SYS-CON MEDIA Authors: Pat Romanski, Sean Houghton, Glenn Rossman, Ignacio M. Llorente, Xenia von Wedel

News Feed Item

Prominent Brands Cut Email Abuse by More than 50% with DMARC

DMARC.org, an industry collaborative working to increase consumer trust in email, published new data demonstrating how DMARC adoption reduces the risks associated with fraudulent email. Senders, such as Facebook, PayPal, and Twitter, as well as receivers, such as Google and Microsoft, are seeing significant reduction in the delivery of malicious emails to consumer inboxes.

DMARC, which stands for Domain-based Message Authentication, Reporting, & Conformance, is a specification that defines how email can be authenticated by receivers and how they can report the authentication results back to the sender. The specification was published in 2012, and it is now celebrating its second year of having a positive effect in protecting consumer inboxes from spoofed email.

Illustrating this trend, PayPal stated that customer reports of suspicious email dropped in the U.S. by more than 70% during 2013. Microsoft also announced that reports of phishing by users of Outlook.com dropped by more than 50% in 2013 over 2012. These trends clearly underscore the fact that less malicious email is being delivered to consumer inboxes, with DMARC being an important contributing factor.

“Implementing DMARC stopped nearly 25 million attempted attacks on our customers during the 2013 holiday buying season alone,” said Trent Adams, Chair of DMARC.org and Senior Advisor on email security for PayPal and eBay Inc. “Not only is DMARC shutting down spoofed domain attacks, but it has also cut the overall volume of daily attacks in half since 2012.”

While not every mailbox provider has added DMARC protection, users with email accounts operated by Google, Yahoo, Microsoft, AOL, Comcast, Netease, Mail.ru, and XS4All are protected today. This covers almost 2 billion accounts worldwide, protecting senders such as Amazon, American Greetings, DocuSign, Facebook, Fidelity Investments, JP Morgan Chase, LinkedIn, LivingSocial, PayPal, and Twitter.

As a major mailbox provider, Google has seen how effective implementing DMARC can be. In December Google reported that over 90% of emails received by Gmail users are now authenticated by DKIM or SPF, the underlying authentication mechanisms used by DMARC. Further, they report that over 80,000 domains have already published policies via DMARC allowing them to reject unauthenticated messages.

"We are very pleased with the industry adoption of DMARC, and the positive impact on protecting Gmail's users from spoofing and phishing attempts," said Google Product Manager John Rae-Grant. "As more of the industry adopts DMARC, we're increasingly able to reject hundreds of millions of fraudulent messages each week. This improves our ability to protect Gmail users and many brands that were previously targeted by spoofers and phishing attempts. For example, we saw a reduction of 5000% in the amount of spoofing email claiming to be from a major corporation during their busiest season after implementing a DMARC reject policy."

"DMARC protects more than 85% of the people who receive email from Facebook," said Michael Adkins, Production Engineer at Facebook. "That level of adoption has significantly diminished the financial incentive for criminals to spoof our domains, so they've moved on to other targets. People can trust their inboxes more as a result. We're proud to have been one of the first companies to deploy the DMARC specification at scale, and we're excited to see so many others achieving great results."

In the process of deploying DMARC, Twitter first took advantage of its reporting features to identify the scope of abuse against their domains. During the first 45 days of initial monitoring, Twitter saw nearly 2.5 billion messages spoofing its domains. The spoofed messages exceeded 110 million per day at their peak. Once Twitter moved to a DMARC “reject” policy, the number of spoofed messages dropped to only a few thousand within days.

"DMARC was eye-opening for our security team at Twitter,” said Josh Aberant, Postmaster at Twitter. “We found massive amounts of abuse from both our domains and look alike domains we'd claimed. Using DMARC to protect these domains and stop forgeries is a core component of how we protect our users."

“Since the introduction of email, cyber criminals have been hard at work determining ways to corrupt and exploit this communication channel,” said Patrick Peterson, founder and CEO of Agari. “The drastic reduction in attempted email fraud, even across multiple domains, is due primarily to the protections provided by the DMARC standard. For example, one of our prominent financial services clients saw spoofing levels drop an amazing 67% after publishing its DMARC reject policy in the fall of 2013.”

Return Path, a provider of email brand protection, reports similar results. “As awareness of DMARC prompts more senders to make the protection of consumers and brands a priority, Return Path has seen a 130% increase in both clients and domains publishing valid DMARC records over the last twelve months alone, and that growth is only accelerating,” said Matt Blumberg, CEO of Return Path. “Within the span of two years DMARC has introduced a sea change in email security, and the remaining brands that leave themselves and their customers vulnerable to fraud are taking unacceptable risks.”

"In just the last 90 days alone, DMARC has blocked over one hundred thousand messages across multiple sending domains, helping to protect the Publishers Clearing House brand and consumers from potential email threats," said Sal Tripi, Assistant Vice President of Digital Operations & Compliance at Publishers Clearing House. "We believe that online businesses have a responsibility to protect users from phishing and other email abuse. We feel that protecting our members with DMARC is critical to future success of not only our business, but the vitality of the online marketplace in general. DMARC allows us to provide instructions to receivers on how to handle mail received without proper authentication. The implementation and expansion of DMARC is one of the most noteworthy developments in the email industry in the last few years.”

Organizations interested in DMARC are encouraged to visit DMARC.org where there is a comprehensive overview of the technology as well as links to the specification, discussion lists, and support resources.

