Domain-based message authentication, reporting, and conformance (DMARC) is the technical standard developed by DMARC.org, a group of 15 email service and technology providers, to fight deceptive emails such as spam and phishing. DMARC.org members include Agari, American Greetings, AOL, Bank of America, Cloudmark, Comcast, Facebook, Fidelity Investments, Google, LinkedIn, Microsoft, PayPal, ReturnPath, TDP, and Yahoo.
“Email is a wonderful, magnificent thing that is used all the time, but it is completely insecure”, said Patrick Peterson, founder and chief executive officer of Agari. “It is clearly unacceptable to continue operating this way”, he told Infosecurity.
A contributing author of the DMARC specification, Agari processes more than 400 million DMARC messages daily across its Email Trust Fabric, Peterson related.
DMARC is a “truly integrated step forward in making [email insecurity] a thing of the past”, Peterson said. The DMARC member companies “agreed that this is the way we want to exchange information and these are the technical standards we are going to use to solve these problems”, he added.
DMARC allows senders to indicate that their emails are protected by the Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM) and tells a receiver what to do if neither of those authentication methods passes. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.
“One of the critical things about DMARC is that it now provides a way for someone who owns a domain” to find out that their domain is being spoofed. DMARC gives domain owners visibility into what is happening on the internet regarding their domain, Peterson said.
DMARC also enables domain owners to publish a policy that tells email service providers that spam or phishing email is being sent from their domains and to block that email from being delivered, he added.
With the launch of Agari’s DMARC receiver program, mailbox providers can protect their customers from email phishing and spam in the same way as founding DMARC.org members.
The program equips mail providers with a streamlined process to adopt DMARC and protect customers through data validation and testing that enables mailbox providers to block, quarantine, or allow messages; benchmarking that allows mailbox providers to anonymously compare data results with those of their peers; and DMARC expertise from Agari.
The end result is a repeatable and scalable way for mailbox providers to work with email senders and protect their users from domain phishing, Agari explained.