The PayPal Product and Ecosystem Security Team is pleased to announce that on March 18, 2015, the Internet Engineering Task Force (IETF) published RFC 7489 for Domain-based Message Authentication Reporting and Conformance (DMARC).
Starting in 2009, PayPal began work with several major mailbox providers to explore the effectiveness of combining common email authentication technologies in order to improve their effectiveness. Soon, other companies sharing our need to secure email as a trusted channel of communication joined the collaboration. In 2011, the experimental solution was proven effective at combatting spoofed domain email attacks, those types of attacks where the malicious actor intentionally tries to send email masquerading as coming from another domain. At this point, the group made the DMARC specification available to the public. As a review of the 3rd year since it was made public, we detailed DMARC’s broadening adoption and performance in a post on our PayPal Forward on February 18, 2015.
DMARC is essentially a policy layer that builds on top of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Taken together, SPF (server authorization), DKIM (message integrity), and DMARC form a robust system designed to authenticate email as having been sent from or on behalf of the claimed domain. Further, DMARC enables senders to tell receivers what to do when a message fails to authenticate and requests that receivers send information back to senders about those failures. DMARC’s policies are published in the public DNS and are available for anyone to use. The system removes the guesswork from a receiver’s detection and handling of spoofed-domain messages, and nearly eliminates users’ exposure to potentially fraudulent and harmful messages that spoof a protected domain.
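To make the policy layer described above concrete, the following is an added example (not PayPal’s code, and not a reference implementation from the RFC) that parses a DMARC TXT record as a receiver would fetch it from DNS, checks whether a passing SPF or DKIM result is aligned with the RFC5322.From domain, and returns the disposition the sender’s policy requests. The domain `example.com`, the report address, and the sample authentication results are constructed for illustration. The organizational-domain helper is a deliberate simplification: it takes the last two labels, whereas a production receiver consults the Public Suffix List as RFC 7489 describes.

```python
"""Added example: apply a published DMARC policy to a message's SPF/DKIM results.

This is illustrative code, not PayPal's implementation. Domains, addresses and
results below are constructed sample values.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse a 'v=DMARC1; p=...; ...' TXT record into a tag dictionary.

    Fills in the RFC 7489 defaults for the optional alignment and pct tags.
    Raises ValueError if the record is not a DMARC record or lacks 'p'.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid required 'p' tag")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless told otherwise
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless told otherwise
    tags.setdefault("pct", "100")   # apply the policy to all failing mail
    return tags


def organizational_domain(domain: str) -> str:
    """Assumption: the last two labels approximate the organizational domain.

    A real receiver uses the Public Suffix List (RFC 7489, section 3.2), so
    names like 'example.co.uk' would be handled differently there.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    fd = from_domain.lower().rstrip(".")
    ad = auth_domain.lower().rstrip(".")
    if mode == "s":
        return fd == ad
    return organizational_domain(fd) == organizational_domain(ad)


@dataclass
class AuthResults:
    """Per-message results a receiver has already computed (constructed sample)."""
    from_domain: str    # RFC5322.From domain, the identifier DMARC protects
    spf_pass: bool      # SPF verdict for the RFC5321.MailFrom domain
    spf_domain: str     # domain SPF was evaluated against
    dkim_pass: bool     # at least one DKIM signature verified
    dkim_domain: str    # d= of that passing signature ('' if none)


def dmarc_disposition(record: dict, r: AuthResults, sample: int = 0) -> str:
    """Return 'pass', or the sender-requested disposition for a failing message.

    `sample` is a value in 0..99 the receiver would draw at random; when it is
    at or above pct, the policy is stepped down one level (RFC 7489, 6.6.4).
    """
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, record["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    policy = record["p"]
    if sample >= int(record["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


def evaluate(txt: str, r: AuthResults, sample: int = 0) -> str:
    """Convenience wrapper: parse the record, then compute the disposition."""
    return dmarc_disposition(parse_dmarc_record(txt), r, sample)


if __name__ == "__main__":
    # Constructed sample record and message results, not real DNS data.
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
    spoofed = AuthResults("example.com", True, "attacker.example.net", False, "")
    legit = AuthResults("example.com", True, "bounce.example.com", False, "")
    print(evaluate(record, spoofed), evaluate(record, legit))
```

The two checks that matter are visible in `dmarc_disposition`: a raw SPF or DKIM pass is not enough, the passing identifier must also align with the From domain, and only then does the message escape the published policy. A receiver that honours `rua=` would additionally aggregate these outcomes and mail them back to the address in the record.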
While the work to review and update the specification will continue as needed via the IETF DMARC Work Group, the publication of RFC 7489 was a critical step in developing a stable reference point for DMARC’s credibility. Steps like this illustrate our commitment to, and the value of, open standards to protect email as a trusted means of communication.
For more technical information: