Q&A: How DMARC standard thwarts phishing scams

By Byron V. Acohido

SEATTLE — One year ago, a group of organizations introduced a technical standard called DMARC, an acronym for Domain-based Message Authentication, Reporting & Conformance. DMARC standardizes how major online companies, like Facebook and Netflix, prove the authenticity of legitimate e-mail sent to customers. Major Internet Service Providers Comcast and China’s NetEase, as well as the major providers of free web mail – Microsoft, Google, Yahoo and AOL – all support DMARC.

But the IRS does not, which is one reason tax-related phishing attacks using faked IRS e-mail continue to flourish, as CyberTruth revealed in this coverage.

Any phisher who tries to send a bogus Facebook or Netflix e-mail to users of the free e-mail services or ISPs that support DMARC gets blocked. After only a year in business, DMARC is helping to protect about 60% of e-mail. Patrick Peterson, CEO of e-mail security company Agari, was a key contributor to designing the new standard. CyberTruth asked Peterson to drill a bit deeper.
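As an added illustration (not part of this article and not Agari's code), here is the check a receiving mail server performs when it applies a sender's published DMARC policy: it asks whether an SPF or DKIM result aligns with the domain the user sees in the From header and, if neither does, applies the action the domain owner requested. The example.com record and the two messages are constructed, and the organizational-domain logic is simplified.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class AuthResult:
    """What the receiving MTA already knows about one message (constructed input)."""
    from_domain: str                 # domain in the RFC5322.From header the user sees
    spf_domain: Optional[str]        # MAIL FROM domain that passed SPF, or None
    dkim_domains: Tuple[str, ...]    # d= domains of DKIM signatures that verified

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain: str) -> str:
    # Simplification: last two labels; real receivers use the Public Suffix List (e.g. co.uk).
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record: str, msg: AuthResult) -> str:
    """Return 'pass' if an aligned SPF or DKIM result exists, else the domain's requested policy."""
    tags = parse_dmarc(record)
    spf_ok = aligned(msg.spf_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(d, msg.from_domain, tags.get("adkim", "r")) for d in msg.dkim_domains)
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]   # 'none' = deliver but report; 'quarantine' / 'reject' = enforce

# Constructed sample: the brand's policy and two incoming messages that claim to be from it.
BRAND_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"
LEGIT = AuthResult("example.com", "bounce.example.com", ("example.com",))
PHISH = AuthResult("example.com", "mail.attacker.example.net", ("attacker.example.net",))

if __name__ == "__main__":
    print("legitimate:", dmarc_disposition(BRAND_RECORD, LEGIT))   # pass
    print("spoofed:   ", dmarc_disposition(BRAND_RECORD, PHISH))   # reject
```

With `p=none` the same spoofed message would still be delivered, but the aggregate report sent to the `rua` address tells the domain owner it happened, which is how brands typically monitor before moving to `reject`.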

LW: How should the layperson think about DMARC?

Peterson: Recent surveys have shown 60% of US consumers have a declining level of trust in e-mail. Sadly, this is because of rampant spam and phishing. DMARC ensures all of us can trust the message coming from our bank, government, or e-commerce store. It takes the email channel away from criminals sending those nasty, fraudulent messages we see every day.

LW: So DMARC will actually impact all e-mail users?

Peterson: Fewer fraudulent email messages mean we can spend more time shopping, banking online and looking at photos of our grandchildren rather than worrying about whether the message is legitimate. The great news is the average citizen doesn’t need to know anything about DMARC, since DMARC acts behind-the-scenes at their ISP.

LW: How did DMARC come about?

Peterson: In 2010 leading companies including Agari, Facebook, Google, JP Morgan Chase, PayPal, Yahoo! and 12 others decided enough was enough. It was time to define a new technology that would help businesses protect their online identities and consumers trust their e-mail. We sat down together, looked at the existing solutions and began diving into the technology and data to build the solution. Although it was not announced until January 2012, it had been under constant testing and deployment since 2010.

LW: What good has DMARC done in its first year?

Peterson: At the moment, 80% of US consumer mailboxes are protected by DMARC. The largest ISP in China and separately, the largest ISP in Russia, have both signed on to support DMARC. Major brands including JP Morgan Chase, Facebook, and Twitter have also deployed DMARC to keep consumers safer. More than 150 million malicious phishing messages are being rejected every month.

At Agari, we’ve helped the country’s largest bank deploy DMARC that stops billions of phishing emails per month. We also signed up the three largest social networks in the nation, the most admired consumer electronics brand, and a top credit card processing company.

LW: What do you expect DMARC to achieve, going forward?

Peterson: DMARC adoption will continue to grow, protecting more brands for more consumers. We should be able to bank, shop, and play online without the plague of data and identity theft.

LW: Anything else?

Peterson: Every member of DMARC.org has taken a leadership role to protect consumers and Agari is proud to be playing a pivotal role to help make our Internet a safer place. DMARC provides a shining example of how the industry has stepped up to the plate to solve this issue.

Follow Byron Acohido on Twitter: @byronacohido
