RSA 2015: It's end of days for email forgers claim DMARC champions

The death of email has not come to pass, thanks to email authentication schemes
The death of email has not come to pass, thanks to email authentication schemes

The death of email, widely anticipated 10 years ago, has not come to pass, thanks to email authentication schemes such as SPF, DKIM and most recently DMARC.

That was the message at the RSA Conference this morning (Wednesday) at an RSA  panel discussion called “Curbing email threats and spear-phishing – the promise and results of DMARC”.

John Scarrow, general manager for safety services, Microsoft, said that email hasn't died because it's more secure than it was 10 years ago, but CISOs must be aware that the criminals are responding by making their attacks more finely tuned.

Patrick Peterson, CEO of Agari, warned that more criminals are using the “1-2 punch”, stealing personal details from third parties and then going back to phish the users for more personal details and credit card details. But because credit card details get stale quite quickly, there was actually more incentive for them to get as many personal details as possible, including dates of birth and national ID numbers.

However, the consensus of the panel was that DMARC was having a positive impact on deceptive and forged email.
Craig Spiezle, executive director and president, Online Trust Alliance, told SCMagazineUK.com that companies were getting a better understanding of what's happening with their email domains and their mail stream than they've ever had before thanks to DMARC.

DMARC is a standard that was developed by some of the major internet brands such as PayPal, Yahoo!, Microsoft and Google to authenticate email domains. It was published in 2012 and was widely adopted within a year.

Spiezle became involved in the quest for an email authentication system, which would ultimately evolve into DMARC, when he was postmaster at Hotmail in 2003. Much of the work he did then would lead to the formation of the Online Trust Alliance, an initiative for which he was awarded the Editor's Choice Award at the SC Awards US last night.
He concedes that it was a challenge to get organisations to cooperate in those early days but the business value and over-riding need to solve the forged email problem was a powerful motivation.

J Trent Adams, internet security analyst, PayPal, told SC that the success of DMARC has to do with the ease of implementation and the rapid payoff in reducing email domain abuse.

“Within one year of [publishing], we went from 35 percent coverage out of the gate… to over 80 percent customer inbox coverage,” he said. “This was in a single year which essentially told us that there is real value here. Two things were going on here: it's really simple to deploy and it provided immediate value with DMARC reporting.”

To activate DMARC, all you need to do is add a DMARC record to your DNS and provide an email address to which to report. Policies can be adjusted through the DMARC record to instruct mailbox providers how to filter unauthenticated email from your domain, with options to switch between reporting only, quarantine and rejection.

The success of DMARC in the past few years has been proven by its widespread adoption and success rate but the standard is not quite finalised. Adams told SC that there is a technical issue that needs to be resolved to allow certain intermediaries such as mail forwarders to authenticate email on behalf of the originating domain.

“When someone on the other side gets that message, like at a Gmail account or something, they get that and the authentication is broken. Because they are not getting it directly from me, they are getting it from an intermediary so they are trying to authenticate it to me but it's breaking – as it should, by design,” he said.

If they can resolve this technical issue, it's likely that many mailbox providers will more strictly enforce DMARC policies and more aggressively screen non-authenticated email, he said.

“We are going to move into a world where there is no reason not to authenticate your email,” he said.

Sign up to our newsletters