Google to Adopt Stricter DMARC Policies for Gmail in 2016

Google has announced that it will be moving Gmail to a strict DMARC policy starting in June 2016.

The idea is to thwart cybercriminals who break into user accounts, scrape the address books, and then use a different mail server to send messages that spoof the hacked user's address to his or her own contacts. They do this for spam and fraud, for phishing, and to spread malware.

A DMARC policy combats this by letting a domain owner declare that its mail is authenticated with SPF and DKIM, and by telling a receiver what to do when neither of those two mechanisms passes for a message whose From: header claims the domain, such as junk the message or reject it outright. A receiver that honours the policy will therefore refuse a message sent from an arbitrary server with a gmail.com From: address, because that server can pass neither SPF nor DKIM for gmail.com.
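Applying that policy, as an added example that is not code from the article or from any of the providers it names: the evaluator below takes the SPF and DKIM results a receiver already holds, checks identifier alignment against the From: domain the way RFC 7489 specifies (relaxed or strict, per the record's aspf and adkim tags), and returns the disposition the published p= policy requests. The DMARC records, domains and authentication results are constructed for illustration, and org_domain is a deliberate simplification of the Public Suffix List lookup a real receiver performs. The third scenario is the mailing-list relay case the article comes back to further down, in which legitimate mail fails for the same reasons a spoof does.

```python
"""Minimal DMARC evaluation (RFC 7489 alignment rules) over constructed inputs."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy records, as a domain owner publishes them at _dmarc.<domain>.
# p = action for failing mail; aspf/adkim = alignment mode (r relaxed, s strict);
# rua = where receivers send aggregate reports.
EXAMPLE_RECORD = "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc-reports@example.com"
STRICT_RECORD = "v=DMARC1; p=quarantine; adkim=s"


def parse_dmarc_record(txt: str) -> dict:
    """Parse the 'tag=value; tag=value' list of a DMARC TXT record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    tags.setdefault("aspf", "r")   # RFC 7489 default is relaxed alignment
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain: str) -> str:
    """Crude organizational-domain reduction; real receivers consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict requires an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str            # domain of the RFC5322.From header the user sees
    spf_result: str             # "pass" / "fail" / "none" for the envelope MAIL FROM
    spf_domain: Optional[str]   # domain SPF actually authenticated
    dkim_result: str            # "pass" / "fail" / "none"
    dkim_domain: Optional[str]  # d= of the signature that validated


def evaluate_dmarc(record: str, r: AuthResults) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one message under one published record."""
    policy = parse_dmarc_record(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, policy["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, policy["adkim"])
    if spf_ok or dkim_ok:          # either aligned pass is enough
        return "pass", "none"
    return "fail", policy["p"]     # p= tells the receiver what to do with a failure


# Constructed receiver-side results; every message claims "From: alice@example.com".
LEGITIMATE = AuthResults("example.com", "pass", "bounce.example.com", "pass", "example.com")
# Account-compromise case from the article: the attacker has Alice's address book and
# sends from a server they control. SPF passes for *their* MAIL FROM domain, which does
# not align, and nothing carries an example.com DKIM signature.
SPOOFED = AuthResults("example.com", "pass", "attacker.example.net", "none", None)
# Mailing-list relay: the list re-sends Alice's real post from its own server (SPF aligns
# with the list, not with example.com) after adding a subject tag and footer, which breaks
# her DKIM signature. DMARC cannot distinguish this from the spoof; ARC targets this gap.
RELAYED_BY_LIST = AuthResults("example.com", "pass", "lists.example.org", "fail", "example.com")
# Signed by a subdomain key: fine under relaxed adkim, a failure under strict adkim.
SUBDOMAIN_SIGNED = AuthResults("example.com", "none", None, "pass", "mail.example.com")

if __name__ == "__main__":
    for name, results in [("legitimate", LEGITIMATE), ("spoofed", SPOOFED),
                          ("relayed by list", RELAYED_BY_LIST)]:
        print(f"{name:16s} -> {evaluate_dmarc(EXAMPLE_RECORD, results)}")
    print(f"subdomain/strict -> {evaluate_dmarc(STRICT_RECORD, SUBDOMAIN_SIGNED)}")
```

The relayed message is rejected for exactly the same reason as the spoofed one, which is the deployment downside the article goes on to describe; a receiver has no honest signal in the message itself that the list, not an attacker, re-sent it.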

The news follows Yahoo’s announcement that it would expand its use of DMARC to protect users of the ymail.com and rocketmail.com services by November 2, with more coverage to be added to additional domains in the coming months.

This expands Yahoo's use of DMARC, which it first deployed in 2014 to stop a large-scale campaign abusing its Yahoo Mail services. At the time a Yahoo executive wrote in a company blog post, “And overnight, the bad guys … were nearly stopped in their tracks.” The change was successful enough that AOL followed suit later in the same month in response to a similar large-scale campaign targeting its marquee domain.

DMARC.org is also taking steps to address the downsides of deploying the specification. When Yahoo and AOL began enforcing DMARC on their domains, a small percentage of users were negatively affected: mail they sent through mailing lists and forwarding services, which re-send messages from their own servers and often modify them in transit, no longer passed SPF or DKIM alignment and was rejected by receivers honouring the policy. To address these issues, several workarounds were quickly deployed by service providers and mailing lists, and two long-term solutions were submitted to the IETF for consideration. One of these, the Authenticated Received Chain (ARC), is being presented at the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) meeting in Atlanta. The goal is to engage the technical community in helping to refine and test the proposed solution with deployers such as Google, Microsoft and Yahoo, with an interoperability event being organized for the first quarter of 2016.

“We are pleased to be supporting the ARC protocol to help mailing list operators adapt to the need for strong authentication,” said John Rae-Grant, lead product manager for Gmail.

“More and more companies have been adopting DMARC and email authentication over the past few years, with more vendors and service providers adding the necessary support to their offerings in order to make that adoption simpler,” said Steven Jones, executive director of DMARC.org. “With new protocols like ARC emerging to address the traditional email use cases that were problematic under some DMARC policies, and the leadership of forward-thinking companies like Google, Microsoft and Yahoo, I expect to see the rate of adoption accelerate globally.”