About DMARC.org

DMARC.org (Domain-based Message Authentication, Reporting and Conformance) is an unincorporated working group made up of many of the world’s leading email providers (AOL, Comcast, Google, NetEase, Outlook.com, Yahoo! Mail), financial institutions and service providers (Bank of America, Fidelity Investments, J.P. Morgan Chase, PayPal), social media properties (American Greetings, Facebook, LinkedIn) and email security solutions providers (Agari, Cloudmark, Return Path, Trusted Domain Project). The group is dedicated to developing Internet standards to reduce the threat of email phishing and to improve coordination between email providers and mail sender domain owners.

More Stories By Business Wire

Copyright © 2009 Business Wire. All rights reserved. Republication or redistribution of Business Wire content is expressly prohibited without the prior written consent of Business Wire. Business Wire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories

ARMONK, N.Y., Nov. 20, 2014 /PRNewswire/ --  IBM (NYSE: IBM) today announced that it is bringing a greater level of control, security and flexibility to cloud-based application development and delivery with a single-tenant version of Bluemix, IBM's

SYS-CON Events announced today that IDenticard will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. IDenticard™ is the security division of Brady Corp (NYSE: BRC), a $1.5 billion manufacturer of identification products. We have small-company values with the strength and stability of a major corporation. IDenticard offers local sales, support and service to our customers across the United States and Canada...
The cloud is becoming the de-facto way for enterprises to leverage common infrastructure while innovating and one of the biggest obstacles facing public cloud computing is security. In his session at 15th Cloud Expo, Jeff Aliber, a global marketing executive at Verizon, discussed how the best place for web security is in the cloud. Benefits include: Functions as the first layer of defense Easy operation –CNAME change Implement an integrated solution Best architecture for addressing network-l...
SYS-CON Events announced today that AIC, a leading provider of OEM/ODM server and storage solutions, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. AIC is a leading provider of both standard OTS, off-the-shelf, and OEM/ODM server and storage solutions. With expert in-house design capabilities, validation, manufacturing and production, AIC's broad selection of products are highly flexible and are conf...
“We help people build clusters, in the classical sense of the cluster. We help people put a full stack on top of every single one of those machines. We do the full bare metal install," explained Greg Bruno, Vice President of Engineering and co-founder of StackIQ, in this SYS-CON.tv interview at 15th Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Leysin American School is an exclusive, private boarding school located in Leysin, Switzerland. Leysin selected an OpenStack-powered, private cloud as a service to manage multiple applications and provide development environments for students across the institution. Seeking to meet rigid data sovereignty and data integrity requirements while offering flexible, on-demand cloud resources to users, Leysin identified OpenStack as the clear choice to round out the school's cloud strategy. Additional...
DevOps Summit 2015 New York, co-located with the 16th International Cloud Expo - to be held June 9-11, 2015, at the Javits Center in New York City, NY - announces that it is now accepting Keynote Proposals. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that produce software that is obsolete...
“DevOps is really about the business. The business is under pressure today, competitively in the marketplace to respond to the expectations of the customer. The business is driving IT and the problem is that IT isn't responding fast enough," explained Mark Levy, Senior Product Marketing Manager at Serena Software, in this SYS-CON.tv interview at DevOps Summit, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Mobile commerce traffic is surpassing desktop, yet less than 20% of sales in the U.S. are mobile commerce sales. In his session at 15th Cloud Expo, Dan Franklin, Segment Manager, Commerce, at Verizon Digital Media Services, defined mobile devices and discussed how next generation means simplification. It means taking your digital content and turning it into instantly gratifying experiences.
“In the past year we've seen a lot of stabilization of WebRTC. You can now use it in production with a far greater degree of certainty. A lot of the real developments in the past year have been in things like the data channel, which will enable a whole new type of application," explained Peter Dunkley, Technical Director at Acision, in this SYS-CON.tv interview at @ThingsExpo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that Windstream, a leading provider of advanced network and cloud communications, has been named “Silver Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. Windstream (Nasdaq: WIN), a FORTUNE 500 and S&P 500 company, is a leading provider of advanced network communications, including cloud computing and managed services, to businesses nationwide. The company also offers broadband, p...
The major cloud platforms defy a simple, side-by-side analysis. Each of the major IaaS public-cloud platforms offers their own unique strengths and functionality. Options for on-site private cloud are diverse as well, and must be designed and deployed while taking existing legacy architecture and infrastructure into account. Then the reality is that most enterprises are embarking on a hybrid cloud strategy and programs. In this Power Panel at 15th Cloud Expo (http://www.CloudComputingExpo.com...
Verizon Enterprise Solutions is simplifying the cloud-purchasing experience for its clients, with the launch of Verizon Cloud Marketplace, a key foundational component of the company's robust ecosystem of enterprise-class technologies. The online storefront will initially feature pre-built cloud-based services from AppDynamics, Hitachi Data Systems, Juniper Networks, PfSense and Tervela. Available globally to enterprises using Verizon Cloud, Verizon Cloud Marketplace provides a one-stop shop fo...
The Internet of Things is not new. Historically, smart businesses have used its basic concept of leveraging data to drive better decision making and have capitalized on those insights to realize additional revenue opportunities. So, what has changed to make the Internet of Things one of the hottest topics in tech? In his session at @ThingsExpo, Chris Gray, Director, Embedded and Internet of Things, discussed the underlying factors that are driving the economics of intelligent systems. Discover ...
The move in recent years to cloud computing services and architectures has added significant pace to the application development and deployment environment. When enterprise IT can spin up large computing instances in just minutes, developers can also design and deploy in small time frames that were unimaginable a few years ago. The consequent move toward lean, agile, and fast development leads to the need for the development and operations sides to work very closely together. Thus, DevOps become...