Stop deceptive phishing emails with DMARC.org standards

Dealing with the aftereffects of a phishing attack can be more than a little frustrating. One group is trying to fix that with a set of standards.

I don't know how your email inbox looks these days, but my personal email accounts still get a noticeable number of phishing emails. Some of those phishing emails have actually been very well-constructed attempts at extracting information -- attempts that I am sure tricked at least a few individuals into divulging personal information to someone not authorized to receive it.

For novice users in your organization or even in your family, these phishing emails can be very effective, which can lead to all sorts of costly problems. As the IT Pro on the hook to fix those kinds of problems, dealing with the aftereffects of a phishing attack can be more than a little frustrating.

Would a set of agreed-upon email authentication standards help you in this respect?

DMARC

On January 30, 2012, a group of organizations announced a joint effort to reduce the threat of deceptive emails. DMARC.org is a working group that wants to establish a set of standards outlining "an enhanced vision for email authentication that can scale up to today's Internet needs." The draft standards incorporate some of the best authentication practices currently in use by large email senders.

By the way, DMARC is an acronym for: Domain-based Message Authentication, Reporting and Conformance. As you can see, the name practically demands an acronym.

In a ZDNet Blog post, Larry Dignan says that "after 18 months of work, DMARC is pitching a system that allows email senders to include authentication technologies. In this system, email providers can get reports that highlight gaps in authentication schemes."

Here is how the system would work

The entities involved in the working group include a veritable who's who of large-volume email senders and providers, including Google, Microsoft, Yahoo, eBay's PayPal, AOL, and Bank of America. For more detailed information about the DMARC initiative, check out the DMARC.org website.

Gone phishing

Are you still having trouble with phishing emails at your organization? Do you think the DMARC.org plans to create a set of authentication standards will work in the real world? Do you plan to support the effort?

About

Mark Kaelin is a CBS Interactive Senior Editor for TechRepublic. He is the host for the Microsoft Windows and Office blog, the Google in the Enterprise blog, the Five Apps blog and the Big Data Analytics blog.

2 comments
daincrawford

We are having a great deal of trouble with false positive email blocking, both incoming and outgoing. We are a regular business, trying to send regular business email, no spam, no solicitations. Yes, we attach PDFs of invoices or quotes occasionally, at the customer's request. These are things we have always done. Typical business uses of email. But in the past few weeks, the number of outgoing emails being blocked has increased dramatically and our. I am all in favor of reducing spam and phishing and I will do whatever I can to help reduce it. What I do not know how to do yet, is understand what I have to do to get my users' email authenticated properly for all recipients. No one seems to be talking about this and I know that I am not the only one having issues.

Mark W. Kaelin

Are you still having trouble with phishing emails at your organization? Do you think the DMARC.org plans to create a set of authentication standards will work in the real world? Do you plan to support the effort?