Yesterday, dmarc.org released the new DMARC standard for email. Contributors to the DMARC standard include Agari, American Greetings, AOL, Bank of America, Cloudmark, Comcast, Facebook, Fidelity Investments, Google, LinkedIn, Microsoft, PayPal, Return Path, TDP, and Yahoo!.
DMARC stands for “Domain-based Message Authentication, Reporting & Conformance.” DMARC provides important extensions to the existing email authentication standards by providing automated and standardized methods to process messages that fail email authentication. DMARC explains the significance of this enhancement:
A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.
Let’s look at an example. If a phisher spoofs “paypal.com”, the real email address of PayPal, the bad guy cannot send email from PayPal’s email servers. Because the bad guy can’t use the real email servers, the fake paypal.com email will fail authentication. Before DMARC, webmail services such as Hotmail, Yahoo! Mail, AOL, Mail and Gmail lacked a systematic way for senders to tell them what to do with emails that failed authentication. This is where DMARC comes into play. If PayPal is using DMARC, webmail providers will know that PayPal wants them to reject the fake “paypal.com” email.
Let’s look at another example. What does DMARC do if a phisher uses a deceptive email address instead of “paypal.com”? Consider the example of paypa1.com, where the last letter is really the number one instead of the letter el. Because the deceptive domain is not paypal.com, the deceptive domain is not governed by the authentication records of the paypal.com or the DMARC instructions for paypal.com. The authentication records and DMARC instructions for paypal.com govern only paypal.com and not the other hundreds of millions of domains that exist and will be created. DMARC will have no impact on paypa1.com emails.
While DMARC can deny bad guys the use of the actual domains of trusted senders, DMARC cannot stop bad guys from using domains that are not the actual domains of trusted senders. DMARC will not stop pay-pal.com, fasebook.com, or the myriad of other deceptive domains that bad guys will dream up. DMARC is useful because it:
- allows senders to specify handling policies about messages that fail authentication, and
- provides feedback that can help senders improve their authentication accuracy,
but it only addresses one of many doors that phishers use to get into the inbox.
To deal with all the doors leading to your inbox , you need more. You need a service that can distinguish real from fake for leading consumer brands, regardless of the methods that phishers use. You need eMail ID from Iconix.
Know Who. No Doubt. Use eMail ID.