API Journal Authors: Elizabeth White, Dana Gardner, Christopher Harrold, Pat Romanski, Yeshim Deniz

News Feed Item

In First Year, DMARC Protects 60 Percent of Global Consumer Mailboxes

SAN JOSE, CA -- (Marketwire) -- 02/06/13 -- DMARC.org, an industry collaborative working to increase email trust, announced today that the DMARC standard now protects almost two-thirds of the world's 3.3 billion consumer mailboxes worldwide. First announced January 2012, DMARC marshals the forces of leading brands and email suppliers to combat rampant email deception and fraud, such as spam and phishing. The mailbox providers who have implemented DMARC represent roughly 80 percent of consumer inboxes in the United States. The standard has also been implemented at leading mailbox providers in the Netherlands, China, and Russia, representing hundreds of millions of mailboxes.

"DMARC is a testimony to private sector and market-driven collaboration to combat a real problem on the Internet," said Trent Adams, chair of DMARC.org and senior policy advisor at PayPal. "The successful adoption of DMARC has been phenomenal. And the effectiveness proves that any brand owner interested in increasing protection of their email stream should deploy DMARC today."

On the sender side, DMARC is seeing wide acceptance, especially by very high-volume mailers. Data provided by DMARC member companies shows that 10 of 20 domains with the highest sending volumes are now implementing DMARC, including many companies beyond the original DMARC.org consortium. The implementation of DMARC by mailbox providers and mail senders is having a measurable impact on consumers -- with more than 325 million messages rejected in November and December 2012 alone, by mailbox providers because they failed the DMARC authentication check.

"Despite being one of the world's largest email senders, we only require a handful of individuals to maintain all of Facebook's email security efforts thanks to DMARC," said Michael Adkins, Messaging Engineer, Facebook. "DMARC's powerful controls protect over 85% of our users from fraudulent email that claims to be from Facebook, and that's after just one year. Add in the visibility and insight provided by DMARC's reporting features and a very small team can have a huge impact on phishing."

DMARC, which stands for Domain-based Message Authentication, Reporting & Conformance, builds on previous email authentication advancements, SPF and DKIM, with strong protection of the author's address (From field) and creating a feedback loop from receivers back to legitimate email senders. This makes impersonation of the author's address difficult for phishers who are trying to send fraudulent email. Brands can use DMARC to easily notify email providers how to recognize and manage fraudulent mail, while also providing a means by which the receiver can report on fraudulent messages to the owner of the spoofed domain. Messages that pass DMARC validation will continue to be evaluated by the mailbox provider to determine ultimate placement of the message according to its spam-detection filters.

DMARC Performance by the Numbers

DMARC successfully addresses concerns that previously hindered widespread adoption and mass deployment of trusted email authentication solutions. The standards-based framework of DMARC establishes a foundational feedback loop so email senders and receivers communicate automatically about potential abuse. As more senders embrace DMARC, global protection against fraudulent email will continue to increase. Compelling data reported by Trend Micro, claims that 91 percent of targeted attacks involve highly tailored spear-phishing emails (http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-spear-phishing-email-most-favored-apt-attack-bait.pdf). Senders can use DMARC to defend their brands against becoming a vector of attack.

In its first year, DMARC:

  • Protects 60 percent of the world's email boxes or 1.976 billion of the estimated 3.3 billion email boxes worldwide. (http://www.email-marketing-reports.com/metrics/email-statistics.htm)

  • Has been adopted by the world's largest consumer email providers- AOL, Comcast, Google, Mail.ru, Microsoft, NetEase, Xs4All, and Yahoo!.

  • Can claim 50 percent of the top 20 sending domains publish a DMARC policy, with 70 percent of those domains asserting a policy that directs receivers to take action against unauthenticated messages.

  • Sender adoption exceeds the original DMARC.org membership, with 60 percent of the top sending domains publishing policy coming from companies not directly affiliated with DMARC.org.

  • Rejected hundreds of millions of potentially fraudulent messages from domains publishing a DMARC reject policy. As an example, in November and December 2012, more than 325 million messages were rejected as purporting to be "From" domains with a DMARC reject policy. Of those messages, 49 million were from highly phished domains*.

  • Protects 80 percent of US typical consumer mailboxes.

