Twitter deploys DMARC technology to cut down on credential thefts

News by Dan Raywood

Twitter has deployed technology in an effort to cut down on phishing emails that capture users' credentials.


According to a blog post by Twitter's Josh Aberant, the company has begun using Domain-based Message Authentication, Reporting, and Conformance (DMARC). According to The Register, this has already been deployed by the likes of Facebook, Google and PayPal; at its heart are the DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) mechanisms, which can be used to attach digital signatures to emails and validate their authenticity.

Twitter said that using this mechanism will "make it extremely unlikely that most of our users will see any email pretending to be from a address", as it solves long-standing operational, deployment and reporting issues related to email authentication protocols.

Aberant said that building on DKIM and SPF gives email providers a way to block email from forged domains popping up in inboxes. "That in turn lessens the risk users face of mistakenly giving away personal information.

“While this protocol is young, it has already gained significant traction in the email community with all four major email providers – AOL, Gmail, Hotmail/Outlook, and Yahoo! Mail – already on board, rejecting forged emails. We hope to see it gain more coverage for our users as even more email providers adopt it, and that it gives you more peace of mind when you get an email from us.”

DMARC's stated goal is to build on a system in which senders and receivers collaborate to improve senders' mail authentication practices and enable receivers to reject unauthenticated messages. Among its intentions are to minimise false positives and to provide robust authentication reporting.

It said: "DMARC is designed to fit into an organisation's existing inbound email authentication process. The way it works is to help email receivers determine if the purported message 'aligns' with what the receiver knows about the sender. If not, DMARC includes guidance on how to handle the 'non-aligned' messages."
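The alignment check and policy guidance described in the two preceding paragraphs can be made concrete. The following is an added example, not code from Twitter, DMARC.org or the article: a minimal receiver-side evaluator that parses a sender's DMARC TXT record, tests whether an SPF- or DKIM-authenticated domain aligns (strictly or relaxed) with the visible From: domain, and returns the disposition the sender's p= policy asks for. The policy record, domain names and message results are constructed for illustration; the organizational-domain helper is a deliberate simplification (real receivers consult the Public Suffix List), and the actual SPF lookup and DKIM signature verification are assumed to have already produced their pass/fail results.

```python
"""Added example: a minimal DMARC alignment/disposition evaluator (stdlib only).

Not Twitter's or DMARC.org's code. The record, domains and results below are
constructed for illustration.
"""
from typing import Dict, Optional, Tuple

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict.

    Missing alignment tags default to relaxed ('r'), as the DMARC spec does.
    """
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    tags["p"] = tags["p"].lower()
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified (assumption) to the last two labels.

    Real receivers use the Public Suffix List, so 'co.uk'-style suffixes are
    mishandled here; that is enough to show relaxed alignment.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """True if an authenticated domain 'aligns' with the visible From: domain.

    Strict ('s') requires an exact match; relaxed ('r') accepts the same
    organizational domain (e.g. mail.example.com aligns with example.com).
    """
    if not auth_domain:
        return False  # SPF failed / no verified DKIM signature: nothing to align
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain: str, record_txt: str,
                   spf_pass_domain: Optional[str],
                   dkim_pass_domain: Optional[str]) -> Tuple[str, str]:
    """Return (disposition, reason) for one message.

    from_domain      -- domain of the RFC5322.From header the user sees
    spf_pass_domain  -- RFC5321.MailFrom domain for which SPF returned pass, or None
    dkim_pass_domain -- d= domain of a DKIM signature that verified, or None
    DMARC passes if at least one authenticated identifier aligns; otherwise the
    sender's p= policy (none / quarantine / reject) says how to handle the mail.
    """
    tags = parse_dmarc_record(record_txt)
    spf_ok = is_aligned(spf_pass_domain, from_domain, tags["aspf"])
    dkim_ok = is_aligned(dkim_pass_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("dkim" if dkim_ok else "spf")
    return tags["p"], "no aligned authenticated identifier"


# Constructed policy for the sender domain; a real one is published at _dmarc.<domain>.
POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"


def demo() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Legitimate mail (DKIM d=example.com) versus a forged From: with only a
    third-party mailer's SPF pass. Returns both dispositions."""
    legit = evaluate_dmarc("example.com", POLICY, None, "example.com")
    forged = evaluate_dmarc("example.com", POLICY, "bulk-mailer.example.net", None)
    return legit, forged


if __name__ == "__main__":
    for label, result in zip(("legitimate", "forged"), demo()):
        print(f"{label}: disposition={result[0]} ({result[1]})")
```

With p=reject the forged message is refused outright; changing the constructed record to p=none would return "none", which is the monitor-only mode senders typically start in while they use the aggregate reports (the rua= address) to find legitimate mail streams that are not yet aligned.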
