Google, Facebook fight phishing with new specification

LONDON – Major Internet companies including Google, Microsoft, and Facebook have announced a new specification to streamline the way email providers work out whether messages are part of phishing attacks using spoofed domain addresses.

In testing for two years and called DMARC (Domain-based Message Authentication, Reporting & Conformance), the initiative is really an attempt to impose a single set of policies on the sometimes arbitrary way that companies separate the good email from the bad.

Almost a decade after the industry last set out to solve the problem with DomainKeys Identified Mail (DKIM) and Microsoft’s Sender Policy Framework (SPF, later called Sender ID), DMARC’s arrival is an acceptance that these have not been enough – phishing attacks, in which criminals impersonate the domains of well-known companies in order to get users to click on malicious links, remain a major scourge.

Conversely, large corporations such as banks are often unwilling to communicate by email at all lest it make consumers more likely to fall for phishing attacks.

Under DMARC, email hubs would use a protocol to communicate which email authentication technologies they were using, giving recipients a high degree of certainty as to an email’s provenance.

This sounds obvious, but many of today’s bulk email providers operate as security islands cut off from their peers: they secure outgoing email traffic without being able to trust what is incoming to their servers. Policies and algorithms for doing the latter vary.

Importantly, organisations whose domains are being impersonated as part of phishing attacks – that is to say almost every company of any size – never get to hear from their peers that this is happening.

By cementing trust between large email companies, DMARC hopes to slowly but surely drive spammers and phishing scammers away from their domains towards less convincing ones. It doesn’t mean, therefore, that phishing attacks will stop, merely that they will be easier to spot both for anti-spam filters and recipients.

“Industry groups come and go, and it’s not always easy to tell at the beginning which ones are actually going to generate good solutions,” admitted Adam Dawes of Google, one company that has been trialling DMARC for some time.

“When the right contributors come together to solve real problems, though, real things happen. That’s why we’re particularly optimistic about today’s announcement of,” he said.

Google already endorses the Domain assurance anti-phishing system from fellow DMARC member, Return Path, developed in parallel to the new specification as it emerged from a partnership between Google, Yahoo and PayPal five years ago.

A large part of DMARC’s success will depend on spreading it beyond the core of large companies currently endorsing it. ISPs also need to come on board, which will take time.

Other participants include Bank of America, PayPal, Yahoo, LinkedIn, Fidelity Investments, AOL, Agari and American Greetings as well as email security company CloudMark. Industry research group the Trusted Domain Project (TDP) completes the list.