* Highly phished domains = Domains with a DMARC reject policy and more than 10 percent of all messages purporting to be from that domain failing authentication checks.

Service Providers Embrace DMARC

Mailbox providers who have deployed DMARC include AOL, Comcast, Google, Mail.ru, Microsoft, NetEase, Xs4All, and Yahoo!.

"DMARC implementation is of utmost importance to Microsoft as we protect our millions of email users against phishing and online fraud. At Microsoft, we want our users to be able to trust messages that appear in their inbox. The increasing global adoption is a cumulative effect; the more email sending brands that use DMARC, the broader the protection offered against phishing," said Krish Vitaldevara, Outlook.com's principal group program manager.

"We are excited with how quickly DMARC has been adopted in China, and we are pleased to be part of the effort," said Junping Chen, Senior Mail Security Officer at NetEase. "NetEase had more than 530 million mailbox users at the end of 2012 and is the first DMARC implementer in China. We estimate that DMARC protection already applies to over 50 percent of all Chinese consumer mailboxes, and adoption is accelerating."

"DMARC has reduced the risk of phishing for Gmail users by enabling us to effectively reject suspicious, unauthenticated messages that come from DMARC senders with a reject policy," said Adam Dawes, Product Manager at Google. "This capability gives users instant protection against zero hour phishing attacks and provides better assurance that spam classifications are accurate."

"Every day, email users are potentially exposed to a wide range of abusive emails -- from spam, to phishing attacks, to potential malware that can take over a computer. To combat this abuse, Yahoo! helped create the DMARC specification which now helps us recognize and prevent forged or spoofed emails from reaching our users," said Raj Ramaswamy, senior director, Yahoo! Mail. "We're encouraged to see the rapid global adoption of DMARC because it will keep all email users safer."

"DMARC helps protect AOL users from fraud and phishing attacks, which in turn helps our users trust the email they see in their inbox. After year one, we are seeing positive results from these efforts," said Jim Sargent, Anti-Spam Technology Development and Operations Manager, AOL. "AOL is proud to be a DMARC.org founding member and we see worldwide support for the standard. It's very gratifying to see the growth, expansion and innovation possible now with DMARC enabling greater trust in the email channel."

Leading Brands Rely on DMARC to Preserve Reputation and Protect Constituents

Brands, or email senders, have accelerated DMARC adoption. Compelled to ensure their brands' integrity with consumers, brands employ DMARC to ensure the authenticity of their emails and guard millions of would-be targets from popular phishing schemes that attempt to exploit them.

Leading brands across industry use DMARC, including Amazon, American Greetings, Apple, Bank of America, Blizzard Entertainment, Booking.com, eBay, Facebook, FedEx, Fidelity Investments, Google, Groupon, JP Morgan Chase, LinkedIn, LivingSocial, Netflix, PayPal, Tagged, Twitter, Western Union, Yelp, YouTube, and Zynga.**

** Brands in this list have been identified by publicly discoverable DMARC records available in the DNS.

Industry experts have embraced DMARC as a market-driven solution to secure the email channel against phishing and fraud. Active contributors participate through the open DMARC-Discuss email group (http://www.dmarc.org/participate.html). ISPs, brands, and security vendors collaboratively address issues and share information regarding the specification. This participation, combined with the DMARC Interoperability Workshop held at Facebook headquarters in July 2012, and global operational experience has continued to improve the specification in the past year.

Industry Associations Promote DMARC Awareness and Adoption

Leading industry groups have embraced DMARC and encourage their member companies to use DMARC to protect their brands and their audiences against nefarious phishing scams. The Financial Services - Information Sharing and Analysis Center (FS-ISAC), BITS - The Financial Services Round Table, and the Online Trust Alliance (OTA) have joined the DMARC.org efforts to benefit those most targeted by phishing.

The Messaging, Mobile, & Malware Anti-Abuse Working Group (M3AAWG) was instrumental in helping to incubate the DMARC specification, as well as providing ongoing education to its members and the public. As a commitment to the email ecosystem, they released a free video training series published on February 4th (http://www.maawg.org).

"M3AAGW has been supporting the development of DMARC since its inception at our M3AAWG meetings as part of our mission to combat messaging abuse," said Jerry Upton, M3AAWG Executive Director. "In addition, the DMARC training sessions we've hosted over the last year have all exceeded capacity, indicating the industry's high level of interest for this new, exceptionally useful technology."

