DMARC launched: standardizes email authentication

The (Domain-based Message Authentication, Reporting and Conformance) website launched two days ago with an official press release stating that fifteen of the biggest email and technology providers have teamed up to combat the threat of deceptive email through standardization of email authentication. This includes the correct use of SPF records and DKIM.
A quote from the press release:

The DMARC specification addresses concerns that have traditionally hindered widespread deployment of an authenticated, trusted email ecosystem. Today, email receivers lack a reliable way to know the extent to which an email sender uses standards like SPF and DKIM for authenticating their messages. As a result, providers must rely on complex and imperfect measurements to separate legitimate unauthenticated messages sent by the domain owner from fraudulent phishing messages sent by a scammer.

Which companies are involved?
All of the big webmail providers are involved: AOL, Gmail, Hotmail, Yahoo! Mail (they together account for about 1,5 billion email addresses), financial institutions and service providers (Bank of America, Fidelity Investments, PayPal), social media properties (American Greetings, Facebook, LinkedIn) and email security solutions providers (Agari, Cloudmark, eCert, Return Path, Trusted Domain Project).

Which specifications are related?
Authentication Failure Reporting Format (AFRF)
A new report sub-type extension for the Abuse Report Format (ARF) (see: RFC 5965)
Allows for relaying of forensic details regarding an authentication failure
Supports reporting of SPF and/or DKIM failures
– For SPF, reports the client IP address and the SPF record(s) that were retrieved, producing a “fail” result
– For DKIM, reports the canonicalized header and body that produced a failed signature, allowing forensic analysis by the signer to detect why the failure occurred
– Also supports ADSP reporting of messages that weren’t signed but should have been
This will be used by DMARC sites for reporting per-message failure details.
An aggregate reporting format is suggested within an appendix of the DMARC specification.
DomainKeys Identified Mail (DKIM)
DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.
DMARC uses DKIM results as one method (SPF being the other) for receivers to check email.
Sender Policy Framework (SPF)
SPF provides a method for validating the envelope sender domain identity that is associated with a message through path-based authentication.
DMARC uses SPF results as one method (DKIM being the other) for receivers to check email.
The DMARC specification can be found here.
More resources:
The official Gmail blogpost can be found here.
The Next Web has an article on DMARC here.


Leave a Reply

Your email address will not be published. Required fields are marked *