
The Globe and Mail

Microsoft, Google push new plan to combat e-mail scams


Some of the world's biggest Internet companies and financial services firms have developed a new approach to fighting e-mail spam that they hope will reduce online scams.

Facebook, Google Inc. and Microsoft Corp. have joined with financial firms Bank of America Corp., Fidelity Investments and eBay Inc.'s PayPal to create a set of industry standards for preventing criminals from sending out spam e-mails that appear to come from corporate e-mail addresses.

Fraudsters often pose as banks and other trusted firms in attempts to persuade e-mail recipients to provide payment card numbers, bank account information and other personal data or click on links that infect computers with malicious software.


The new approach calls for email providers and businesses to attack spammers by coordinating on a massive scale the use of two existing technologies for e-mail authentication known by the acronyms SPF and DKIM, which have yet to be widely adopted.

PayPal is one company that currently uses SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) technology standards to fight email spoofing, but only through partnerships with Yahoo Inc. and Google, said Brett McDowell, a security manager at PayPal who serves as chairman of the group that developed the new standard.

The group goes by the name DMARC.org, which stands for Domain-based Message Authentication, Reporting and Conformance.

If Yahoo or Google get an e-mail claiming to come from PayPal that is not properly authenticated with SPF or DKIM, the email is not delivered, he said. But if fraudsters send spoofed PayPal e-mail to other e-mail providers, it might get through.

"What we need is an Internet standard that allows this level of protection to work at scale - without any discussion, without any partner agreements," Mr. McDowell said. "That is what DMARC does."

Other companies involved in the group include American Greetings Corp., LinkedIn Corp. and Yahoo as well as privately held Agari, Cloudmark, eCert, Return Path and the Trusted Domain Project.

IDC security analyst Michael Versace said that the approach recommended by the group appeared to be effective and inexpensive to implement.


Yet he said that the industry should keep developing new technologies to fight spammers because he expects that cyber criminals will eventually figure out how to circumvent the DMARC protections.