Founded in 2004 to advance the business and brand protection value of email authentication, OTA provides ongoing education by way of its Email Authentication Training Academy, Email Authentication Deployment Guide for Senders, and annual adoption scorecard tracking adoption of the world's largest banks, commerce sites and social network sites (https://otalliance.org/resources/authentication/index.html). Supporting its commitment to education, OTA is hosting a series of DMARC Webinars planned for February 12th and 18th (https://otalliance.org/events/index.html).

"DMARC brings together the business and technical value and is on track to be a baseline security requirement and essential brand and consumer protection tool. Brands which fail to implement DMARC at their top-level domain are putting their customers and employees at an unacceptable risk to the spread of fraudulent and malicious email," said Craig Spiezle, Executive Director & President of OTA.

BITS is publishing an Email Authentication Guide to its members and supports the effort by offering a Trusted Email Registry program for its members that includes DMARC support.

"Even as other communication channels are gaining momentum, email remains a well-used, established communication channel for consumers. Unfortunately, it also remains a mechanism used by cyber criminals to lure victims into providing private information or to implant malicious software. Email authentication is critical to protect consumers from harm and potential fraud," said Paul Smocer, BITS president. "BITS is pleased to provide ongoing support to DMARC as it progresses its efforts in bringing stakeholders together -- email and service providers with financial institutions -- to enable email senders and receivers to collaborate via DMARC specifications for strong email authentication. These efforts will help all consumers and in particular, customers of financial services institutions."

Interested organizations are encouraged to read the specification, join the dmarc-discuss mailing list at www.dmarc.org, and begin testing and deploying email authentication standards SPF, DKIM, and DMARC. DMARC.org members will be participating in discussions about the specification at MAAWG and RSA conferences in February. See www.dmarc.org for details.

About DMARC.org
DMARC.org (Domain-based Message Authentication, Reporting and Conformance) is an unincorporated working group made up of many of the world's leading email providers (AOL, Comcast, Google, Hotmail, NetEase, Yahoo! Mail), financial institutions and service providers (Bank of America, Fidelity Investments, J.P. Morgan Chase, PayPal), social media properties (American Greetings, Facebook, LinkedIn) and email security solutions providers (Agari, Cloudmark, Return Path, Trusted Domain Project). The group is dedicated to developing Internet standards to reduce the threat of email phishing and to improve coordination between email providers and mail sender domain owners.

The DMARC specification and further information can be found at www.dmarc.org.

Add to Digg Bookmark with del.icio.us Add to Newsvine

Media Contact:
Suzanne Matick
for DMARC.org
suzanne [at] matick.net
831-479-1888 Pacific time zone

More Stories By Marketwired .

Copyright © 2009 Marketwired. All rights reserved. All the news releases provided by Marketwired are copyrighted. Any forms of copying other than an individual user's personal reference without express written permission is prohibited. Further distribution of these materials is strictly forbidden, including but not limited to, posting, emailing, faxing, archiving in a public database, redistributing via a computer network or in a printed form.

