Much thanks to Franck Martin at LinkedIn and Josh Aberant at Twitter for providing technical guidance on this post.
Most countries require visitors to have a passport and valid visa at the point of entry – whether at the border or airport. These requirements, however, do not always prevent people from entering illegally. Malicious individuals may impersonate someone by stealing their passport and claiming their identity in order to gain access at checkpoints and deceive the border police. As a result, immigration officers now implement more advanced security and background checks to secure the borders.
Unfortunately, the Internet and the global email system have a lot in common with immigration and border security. While the main purpose of inventing the Internet in 1960s was open communication between universities, colleges and government agencies, cybercriminals have undermined that openness for the rest of us. Just like identity thieves, they subverted the system by using techniques like email spoofing and phishing, and as a result, the major Internet services providers (ISPs) have had to establish anti-abuse departments.
From botnets to malware, phishers to 419 scammers, malicious mail accounted for 85% of Internet traffic by 2012. In order to protect their members from these cybercriminals, major ISPs began to require stricter email security measures such as SPF and DKIM. Finally, DMARC was conceived in 2012.
DMARC or Domain-based Message Authentication, Reporting and Conformance is a security technique that fights cybercrime, including domain spoofing, phishing and spear phishing, that relies on SPF and DKIM authentication in order to guarantee message integrity. It’s a mutual reporting protocol whereby domain owners – email senders – can indicate to ISPs that their emails are protected by SPF and/or DKIM, and tell the receiver (the ISP) what to do if neither of those authentication methods passes. Through their DMARC policy, senders can request ISPs to reject non-compliant email outright, or to quarantine it for further review. In fact, there are three “report modes” for DMARC: report mode (p=none), reject (p=reject), and quarantine (p=quarantine) – more on this below.
DMARC is specifically designed to combat one of the most common types of phishing attacks, where the “from address” in an email is forged. We see this when cybercriminals create emails that appear to be from prominent Internet brands or financial services companies, and usually contain links to malicious websites. We also see this in spear phishing attacks where criminals impersonate close contacts of their intended victims. Email recipients who fall for these kinds of scams can inadvertently download and install malware, or hand over sensitive account login information or passwords, or become a victim of identity theft. Of course, the damage is most severe for the individual, but service providers and brands suffer as well.
DMARC is a powerful tool to combat this kind of activity, and the major ISPs have been steadily implementing it over the past two years. It should be pointed out that DMARC does two things, really, both a) protecting mailboxes from receiving phish and forgeries, and b) stopping criminals from using your domains. Because 85% of mailboxes in the USA are now protected by DMARC (60% worldwide), applying a DMARC policy on your domain is a very effective way to project your brand and make the email a more difficult channel for criminals to exploit.
Earlier this month, Yahoo took the bold step of changing their DMARC policy from report mode (p=none) to reject (p=reject). Yahoo’s SVP of Communications Products Jeff Bonforte explained the change in a Tumblr post:
“On Friday afternoon last week, Yahoo made a simple change to its DMARC policy from “report” to “reject”. In other words, we requested that all other mail services reject emails claiming to come from a Yahoo user, but not signed by Yahoo.
Yahoo is the first major email provider in the world to adopt this aggressive level of DMARC policy on behalf of our users.
And overnight, the bad guys who have used email spoofing to forge emails and launch phishing attempts pretending to come from a Yahoo Mail account were nearly stopped in their tracks.”
This policy now rejects and blocks traffic coming from yahoo.com email users who are on other networks, and not on Yahoo servers. The change will only affect traffic coming from Yahoo.com (not Yahoo hosted domains, it is up to each customer to decide whether or not to apply a DMARC policy on their hosted domain) based on the “From Address” that is not signed by Yahoo. This new policy has stopped millions of phishers already. This was a necessary move and no doubt there will be some education needed in the field to encourage small businesses to register and use their own domain if they haven’t already. But at the end of the day, these little challenges are a necessity, because email phishing has become one of the major channels for initiating cybercrime. After all, this was the reason DMARC was created, to give senders and receivers the power to define policies and protect the Internet from the criminals.
No doubt, Yahoo’s new policy is a disruption for small business owners and mailing list owners who send email on behalf of individuals. Yet DMARC has been embraced by many of the major Internet brands, and the effort to create a more secure messaging environment is likely to keep progressing. This is good for everyone who enjoys email and surfing the web. We encourage our ESP clients to only allow traffic from the domains they control to leave their network. We at Message Systems fully support Yahoo’s new DMARC policy and any effort to make the Internet a better and safer place. Our in-house expertise is available to assist any of our clients who use our core engine, Momentum, which provides for email authentication and is fully equipped to face any challenges in complying with Yahoo DMARC acceptance policies.
Find out more about DMARC email authentication in the The Benefits of Adopting DMARC Email Authentication in the joint webinar by Return Path, Groupon and Message Systems.