This week’s Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) conference in Atlanta featured a training session on DMARC.
DMARC stands for Domain-based Message Authentication, Reporting & Conformance, and is a security specification aiming to reduce email-based cyber attacks and fraud. It builds on decade-old authentication technologies called SPF and DKIM. These were initially introduced to validate the email sender’s identity, but various technical issues rendered them ineffective, until recently. Starting in 2007, PayPal worked with Yahoo! Mail and later Gmail to work around these deficiencies. Now, through DMARC, a receiving inbox can use SPF and DKIM to detect whether a message fits with the sender’s presented identity, and it also has a protocol by which to handle messages that fail to authenticate.
DMARC.org’s Steve Jones provided an information session on the process at this spring’s M3AAWG conference in Dublin, and yesterday ACS Technologies’ Barry Jones showed how he used DMARC to secure a web auction site against phishing and other fraudulent cyber attacks. The frequency of such attacks is likely to rise along with the use of electronic and mobile commerce, and so it’s a good time to introduce organizations to this kind of advanced digital security.