting on how many emails purporting to be from their domains are sent each day, which IP addresses they are sent from, and other data to help attack the phishing problem.
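How a receiving mail server combines the SPF and DKIM results with the sender's published policy is the core of the mechanism described above. The following is an added illustration, not code from DMARC.org or any of the participating companies; the record, domains and reporting address are constructed sample values, and the organizational-domain check is simplified to the last two DNS labels rather than the Public Suffix List.

```python
"""Minimal DMARC policy evaluation (added example, RFC 7489 semantics).

Inputs: the domain owner's DMARC TXT record (a constructed sample below),
the visible From: domain, and the SPF / DKIM results the receiver already
computed. Assumption: organizational domain = last two labels (a
simplification; real implementations consult the Public Suffix List).
"""

# Constructed sample record, as a domain owner would publish it at
# _dmarc.bank.example: reject failures, strict DKIM alignment, relaxed SPF.
SAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@bank.example"


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return (dmarc_result, disposition).

    spf_pass_domain: domain SPF authenticated, or None if SPF did not pass.
    dkim_pass_domain: d= domain of a verified DKIM signature, or None.
    DMARC passes when either authenticated identifier aligns with From:.
    """
    tags = parse_dmarc_record(record)
    spf_ok = aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Neither identifier aligned: apply the owner's requested policy.
    return "fail", tags["p"]
```

A message that passes SPF for an unrelated domain still fails DMARC here, which is exactly the case that lets a receiver drop a spoofed From: address the way the article describes.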