Major email providers are working with Bank of America Corp., FMR LLC's Fidelity Investments and eBay Inc.'s PayPal on a new effort intended to reduce phishing emails.
The companies are hoping to create an environment that allows the recipient of an email from a bank to feel secure that it isn't a trick.
To achieve that, they have created DMARC.org, a working group of 15 companies that plans to promote a standard set of technologies that they say will lead to more secure email.
The email providers involved are Google Inc., Yahoo Inc., Microsoft Corp. and AOL Inc.
Some of the underlying technologies are already used widely in protecting email, relying on the equivalent of digital signatures that help identify a message's sender. But senders don't always authenticate every message they send, so recipients are forced to rely on complex and imperfect ways to distinguish trusted messages from potentially fraudulent ones, backers of the effort say.
Brett McDowell, chair of DMARC and a senior manager at PayPal, says senders also need policies that tell email providers how to treat messages that aren't authenticated. That way, the email provider will be able to vouch for the authenticity of the real emails — and block fake ones or label them suspicious.
PayPal has been using the authentication technologies with Yahoo's email service since 2007 and with Google's since 2008, Mr. McDowell says, and is now blocking around 200,000 fake emails per day. Adam Dawes, a product manager at Google, says that 15% of the messages the company delivers to inboxes — a count that doesn't include spam and other junk emails — is currently protected with the authentication safeguards.
Such volumes could be the reason that this effort to secure email can succeed where past ones have failed, representing a "critical mass" of key companies, says Mr. McDowell.
If the system were to work and email could be authenticated, it would allow businesses to communicate with customers in new ways — or rather in old ways that have been compromised by phishing attacks. A bank customer would be able to trust an email advising him to follow a link and update his account information, for example. Currently, many companies tell customers not to trust emails with this kind of message, and many consumers assume that such messages are phishing attacks.
"If you are a big bank or a retailer, you have a very strong interest in making sure people trust your messages," says Michael Osterman, president of Osterman Research, which tracks the messaging industry. While past efforts to secure email have fallen short, DMARC "has a lot of promise," he says.
Even if every email can be authenticated, it won't bring an end to email fraud, Mr. McDowell acknowledges. But it will mean that scammers need to find new addresses with which to launch their attacks. Instead of crafting an email that looks like it comes from paypal.com, for instance, it would need to come from "paypalpayments.com" or some other fake site.
The DMARC working group officially launches Monday. Initial participants also include social-networking companies such as Facebook Inc. and LinkedIn Corp. and messaging-security providers such as Agari Data Inc.