@ThingsExpo Stories
Intelligent machines are here. Robots, self-driving cars, drones, bots and many IoT devices are becoming smarter with Machine Learning. In her session at @ThingsExpo, Sudha Jamthe, CEO of IoTDisruptions.com, will discuss the next wave of business disruption at the junction of IoT and AI, impacting many industries and set to change our lives, work and world as we know it.
SYS-CON Events announced today that Enzu will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Enzu’s mission is to be the leading provider of enterprise cloud solutions worldwide. Enzu enables online businesses to use its IT infrastructure to their competitive advantage. By offering a suite of proven hosting and management services, Enzu wants companies to focus on the core of their online busine...
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
The Open Connectivity Foundation (OCF), sponsor of the IoTivity open source project, and AllSeen Alliance, which provides the AllJoyn® open source IoT framework, today announced that the two organizations’ boards have approved a merger under the OCF name and bylaws. This merger will advance interoperability between connected devices from both groups, enabling the full operating potential of IoT and representing a significant step towards a connected ecosystem.
November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Penta Security is a leading vendor for data security solutions, including its encryption solution, D’Amo. By using FPE technology, D’Amo allows for the implementation of encryption technology to sensitive data fields without modification to schema in the database environment. With businesses having their data become increasingly more complicated in their mission-critical applications (such as ERP, CRM, HRM), continued ...
SYS-CON Events announced today that Embotics, the cloud automation company, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Embotics is the cloud automation company for IT organizations and service providers that need to improve provisioning or enable self-service capabilities. With a relentless focus on delivering a premier user experience and unmatched customer support, Embotics is the fas...
SYS-CON Events announced today that Cloudbric, a leading website security provider, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Cloudbric is an elite full service website protection solution specifically designed for IT novices, entrepreneurs, and small and medium businesses. First launched in 2015, Cloudbric is based on the enterprise level Web Application Firewall by Penta Security Sys...
Smart Cities are here to stay, but for their promise to be delivered, the data they produce must not be put in new siloes. In his session at @ThingsExpo, Mathias Herberts, Co-founder and CTO of Cityzen Data, will deep dive into best practices that will ensure a successful smart city journey.
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, will discuss the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
SYS-CON Events announced today that MathFreeOn will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. MathFreeOn is Software as a Service (SaaS) used in Engineering and Math education. Write scripts and solve math problems online. MathFreeOn provides online courses for beginners or amateurs who have difficulties in writing scripts. In accordance with various mathematical topics, there are more tha...
Successful digital transformation requires new organizational competencies and capabilities. Research tells us that the biggest impediment to successful transformation is human; consequently, the biggest enabler is a properly skilled and empowered workforce. In the digital age, new individual and collective competencies are required. In his session at 19th Cloud Expo, Bob Newhouse, CEO and founder of Agilitiv, will draw together recent research and lessons learned from emerging and established ...
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, will discuss how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team a...
Virgil consists of an open-source encryption library, which implements Cryptographic Message Syntax (CMS) and Elliptic Curve Integrated Encryption Scheme (ECIES) (including RSA schema), a Key Management API, and a cloud-based Key Management Service (Virgil Keys). The Virgil Keys Service consists of a public key service and a private key escrow service. 

@ThingsExpo has been named the Top 5 Most Influential Internet of Things Brand by Onalytica in the ‘The Internet of Things Landscape 2015: Top 100 Individuals and Brands.' Onalytica analyzed Twitter conversations around the #IoT debate to uncover the most influential brands and individuals driving the conversation. Onalytica captured data from 56,224 users. The PageRank based methodology they use to extract influencers on a particular topic (tweets mentioning #InternetofThings or #IoT in this ...
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smar...
Web Real-Time Communication APIs have quickly revolutionized what browsers are capable of. In addition to video and audio streams, we can now bi-directionally send arbitrary data over WebRTC's PeerConnection Data Channels. With the advent of Progressive Web Apps and new hardware APIs such as WebBluetooh and WebUSB, we can finally enable users to stitch together the Internet of Things directly from their browsers while communicating privately and securely in a decentralized way.
With an estimated 50 billion devices connected to the Internet by 2020, several industries will begin to expand their capabilities for retaining end point data at the edge to better utilize the range of data types and sheer volume of M2M data generated by the Internet of Things. In his session at @ThingsExpo, Don DeLoach, CEO and President of Infobright, discussed the infrastructures businesses will need to implement to handle this explosion of data by providing specific use cases for filterin...
In past @ThingsExpo presentations, Joseph di Paolantonio has explored how various Internet of Things (IoT) and data management and analytics (DMA) solution spaces will come together as sensor analytics ecosystems. This year, in his session at @ThingsExpo, Joseph di Paolantonio from DataArchon, will be adding the numerous Transportation areas, from autonomous vehicles to “Uber for containers.” While IoT data in any one area of Transportation will have a huge impact in that area, combining sensor...
Ask someone to architect an Internet of Things (IoT) solution and you are guaranteed to see a reference to the cloud. This would lead you to believe that IoT requires the cloud to exist. However, there are many IoT use cases where the cloud is not feasible or desirable. In his session at @ThingsExpo, Dave McCarthy, Director of Products at Bsquare Corporation, will discuss the strategies that exist to extend intelligence directly to IoT devices and sensors, freeing them from the constraints of ...