Tech giants team up to combat phishing with new email specification


Major email providers such as Google (NASDAQ: GOOG), Microsoft (NASDAQ: MSFT) and Yahoo!, along with well-known companies like Facebook and PayPal, are pushing for the widespread adoption of a new specification designed to eliminate phishing. Called DMARC, or Domain-based Message Authentication, Reporting and Conformance, the technical specification attempts to address the shortcomings of the existing anti-phishing mechanisms SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).

The heart of the issue is that SMTP, the traditional protocol for sending email, was designed to accept incoming messages without any way of verifying that the "From" address is genuine. This weakness is well known and has been actively exploited by spammers and phishers alike, who gain trust by masquerading as well-known brands or personalities.

SPF and DKIM were created to combat this problem, though neither is universally adopted as yet. Part of the reason is that misconfigurations are hard to diagnose, and that legitimate handling breaks the checks: adding a footer to a message causes a DKIM failure, while forwarding a message causes an SPF failure. The result is that "failing one or other test is not a good reason to reject a message," observed Ars Technica.

DMARC attempts to fill in the gaps by letting a domain owner publish in DNS a policy stating how receivers should deal with messages from that domain that fail SPF or DKIM. The options range from rejecting such messages, to quarantining them, to accepting them normally but sending a notification of the failure back to the sender.
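To make the policy lookup concrete, here is an added example (not code from the article or from the DMARC group) of how a receiver applies a published DMARC record to the SPF and DKIM outcomes of a single message. The record, domain names and report address are constructed placeholders; the organizational-domain check is simplified to the last two labels.

```python
# Constructed sample DMARC record, as a domain owner would publish it in DNS
# at _dmarc.example.com (domain and report address are placeholders).
SAMPLE_RECORD = ("v=DMARC1; p=quarantine; sp=reject; pct=100; "
                 "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(txt):
    """Parse the tag=value pairs of a DMARC TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain):
    # Simplified organizational domain (last two labels); real receivers use
    # the Public Suffix List so that e.g. example.co.uk is handled correctly.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r)
    only the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Apply a DMARC record to one message's SPF and DKIM results.
    Returns (result, disposition, report_address)."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    # DMARC passes if either method passes AND aligns with the From domain,
    # so one broken check (e.g. SPF failing after a forward) does not reject.
    if spf_ok or dkim_ok:
        return "pass", "none", tags.get("rua")
    # Both failed: subdomains use sp= when present, otherwise p= applies.
    policy = tags.get("p", "none")
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"
    return "fail", policy, tags.get("rua")
```

A forwarded message (SPF failing, DKIM still valid) therefore passes, while a message failing both checks is quarantined under p=quarantine, or rejected if it claims a subdomain covered by sp=reject.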

Safe in the knowledge that a misconfiguration will not necessarily cause business disruption as important emails go missing, one hopes that organizations will be more open to implementing DKIM and SPF. Popular phishing targets such as PayPal are expected to opt for a more stringent configuration, and to see a substantial reduction in phishing attempts as a result.

Obviously, the effectiveness of DMARC depends on it being adopted by major businesses and email operators. For now, the DMARC group says it plans to submit the specification to the IETF (Internet Engineering Task Force) in the hopes that DMARC could eventually become an industry standard.

For more:
- check out this article at PCWorld
- check out this article at Ars Technica
