Two years ago, Yahoo went all in with a newish technology to put an end to spoofed e-mails and other pernicious phishing attempts.
It began rejecting all e-mails that claimed to come from a Yahoo user but weren’t signed by Yahoo. Overnight, the bad guys “were nearly stopped in their tracks,” Jeff Bonforte, Yahoo’s senior vice president of communications products, wrote at the time.
This week, Bonforte said the experiment is going global.
“Yahoo was the first major e-mail provider to implement the stronger policy, to protect our users from fake messages and spoofing threats,” Bonforte said. “The results have been outstanding, so we will soon roll out the enhanced policy for our remaining fraction of international users not covered by the policy.”
Yahoo is joined by Google, Facebook, PayPal, Twitter, Microsoft and others in adopting DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance. The technology standard verifies that an e-mail came from whom it claims to come from by checking the sender’s Internet domain — or the “paypal” in paypal.com.
For consumers, this means fewer spoofed e-mails in your inbox and spam folder, lest you are tempted to click that strange query from your bank asking for your password, Social Security number and mother’s maiden name.
Even though major e-mail providers have enabled DMARC, a new study from Return Path, an e-mail analysis and consulting firm, estimates only 29 percent of the top 1,000 brands most susceptible to phishing have joined the movement.
“We’re not quite there, but we’re on the path to being there,” said Robert Holmes, Return Path’s senior vice president and general manager for e-mail fraud protection. “The problem with security is the lowest common denominator. We can only trust e-mail when all brands adopt it.”
DMARC builds on two existing e-mail authentication methods: SPF, or Sender Policy Framework, which lets a domain owner publish which mail servers are allowed to send on the domain’s behalf, so a message from an unauthorized server fails the check; and DKIM, or DomainKeys Identified Mail, which attaches a cryptographic signature that the receiver verifies against a key published by the sending domain. DMARC adds an alignment rule on top: the domain that passed SPF or DKIM must match the domain shown in the message’s “From” header, which is the one the recipient actually sees.
If the message passes, DMARC lets the message through to the user’s inbox. If not, DMARC can quarantine the message, reject it or do nothing. The action is based on the DMARC policy of the company whose name is being spoofed.
But doing nothing — or p=none in computer speak — doesn’t mean nothing is being done. Receivers still send the domain owner aggregate reports on which messages passed and which failed. Some messages flagged as failing might not be suspect at all.
Boulder-based SendGrid, for example, sends billions of e-mails each month on behalf of its customers, including Nextdoor, Pinterest and Airbnb. By switching to “reject,” mismatching messages wouldn’t reach customers.
Companies use the “none” feature to study what might have been rejected so they can work with third-party domains to get their authentication up to date.
“There is the potential that if they configure their DMARC policies incorrectly, they can disrupt their own legitimate e-mails,” said Paul Kincaid-Smith, SendGrid’s vice president of delivery. “The main idea here is proceed with caution. Use a phased approach. Make adjustments before tightening up the policy.”
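The policy evaluation and the phased rollout described above, as an added example (not code from the article, Yahoo, SendGrid or any DMARC vendor): it parses a DMARC TXT record, applies the SPF/DKIM alignment rule and the p=/pct= tags, and shows how the same failing message is handled at each stage of a none → quarantine → reject rollout. Domain names, the record contents and the `AuthResult` inputs are constructed sample values; the organizational-domain check is simplified to the last two labels, whereas real receivers consult the Public Suffix List.

```python
"""Minimal DMARC disposition logic (illustrative, simplified from RFC 7489)."""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=none; rua=mailto:...' into a tag dictionary with defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")      # requested action on failure
    tags.setdefault("adkim", "r")     # DKIM alignment: r=relaxed, s=strict
    tags.setdefault("aspf", "r")      # SPF alignment
    tags.setdefault("pct", "100")     # percentage of failing mail the policy applies to
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption; real code uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Does the domain that passed SPF/DKIM align with the visible From domain?"""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    """Constructed SPF/DKIM outcome for one message (what a receiver has after those checks)."""
    from_domain: str             # domain in the From: header the user sees
    spf_pass: bool
    spf_domain: Optional[str]    # envelope (MAIL FROM) domain SPF was evaluated for
    dkim_pass: bool
    dkim_domain: Optional[str]   # d= tag of a passing DKIM signature


def evaluate(record: str, r: AuthResult, roll: int = 0) -> tuple:
    """Return (dmarc_result, disposition) for a message under a DMARC record.

    roll is a number 0..99 standing in for the receiver's random sampling
    when pct < 100; messages not selected get the next-less-severe action.
    """
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"          # either aligned pass is enough
    action = tags["p"]
    if action != "none" and roll >= int(tags["pct"]):
        action = "quarantine" if action == "reject" else "none"
    return "fail", action


# A phased rollout: monitor, then quarantine a slice, then quarantine all, then reject.
ROLLOUT = [
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
]


def phased_rollout(r: AuthResult, stages=ROLLOUT) -> list:
    """Disposition the same message would get at each rollout stage."""
    return [evaluate(rec, r)[1] for rec in stages]


if __name__ == "__main__":
    # Constructed: a third-party sender that was never added to SPF and signs with its own domain.
    unaligned = AuthResult("example.com", True, "mailer.example.net", True, "example.net")
    print(phased_rollout(unaligned))   # none -> quarantine -> quarantine -> reject
```

The `unaligned` case is the situation the article describes: mail that passes SPF and DKIM for the delivery vendor’s own domain but not for the brand’s, which p=none only reports and p=reject would drop. Walking the record through the stages in `ROLLOUT` is the “phased approach” in practice, with the aggregate reports at each stage telling the domain owner which senders still need fixing.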
(Search for a company’s DMARC policy at Return Path’s DMARC check site: stopemailfraud.returnpath.com/dmarc.)
Situations such as this are why not all 1,000 top brands have adopted DMARC, said Steven Jones, executive director of the DMARC organization.
“Not everyone will move forward,” Jones said. “Marketing companies may find that if they’re sending tens of millions of messages and 10,000 are hitting a block, that may not be a big deal. But for a bank, if a couple hundred people aren’t getting the e-mail, they feel, ‘I won’t be comfortable in blocking that.’ ”
Adding DMARC to one’s domain can be tricky. But as an open technology, it’s available to all domain owners.
One company, Dmarcian, offers free tools to translate the daily reports on suspicious e-mails from computer code into English, said Tim Draegen, Dmarcian’s CEO. He is on a mission to help small businesses and domain owners of every size adopt DMARC.
“E-mail is huge, and having any fundamental change takes a long time,” said Draegen, who worked on the original DMARC standard and co-founded e-mail security firm Agari Data. “We are making the tools as simple as pushing a button. People who own domains, they get visibility on how their e-mail domains are being used across the Internet.”
Of course, DMARC is just one piece of the fight against e-mail cybercrime. Consumers still need to be vigilant about opening messages in their inbox.
For now, DMARC won’t block an e-mail sent from a look-alike domain that the attacker actually controls, like firstname.lastname@example.org, because the message genuinely comes from that domain. Other e-mail tools, however, will help with that. Google just added a visual lock on messages that don’t support certain encryption.
“What we’re seeing is the bad guys are getting pushed to the margins. And that’s a good thing, because the more you push the bad guys to the margins, the less credible the bait e-mails are. And the less credible, the less people will engage with those,” said Holmes. “We feel pretty good that implementation is leading to a reduction. Ultimately, we want to be in a position where many more companies are supporting DMARC.”
Don’t let phishers fool you
DMARC rejects impersonating e-mails but can’t prevent all malicious messages. Vigilance is key.
• Don’t trust the display name, which shows who sent the e-mail. Anyone can create a sender’s e-mail address with the word cit1b@nk, which is not the same as Citibank. Check the e-mail’s header information for where the e-mail is really coming from.
• Look for good grammar, correct spelling and a complete e-mail. Legitimate messages should include contact information.
• Don’t open attachments, even if you think you know the sender. The sender’s e-mail could be spoofed. Instead, check with the sender separately on whether he or she sent it or whether you knew it was coming.
• Use common sense. Is it your bank urging you to log in with a provided link to fix account information? Don’t click it. Legitimate sources don’t ask you for personal credentials by e-mail. Call or go to your bank’s website to see whether it sent the e-mail.