Microsoft, Facebook, Google Unite To Battle Spam

Fifteen companies, including Microsoft, Yahoo, Google and Facebook, have come together to form DMARC (Domain-based Message Authentication, Reporting and Conformance), a technical group focusing on ways to ensure that e-mails ostensibly coming from legitimate companies are not being spoofed, according to the group's announcement.

The idea is to better identify fraudulent e-mails by better authenticating legitimate ones. If a message doesn't have the proper ID, it doesn't get through.

The DMARC specification builds on e-mail standards such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) in an attempt to create a standard, comprehensive protocol for authenticating e-mail, Adam Dawes, Google's Gmail product manager, writes in the Gmail Blog.

DMARC would ensure that e-mail providers can recognize that e-mail coming from a sender is legitimate, and can reject messages that haven't been authenticated, Dawes writes.

"A DMARC policy allows a sender to indicate that their e-mails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes -- such as junk or reject the message," the group, which also includes AOL, PayPal, LinkedIn, Agari and Bank of America, says on its home page.

Several of the companies involved in DMARC, such as Google and Microsoft, often fight it out over other matters, but in this case have found a common enemy worth joining forces against.

The goal is to significantly reduce the amount of fraudulent e-mail making its way not only into e-mail systems, but even into quarantine. E-mail filters catch most spam already, but someone going through their quarantined messages still might be tempted to click on a message that seems to come from their bank, or refers to their PayPal account.

And some messages from spoofed sources still get through, often trying to get people to click on links that take them to malicious sites. Sometimes the phishers' goal is to deliver ads for counterfeit products, sometimes to download botnet malware and sometimes to collect personal financial or other sensitive information.

Many of the most notable cyberattacks of recent years -- including those against Google and RSA Security -- began with phishing, or more targeted spear-phishing, e-mails.

"DMARC removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent and harmful messages," the group says. "DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation."

The group says it plans to collect data from using DMARC in the field and then submit it to the Internet Engineering Task Force for approval as an Internet standard.

DMARC is asking organizations interested in the project to read the specification, join the group's discussion mailing list and begin testing and deploying the e-mail authentication standards SPF, DKIM and DMARC.

Group members also will hold discussions on DMARC at two upcoming conferences in San Francisco: The Messaging Anti-Abuse Working Group General Meeting, Feb. 21-23, and the RSA Conference 2012, Feb. 27-March 2. 

About the Author

Kevin McCaney is the managing editor of Government Computer News.

