DMARC makes it a year

Yesterday DMARC.org announced that in a year DMARC protects over 60 million mailboxes worldwide.

DMARC, which stands for Domain-based Message Authentication, Reporting & Conformance, builds on previous email authentication advancements, SPF and DKIM, with strong protection of the author’s address (From field) and creating a feedback loop from receivers back to legitimate email senders. This makes impersonation of the author’s address difficult for phishers who are trying to send fraudulent email. Brands can use DMARC to easily notify email providers how to recognize and manage fraudulent mail, while also providing a means by which the receiver can report on fraudulent messages to the owner of the spoofed domain. Messages that pass DMARC validation will continue to be evaluated by the mailbox provider to determine ultimate placement of the message according to its spam-detection filters.

 DMARC is a framework that allows senders to specify authorized sources of mail and tell recipient ISPs what to do with mail if the authentication fails. It also creates a feedback mechanism so receivers can tell senders when authentication fails.

Related Posts

How long is your DKIM key?

While we were at M3AAWG, Wired published an article talking about how simple it was to crack DKIM keys. I didn’t post about it at the time because it didn’t really seem like news. DKIM keys smaller than 1024 are vulnerable and not secure and the DKIM spec does not recommend using keys smaller than 1024. When I asked the DKIM-people-who-would-know they did tell me that the news was that the keys had been cracked and used in the wild to spoof email.
Fair enough.
If you are signing with DKIM, use a key 1024 or longer. Anything shorter and your risk having the key cracked and your mail fraudulently signed.
This morning M3AAWG published recommendations on keeping DKIM keys secure.

Read More

DMARC: an authentication framework

A new email industry group was announced this morning. DMARC is a group of industry participants, including large senders, large receivers and relevant intermediaries working on a framework to reduce the harm from phishing.
DMARC is working on a standard to allow senders to publish sending policies and receivers to act on those policies. Currently, senders who want receivers to not deliver unauthenticated email have to negotiate private agreements with the ISPs to make that happen. This is a way to expand the existing programs. Without a published standard, the overhead in managing individual agreements would quickly become prohibitive.
It is an anti-phishing technique built on top of current authentication processes. This is the “next step” in the process and one that most people involved in the authentication process were anticipating and planning for. I’m glad to see so many big players participating.
 

Read More

Setting up DNS for sending email

Email – and email filtering – makes a lot of use of DNS, and it’s fairly easy to miss something. Here are a few checklists to help:

Read More