Let’s set a standard. That’s a routine and fundamental rallying call among industry veterans of every stripe, and it’s certainly a good basis for new technologies to gain traction. More to the point, a robust standard with broad support is also the best defense against shady operators and nefarious practices.
That’s the thinking behind DMARC, or “Domain-based Message Authentication, Reporting & Conformance.” This is a technical specification backed by a group of organizations, and it’s designed to at least reduce the potential for email-based abuse by solving some long-standing operational, deployment, and reporting issues related to email authentication protocols.
No industry should be more interested in, and get more involved with, these developments than financial services. As we all know, there’s currently a huge array of email options available to every company and every consumer. That’s a good thing, and it’s partly why most of us have multiple e-mail addresses. On the flip side, email is relatively easy to spoof, and criminals use the practice with relish to exploit consumer trust, particularly with well-known brands. Factor in growing e-commerce and the rise of social media, and it’s essentially a ready-made recipe for compromising bank accounts, credit cards, etc.
That’s why, just this week, Bank of America, Fidelity Investments and PayPal all signed on with existing backers—including such industry heavyweights as Google, Microsoft and Facebook—to get behind the standardization effort. Bits, the technology policy division of the US bank-backed Financial Services Roundtable, has also announced its support for this initiative.
DMARC standardizes how email recipients perform email authentication across such common platforms as AOL, Gmail, Hotmail and Yahoo! It enables a sender to indicate that their emails are protected by specific mechanisms such as SPF and/or DKIM, to tell the recipient what to do when those methods flag the message, and to have the problem reported back to the sender easily.
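To make the sender-policy mechanism concrete, here is an added example (not from the original article or the DMARC working group) that parses a DMARC policy record and decides what a receiver does with one message. The tag names (`v`, `p`, `sp`, `rua`) come from the published DMARC specification; the sample record, the `bank.example` domain and the function names are constructed for illustration, and the SPF/DKIM results are assumed to have been computed and alignment-checked already.

```python
# Added example: a sender's DMARC record and the receiver's resulting action.
VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Split a DMARC TXT record into a dict of lowercase tag -> value."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    # Simplification: the specification defines fallback behaviour for a bad
    # p= tag when rua= is present; this example just rejects the record.
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("missing or invalid p= policy")
    return tags

def receiver_action(tags, spf_aligned_pass, dkim_aligned_pass,
                    from_is_subdomain=False):
    """Return (action, report_uris) for one message.

    DMARC passes when either SPF or DKIM passes for a domain aligned with
    the visible From: domain; the published policy applies only on failure.
    """
    reports = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if spf_aligned_pass or dkim_aligned_pass:
        return "deliver", reports
    policy = tags["p"].lower()
    # sp= overrides p= for mail claiming to come from a subdomain.
    if from_is_subdomain and tags.get("sp", "").lower() in VALID_POLICIES:
        policy = tags["sp"].lower()
    # p=none is monitoring mode: deliver anyway, but still report.
    action = "deliver" if policy == "none" else policy
    return action, reports

# Constructed sample record, as it would be published in DNS at
# _dmarc.bank.example (hypothetical domain).
SAMPLE = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@bank.example"

if __name__ == "__main__":
    tags = parse_dmarc(SAMPLE)
    print(receiver_action(tags, False, True))    # DKIM aligned pass
    print(receiver_action(tags, False, False))   # both fail, organizational domain
    print(receiver_action(tags, False, False, from_is_subdomain=True))
```

In every case the report address is returned alongside the action, which is how the sending domain learns about failures even when mail is delivered.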
Of course, as with any major standard, this is a work in progress. The DMARC working group has developed a draft specification that will be tested among group members before it is submitted to the Internet Engineering Task Force (IETF) for standardization.
As we’ve discussed in this forum recently, the implementation of a single standard isn’t always a panacea. But given the proliferation of email formats and data types, along with the security problems they introduce, an open standard that enhances protection without compromising innovation would be welcome. It’s another good way to keep the money safe.