[February 18, 2014]

Prominent Brands Cut Email Abuse by More than 50% with DMARC

SAN JOSE, Calif. --(Business Wire)--
an industry collaborative working to increase consumer trust in email,
published new data demonstrating how DMARC adoption reduces the risks
associated with fraudulent email. Senders, such as Facebook, PayPal, and
Twitter, as well as receivers, such as Google and Microsoft, are seeing
significant reduction in the delivery of malicious emails to consumer

DMARC, which stands for Domain-based Message Authentication, Reporting,
& Conformance, is a specification that defines how email can be
authenticated by receivers and how they can report the authentication
results back to the sender. The specification was published in 2012, and
it is now celebrating its second year of having a positive effect in
protecting consumer inboxes from spoofed email.

Illustrating this trend, PayPal stated that customer reports of
suspicious email dropped in the U.S. by more than 70% during 2013.
Microsoft also announced that reports of phishing by users of
Outlook.com dropped by more than 50% in 2013 over 2012. These trends
clearly underscore the fact that less malicious email is being delivered
to consumer inboxes, with DMARC being an important contributing factor.

"Implementing DMARC stopped nearly 25 million attempted attacks on our
customers during the 2013 holiday buying season alone," said Trent
Adams, Chair of DMARC.org and Senior Advisor on email security for
PayPal and eBay Inc. "Not only is DMARC shutting down spoofed domain
attacks, but it has also cut the overall volume of daily attacks in half

While not every mailbox provider has added DMARC protection, users with
email accounts operated by Google, Yahoo, Microsoft, AOL, Comcast,
Netease, Mail.ru, and XS4All are protected today. This covers almost 2
billion accounts worldwide, protecting senders such as Amazon, American
Greetings, DocuSign, Facebook, Fidelity Investments, JP Morgan Chase,
LinkedIn, LivingSocial, PayPal, and Twitter.

As a major mailbox provider, Google has seen how effective implementing
DMARC can be. In December Google reported that over 90% of emails
received by Gmail users are now authenticated by DKIM or SPF, the
underlying authentication mechanisms used by DMARC. Further, they report
that over 80,000 domains have already published policies via DMARC
allowing them to reject unauthenticated messages.

"We are very pleased with the industry adoption of DMARC, and the
positive impact on protecting Gmail's users from spoofing and phishing
attempts," said Google Product Manager John Rae-Grant. "As more of the
industry adopts DMARC, we're increasingly able to reject hundreds of
millions of fraudulent messages each week. This improves our ability to
protect Gmail users and many brands that were previously targeted by
spoofers and phishing attempts. For example, we saw a reduction of 5000%
in the amount of spoofing email claiming to be from a major corporation
during their busiest season after implementing a DMARC reject policy."

"DMARC protects more than 85% of the people who receive email from
Facebook," said Michael Adkins, Production Engineer at Facebook. "That
level of adoption has significantly diminished the financial incentive
for criminals to spoof our domains, so they've moved on to other
targets. People can trust their inboxes more as a result. We're proud to
have been one of the first companies to deploy the DMARC specification
at scale, and we're excited to see so many others achieving great

In the process of deploying DMARC, Twitter first took advantage of its
reporting features to identify the scope of abuse against their domains.
During the first 45 days of initial monitoring, Twitter saw nearly 2.5
billion messages spoofing its domains. The spoofed messages exceeded 110
million per day at their peak. Once Twitter moved to a DMARC "reject"
policy, the number of spoofed messages dropped to only a few thousand

"DMARC was eye-opening for our security team at Twitter," said Josh
Aberant, Postmaster at Twitter. "We found massive amounts of abuse from
both our domains and look alike domains we'd claimed. Using DMARC to
protect these domains and stop forgeries is a core component of how we
protect our users."

"Since the introduction of email, cyber criminals have been hard at work
determining ways to corrupt and exploit this communication channel,"
said Patrick Peterson, founder and CEO of Agari. "The drastic reduction
in attempted email fraud, even across multiple domains, is due primarily
to the protections provided by the DMARC standard. For example, one of
our prominent financial services clients saw spoofing levels drop an
amazing 67% after publishing its DMARC reject policy in the fall of

Return Path, a provider of email brand protection, reports similar
results. "As awareness of DMARC prompts more senders to make the
protection of consumers and brands a priority, Return Path has seen a
130% increase in both clients and domains publishing valid DMARC records
over the last twelve months alone, and that growth is only
accelerating," said Matt Blumberg, CEO of Return Path. "Within the span
of two years DMARC has introduced a sea change in email security, and
the remaining brands that leave themselves and their customers
vulnerable to fraud are taking unacceptable risks."

"In just the last 90 days alone, DMARC has blocked over one hundred
thousand messages across multiple sending domains, helping to protect
the Publishers Clearing House brand and consumers from potential email
threats," said Sal Tripi, Assistant Vice President of Digital Operations
& Compliance at Publishers Clearing House. "We believe that online
businesses have a responsibility to protect users from phishing and
other email abuse. We feel that protecting our members with DMARC is
critical to future success of not only our business, but the vitality of
the online marketplace in general. DMARC allows us to provide
instructions to receivers on how to handle mail received without proper
authentication. The implementation and expansion of DMARC is one of the
most noteworthy developments in the email industry in the last few

Organizations interested in DMARC are encouraged to visit DMARC.org
where there is a comprehensive overview of the technology as well as
links to the specification, discussion lists, and support resources.

DMARC.org (Domain-based Message Authentication, Reporting and
Conformance) is an unincorporated working group made up of many of the
world's leading email providers (AOL, Comcast, Google, NetEase,
Outlook.com, Yahoo! Mail), financial institutions and service providers
(Bank of America, Fidelity Investments, J.P. Morgan Chase, PayPal),
social media properties (American Greetings, Facebook, LinkedIn) and
email security solutions providers (Agari, Cloudmark, Return Path,
Trusted Domain Project). The group is dedicated to developing Internet
standards to reduce the threat of email phishing and to improve
coordination between email providers and mail sender domain owners.