Microsoft, Google, Facebook, PayPal and others have announced a new joint effort to combat spam and phishing.
DMARC.org has created a draft specification for a system that creates a feedback loop between legitimate email senders and receivers, making impersonation more difficult.
“Email phishing defrauds millions of people and companies every year, resulting in a loss of consumer confidence in email and the internet as a whole,” says Brett McDowell, chair of DMARC.org and senior manager of customer security initiatives at PayPal.
“Industry cooperation – combined with technology and consumer education – is crucial to fight phishing.”
Today, there’s no reliable way for receivers of emails to tell whether a sender is using standards like SPF and DKIM to authenticate their messages. As a result, providers need to rely on complex and imperfect measurements to separate legitimate unauthenticated messages sent by the domain owner from fraudulent phishing messages sent by a scammer.
The aim of the new standard is to make it easier for email senders to incorporate authentication technologies, for example by setting policies to request a provider to discard unauthenticated email.
The specification also creates a mechanism for email providers to send detailed reports back to senders to help find any holes in the authentication system.
The next step is to test the technology in practice, after which DMARC.org says it will submit its spec to the Internet Engineering Task Force for approval.
There’s more information here.