DMARC Goes Live

Yesterday, dmarc.org released the new DMARC standard for email.  Contributors to the DMARC standard include Agari, American Greetings, AOL, Bank of America, Cloudmark, Comcast, Facebook, Fidelity Investments, Google, LinkedIn, Microsoft, PayPal, Return Path, TDP, and Yahoo!.

DMARC stands for “Domain-based Message Authentication, Reporting & Conformance.”  DMARC provides important extensions to the existing email authentication standards by providing automated and standardized methods to process messages that fail email authentication. DMARC explains the significance of this enhancement:

A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.

Let’s look at an example. If a phisher spoofs “paypal.com”, the real email address of PayPal, the bad guy cannot send email from PayPal’s email servers. Because the bad guy can’t use the real email servers, the fake paypal.com email will fail authentication. Before DMARC, webmail services such as Hotmail, Yahoo! Mail, AOL, Mail and Gmail lacked a systematic way for senders to tell them what to do with emails that failed authentication. This is where DMARC comes into play. If PayPal is using DMARC, webmail providers will know that PayPal wants them to reject the fake “paypal.com” email.

Let’s look at another example. What does DMARC do if a phisher uses a deceptive email address instead of “paypal.com”?  Consider the example of paypa1.com, where the last letter is really the number one instead of the letter el. Because the deceptive domain is not paypal.com, the deceptive domain is not governed by the authentication records of the paypal.com or the DMARC instructions for paypal.com. The authentication records and DMARC instructions for paypal.com govern only paypal.com and not the other hundreds of millions of domains that exist and will be created. DMARC will have no impact on paypa1.com emails.

While DMARC can deny bad guys the use of the actual domains of trusted senders, DMARC cannot stop bad guys from using domains that are not the actual domains of trusted senders. DMARC will not stop pay-pal.com, fasebook.com, or the myriad of other deceptive domains that bad guys will dream up. DMARC is useful because it:

• allows senders to specify handling policies about messages that fail authentication, and
• provides feedback that can help senders improve their authentication accuracy,

but it only addresses one of many doors that phishers use to get into the inbox.

To deal with all the doors leading to your inbox , you need more. You need a service that can distinguish real from fake for leading consumer brands, regardless of the methods that phishers use. You need eMail ID from Iconix.

Know Who. No Doubt. Use eMail ID.

Iconix Goes Dutch

Maarten Oelering, an IT Consultant and Email Delivery Expert in Holland, noted in a tweet today that Marktplaats (NL) is now sending with DKIM and supporting the Iconix trust icon.  Marktplaats is a Dutch affiliate of eBay.

You can check out our Marktplaats experience at http://www.iconix.com/locale/nl/marktplaats/

Iconix Whitepaper – Getting More From Email Authentication

Today Iconix released a whitepaper entitled, “Getting More From Email Authentication.”

As the whitepaper describes, Email authentication is a technical means of identifying the sender of email.  When a sender uses email authentication, a public record is created that that can be used by the recipient to verify the identity of the sender.  However, email authentication is a self-issued credential.  The owner of phishing.com can authenticate its email.  Email authentication alone does not solve the problem of bad guys pretending to be good guys.  Email authentication is used by email filtering systems as an important spam indicator.  Unauthenticated email is suspect and is less likely to be delivered.  Additionally, by combining the identity of the sending server (which is determined using email authentication) with email reputation data from vendors such as Return Path, spam filters can be fine-tuned to do a better job of delivering messages that users want.  

Email authentication can help senders get their email into the inbox, but the delivered message looks like all the other messages – lost in a sea of text that makes it hard to find.  Recipients want to find emails of interest that are lost sea of text.  And when they find it, they want to know it’s real!  That is where Iconix comes in.

 

Just as you distinguish your goods and services with your trademark, you can now distinguish email you send using the Truemark® service from Iconix.  Using patented and patent pending extensions of email authentication, Iconix marks your email so that your recipients can instantly recognize your messages in the inbox.

To learn more, visit us at http://iconix.com/business/.

Iconix Issued Fourth U.S. Patent for Email

ICONIX, Inc., the industry leader in visual email solutions, announced that the United States Patent and Trademark Office has issued Iconix’s fourth patent titled
“E-MAIL MESSAGE AUTHENTICATION AND MARKING EXTENDING STANDARDS COMPLAINT TECHNIQUES.”

