Google, Microsoft And Others Announce Anti-Phishing Initiative

An alliance between 15 companies is hoping to set a standard to effectively wipe out email phishing

Google, Facebook, Microsoft, PayPal and 11 other companies have announced a proposed standard for email sending and receiving in an attempt to stamp out phishing.

DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a system that will aid communication between companies and consumers by creating a standardised way of authenticating emails.

Fighting the phishers

The other companies working in the DMARC group are AOL, Yahoo, Bank of America, Fidelity, LinkedIn, American Greetings and email security providers Agari, Cloudmark, eCert, ReturnPath and Trusted Domain Project.

The group came together roughly 18 months ago and last November it emerged that Google, Yahoo, AOL, Microsoft and Agari were authenticating for Facebook, YouSendIt and other e-commerce organisations and social networks. Today’s move sees DMARC expand its list of participants in the hope that the system will be more widely recognised.

Backed by the Online Trust Alliance (OTA), BITS, and the Messaging Anti-Abuse Working Group (MAAWG), the eventual goal of the DMARC collaborators is to “develop an operational specification to be introduced to the IETF (Internet Engineering Task Force) for standardisation” and for it eventually to become an official internet standard.

“One of the worst experiences for a user is being phished,” Adam Dawes, DMARC representative and Google product manager, told Wired. “The best way to protect them is to make sure the email never reaches the spam folder at all.”

The DMARC system ensures that email senders are protected by SPF (Sender Policy Framework) and/or DKIM (DomainKeys Identified Mail) and that receivers are informed and advised should messages fail to meet the authentication methods.

Phishing persists as a major problem, with data from the OTA suggesting that hundreds of thousands of accounts are hijacked daily. The hope is that as more companies adopt DMARC’s standard, the scamming practice will be rendered useless.