And this time, they seem to be serious, joining together these powerhouses:
* Big Internet: Google, Facebook, Microsoft, Yahoo, AOL, LinkedIn etc.
* Big Money (aka financial service providers): Bank of America, Fidelity Investments and PayPal.
* Big Security: Agari, Cloudmark, eCert, Return Path and the Trusted Domain Project
To fight Email Scams, specifically Phishing Scams. Such scams try to trick people into giving away passwords and other personal information by sending emails that look as if they come from a legitimate bank, retailer or other business. When Bank of America customers see emails that appear to come from the bank, they might click on a link that takes them to a fake site mimicking the real Bank of America’s. There, they might enter personal details, which scam artists can capture and use for fraud.
To combat that, 15 major technology and financial companies have formed an organisation to design a system for authenticating emails from legitimate senders and weeding out fakes. The new system is called DMARC – short for Domain-based Message Authentication, Reporting and Conformance. In a nutshell, it is another way (in addition to the SPF and DKIM checking already available) to make sure that an email is really from the organization that it says it is.
Most Phishing emails pretend to come from a respected institution and it is a simple matter to claim that the message came from the domain name of the trusted entity. This is the first step in establishing trust – if an email arrives that seems to come from ‘firstname.lastname@example.org’, one’s guard is just that little bit lower.
DMARC aims to prevent those emails from ever arriving by intelligent checking and has a feedback mechanism that alerts the real organization that the event has occurred.
It’s not going to stop email from addresses that use obfuscated (email@example.com) or maliciously mis-spelled (firstname.lastname@example.org) or just completely fake email addresses (email@example.com)
…but it’s a start and Scamdex for one applauds it!
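To make the check and its limit concrete, here is an added example (not code from the DMARC project or from this site) of how a receiving mail server could apply a published DMARC policy to a genuine message, an exact-domain spoof and a look-alike domain. The domains, the `dmarc_disposition` helper and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
# Added example: simplified DMARC evaluation. All domains are constructed.

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record, e.g. 'v=DMARC1; p=reject; rua=mailto:...'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Assumption: last two labels form the organizational domain.
    # Real receivers use the Public Suffix List for this step.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_disposition(from_domain, spf, dkim, policies):
    """spf and dkim are (result, authenticated_domain) pairs produced by the
    receiver; policies maps a domain to its published DMARC TXT record.
    Returns (disposition, report_address)."""
    record = policies.get(org_domain(from_domain))
    if record is None:
        return ("no-policy", None)  # DMARC has nothing to enforce
    tags = parse_dmarc_record(record)
    # A check counts only if it passed AND its domain matches the From domain.
    ok = any(result == "pass" and org_domain(dom) == org_domain(from_domain)
             for result, dom in (spf, dkim))
    if ok:
        return ("pass", tags.get("rua"))
    return (tags.get("p", "none"), tags.get("rua"))

# Constructed sample: the bank publishes a reject policy with a report address.
POLICIES = {"bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"}

SAMPLES = {
    "genuine": ("bank.example", ("pass", "mail.bank.example"), ("pass", "bank.example")),
    "spoofed": ("bank.example", ("pass", "bulk-sender.example"), ("none", "")),
    "lookalike": ("bank-secure.example", ("pass", "bank-secure.example"), ("none", "")),
}

if __name__ == "__main__":
    for name, (frm, spf, dkim) in SAMPLES.items():
        print(name, dmarc_disposition(frm, spf, dkim, POLICIES))
```

The spoofed message is rejected and reported to the bank's address, while the look-alike domain falls outside the bank's policy entirely, which is why user awareness and look-alike domain monitoring remain necessary alongside DMARC.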
More information [than anyone probably needs to know] is available at the DMARC website