Bank of America, Fidelity Investments and PayPal have joined with Google, Microsoft and Facebook to develop a set of e-mail authentication standards designed to reduce the threat of deceptive spam and phishing fraud.
The DMARC working group - comprising 15 leading e-mail service and technology companies - has produced a draft specification that helps create a feedback loop between legitimate e-mail senders and receivers to make impersonation more difficult for phishers trying to send fraudulent e-mail.
"E-mail phishing defrauds millions of people and companies every year, resulting in a loss of consumer confidence in e-mail and the Internet as a whole," says Brett McDowell, chair of DMARC.org and senior manager of customer security initiatives at PayPal. "Industry cooperation - combined with technology and consumer education - is crucial to fight phishing."
The DMARC specification addresses concerns that have traditionally hindered widespread deployment of an authenticated, trusted e-mail ecosystem. Today, e-mail receivers lack a reliable way to know the extent to which an e-mail sender uses standards like SPF and DKIM for authenticating their messages. As a result, providers must rely on complex and imperfect measurements to separate legitimate unauthenticated messages sent by the domain owner from fraudulent phishing messages sent by a scammer.
Paul Smocer, president of Bits, the technology policy division of the US bank-backed Financial Services Roundtable, welcomes the initiative: "Bits has been committed to defining and improving e-mail authentication standards and practices to meet the financial services industry's needs. DMARC's evolutionary approach is critical in assuring these needs are met for years to come."
The DMARC consortium intends to test its framework among group members before submitting the specification to the IETF for standardisation.