
Joining Together in the Fight Against Phishing

Monday, January 30th, 2012

Today Yahoo! Mail and the email industry took a big, collective step towards helping end phishing. Phishing is when someone misrepresents their identity and sends you a fake email that is designed to look like it was sent by a legitimate institution. It is one of the biggest online threats today and it’s been a tough challenge to solve because it’s multifaceted from a technical standpoint and, unfortunately, still lucrative from a phisher’s standpoint.

Yahoo!, along with many other companies, has been hard at work on something we believe will be critical in helping make email safer and more secure. Today, the DMARC consortium launched publicly. DMARC is the result of several major technology providers and large email senders (like Bank of America) coming together to fight a common enemy: phishing. Though DMARC came together relatively recently, the genesis of the idea started several years ago when we joined with PayPal and eBay in 2007 to block malicious messages through the use of DomainKeys authentication, a technology we helped build and popularize. From there, the idea snowballed (in a good way!) and we began talking to other companies to see how we could leverage this standard for the larger industry.

Right now, Yahoo! Mail uses existing standards like DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF), which use cryptography to prove the identity of the sender domain. DMARC builds upon the foundation of DKIM and SPF and creates an even stronger foothold to fight against phishing. Currently with DKIM and SPF, an email can prove it came to Yahoo! Mail from a trusted sender. But, with DMARC, the email now has to prove it’s coming from a trusted sender. Otherwise, it will get thrown out and never reach a user’s mailbox.

Big companies who send lots of emails already had this capability, but thousands and millions of smaller companies don’t have the resources. DMARC gives senders of all sizes a way to specify what their authentication policies are, thus ensuring their emails are reaching the right people.

We block millions of phishing emails a day using these standards, and route millions more into spam folders instead of users’ inboxes. We’re proud of that, but we’d like to block all email that is lying about where it comes from, without blocking good mail. In order to do that, we need to make it much easier for all companies to use these technologies, and that’s what DMARC is about.

We’re glad that DMARC has gone public. Stay tuned over the coming year as we continue to work with DMARC.

- The Yahoo Mail Team