The abstract for U.S. Patent 7,801,961, dated September 21, 2010, states: “A system and method for e-mail authentication. The method includes aggregating a plurality of headers associated with an e-mail message and transmitting the aggregated plurality of headers to a validation service. A validation response is then received from the validation service. The e-mail is authenticated based on the validation response.” Iconix filed the patent on May 9, 2008.

“Among other things, various claims of this patent address using standards-based authentication, such as SPF and DKIM, to provide email recipients with visual indications of the integrity of the sender,” said Jeff Wilbur, vice-president of marketing at ICONIX. “In accordance with one aspect of the inventions covered within the patent, giving consumers visual indications of emails’ integrity allows consumers to easily distinguish real email from fake email in their inboxes.”

“The focus of our Online Trust and Cybersecurity Forum in Washington, D.C. is to educate businesses, government organizations and consumer advocacy groups regarding best practices and the latest technologies to ensure safer online experiences,” said Craig Spiezle, Executive Director of the Online Trust Alliance. “The technology delivered by ICONIX in this patent is exactly the type of innovation that helps increase consumer trust in online activity.”

You can read the entire press release here:  http://www.iconix.com/corp/pr-20100922.php

Trend Micro Partners with Iconix to Deliver Visual ID for Email

Trend Micro, a global leader in Internet content security, and Iconix, Inc., an industry leader in visual email solutions, announced that Trend Micro will offer a branded version of the Iconix eMail ID solution, worldwide through its service provider partners.

Trend Micro eMail ID Truemark Service marks legitimate email messages with the sender’s logo. With this service, email recipients can instantly find messages they care about, and more readily avoid phishing attacks and other malicious email. At the same time, senders of email — including financial services, governments and healthcare organizations — can help better protect their brand from spoofing, and ensure higher response rates.

The new service, targeted to both enterprises and service providers, marks legitimate outgoing emails with a distinct graphic that is unique to its sender. It works with most major email programs so that end users can avoid fake messages and find the legitimate ones quickly and respond to them immediately. eMail ID Truemark Service complements other Trend Micro tools and products by operating directly in the email client.

“Besides being an annoyance, spam costs organizations irreplaceable time and money,” said Wael Mohamed, senior vice president, global alliances, Trend Micro. “Trend Micro is serious about protecting customers from these dangers, and our core technologies have been top-rated in anti-spam and anti-malware. Our partnership with Iconix complements this leadership, and helps us better protect enterprises and their brands, while helping save time and costs.”

“With our product, email recipients can easily tell real from fake email, for thousands of senders,” said Bill Ames, vice president of sales for Iconix. “We’re proud to be working with Trend Micro, a technology and market leader in email security, to help create a safer and better email experience for senders and recipients alike.”

Availability

Trend Micro eMail ID Truemark Service is available immediately, directly through Trend Micro. The eMail ID desktop software is available as a free plug-in for consumers from Trend Micro at http://free.antivirus.com/email-id/.

You can read the entire press release here:  http://www.prnewswire.com/news-releases/trend-micro-partners-with-iconix-to-deliver-visual-id-for-email-103516949.html

When Authentic Isn’t Real

Our Truemark service relies on email authentication (SPF/Sender ID or DomainKeys/DKIM) as a foundation for verifying legitimate messages. And there are some email services out there that indicate with an icon whether a message has passed authentication. But is email authentication by itself enough?

Nope (you knew that was coming). Email authentication only tells me that the message really came from the entity who claimed to send it. That works great when someone pretending to be a bank uses the bank’s email address – the authentication will fail and the message can be dropped so consumers never see it. 

But what if they create a domain name that sounds like it belongs to the bank (e.g., bank-support.com) and then send email from there? It’s possible for the sender of such a message to authenticate their email and have it pass. Uh-oh. So much for using authentication alone to determine the legitimacy of messages.

So how do you really know when a message is legitimate? It takes at least one more piece of information. The most definitive is a list of domains the company uses to send email. Then it’s simple – compare the domain in the message to the company’s list, and if there’s a match and the message can be authenticated, you’re good. That’s how our Truemark service works (it’s actually more complicated than that since there are several “from” addresses in an email message, but that’s for another time). 

Another way to verify legitimacy is by assigning reputation to messages from specific domains or IP addresses. This requires a monitoring of new domains/addresses over time to determine whether messages sent from there are “good”. In this case, authentication plays a role since it allows you to verify that the message actually came from those domains/addresses, but it isn’t as definitive as comparing to a known-good list.

Bottom line? Like those products labeled “made of genuine artificial leather,” just because an email is marked as “authenticated” doesn’t mean it’s real.