Strengthening Email Authentication Standards for the Fight Against Phishing


Email authentication standards are now in use across the IT industry, the result of a decade-long effort by standards bodies to reduce the risk of domain impersonation by spammers and to stamp out email phishing. SPF (Sender Policy Framework) lets a domain publish in DNS which servers may send mail on its behalf; DKIM (DomainKeys Identified Mail) lets a sending server sign each message with a key whose public half is published in DNS. Neither on its own tells a receiver what to do when a check fails, nor whether the domain that passed the check is the one in the From header the user actually sees. The DMARC (Domain-based Message Authentication, Reporting and Conformance) specification closed that gap: it ties SPF and DKIM results to the visible From domain (alignment), lets the domain owner publish a policy for failures (none, quarantine or reject) and adds aggregate and failure reporting. That solved the deployment and feedback problems that had held back SPF and DKIM and turned them into reliable tools for email authentication.

Major public email providers including Yahoo!, AOL, Hotmail and Gmail implement DMARC. Google reports that 91.4% of the non-spam email Gmail receives comes from authenticated senders. Filtering spam from Gmail inboxes has therefore become easier: unauthenticated mail that claims a DMARC-protected domain can be quarantined or rejected before it reaches an inbox.

In a blog post, Google gives some statistics from Gmail's operations to encourage domain owners to adopt these email authentication standards in the fight against email phishing:

  • 76.9% of the emails we received are signed according to the (DKIM) standard. Over half a million domains (weekly active) have adopted this standard.
  • 89.1% of incoming email we receive comes from SMTP servers that are authenticated using the SPF standard. Over 3.5 million domains (weekly active) have adopted the SPF standard.
  • 74.7% of incoming email we receive is protected by both the DKIM and SPF standards.
  • Over 80,000 domains have deployed domain-wide policies that allow us to reject hundreds of millions of unauthenticated emails every week via the DMARC standard.

The post also points out that DKIM needs strong signing keys (RFC 6376 calls for at least 1024-bit RSA; 512-bit DKIM keys have been factored in practice and used to forge signatures) to make impersonation hard, and that configuration errors such as a stale or mismatched public key in DNS must be avoided, because they make legitimate mail fail verification. Domains that never send email should be covered as well: publish a DMARC record with p=reject (and an SPF record of v=spf1 -all) for them, so that receivers discard anything that claims to come from those domains.
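To make concrete how DMARC ties SPF and DKIM to the visible From domain, and how a p=reject policy on a never-sending domain plays out at the receiver, here is an added example of the receiver-side evaluation. It is not code from Google's post or from any mail server; the DNS_TXT dictionary stands in for real DNS lookups with constructed records, the domains are placeholders, and organizational_domain is a simplification (production code consults the Public Suffix List). Tag names (p, sp, aspf, adkim) are the real DMARC record tags.

```python
"""DMARC policy evaluation over SPF and DKIM results (added example)."""
from dataclasses import dataclass

# Constructed stand-in for DNS TXT lookups; a real receiver queries DNS.
DNS_TXT = {
    # Strict SPF alignment, relaxed DKIM alignment, quarantine on failure.
    "_dmarc.example.com": "v=DMARC1; p=quarantine; adkim=r; aspf=s; rua=mailto:dmarc@example.com",
    # Org domain is lenient, but every subdomain failure is rejected via sp=.
    "_dmarc.example.org": "v=DMARC1; p=none; sp=reject",
    # A parked domain that never sends mail: reject anything claiming to be from it.
    "_dmarc.parked.example": "v=DMARC1; p=reject",
    "parked.example": "v=spf1 -all",
}


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError(f"not a valid DMARC record: {txt!r}")
    return tags


def organizational_domain(domain: str) -> str:
    """Approximation of the RFC 7489 organizational domain (last two labels).
    Production code must use the Public Suffix List (think co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' only the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header the user sees
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain that SPF was checked against
    dkim_result: str   # "pass", "fail", "none"
    dkim_domain: str   # d= tag of the verified signature ("" if none)


def evaluate_dmarc(r: AuthResults) -> tuple:
    """Return (dmarc_result, disposition) for one message.
    dmarc_result is "pass", "fail" or "none" (no record); disposition is the p=/sp= value to apply."""
    from_domain = r.from_domain.lower().rstrip(".")
    org = organizational_domain(from_domain)
    # Look up _dmarc.<From domain> first, then fall back to the organizational domain.
    record, found_at_org = DNS_TXT.get(f"_dmarc.{from_domain}"), False
    if record is None and org != from_domain:
        record, found_at_org = DNS_TXT.get(f"_dmarc.{org}"), True
    if record is None:
        return ("none", "none")  # no policy published; nothing to enforce
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = (r.dkim_result == "pass" and r.dkim_domain != ""
               and aligned(r.dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return ("pass", "none")  # one aligned, authenticated identifier is enough
    # sp= governs subdomains only when the record came from the organizational domain.
    policy = tags["sp"] if found_at_org and "sp" in tags else tags["p"]
    # pct= sampling is deliberately ignored here so results are deterministic.
    return ("fail", policy)


if __name__ == "__main__":
    scenarios = {
        "legit, DKIM aligned":  AuthResults("example.com", "pass", "bounces.example.com", "pass", "example.com"),
        "spoof via own domain": AuthResults("example.com", "pass", "attacker.example", "pass", "attacker.example"),
        "spoof of parked domain": AuthResults("parked.example", "fail", "parked.example", "none", ""),
        "subdomain, sp=reject": AuthResults("mail.example.org", "fail", "mail.example.org", "none", ""),
        "no DMARC record":      AuthResults("nodmarc.example", "pass", "nodmarc.example", "none", ""),
    }
    for name, res in scenarios.items():
        print(f"{name:24} -> {evaluate_dmarc(res)}")
```

The second scenario is the one DMARC exists for: the attacker's mail passes SPF and DKIM for attacker.example, but neither identifier aligns with the example.com shown to the user, so the message fails and the published quarantine policy applies. The parked domain case shows why a never-sending domain still needs records: with v=spf1 -all and p=reject in place there is no identifier that can ever align, so every message claiming that From domain is rejected.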