While we can all agree that email spam is a troublesome problem, the real threat lies in the risk that email spam presents when combined with more nefarious elements, such as malware distribution and phishing attempts. Stemming the flood of potentially harmful spam has been a thorny issue for many email providers, who have struggled to provide effective countermeasures to stem the ever-rising flood of spam. This struggle has all the hallmarks of a never-ending arms race, and email providers needed something to help them turn the tide -- or at least slow down the rising waters.
That assistance came in the form of the newly-announced Domain-based Message Authentication, Reporting & Conformance specification, or DMARC. My colleague Paul Thurrott covered the DMARC news yesterday, but I wanted to add some additional thoughts to the discussion. According to a description on the DMARC working group website, DMARC promises to give email providers like Google, Yahoo!, Microsoft, and others the tools they finally need to turn the tables on email spam by helping senders "improve the mail authentication infrastructure so that all their mail can be authenticated."
The DMARC specification does this by leveraging the Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) mechanisms to help email receivers and senders make sure that the emails they're exchanging are legitimate, authorized communication. SPF relies on the Domain Name System (DNS) to let owners designate computers that are legitimate email distribution points, while DKIM establishes a connection between an email message and a domain -- by attaching a domain name identifier (along with some cryptographic techniques) -- to help ensure that a message is really from who it appears to be sent from.
While it would be optimistic (and naive) to assume that DMARC will end email spam, it will at least give email providers some common ground and a useful framework to help them limit the scope of email spam. I've blogged a bit about the need for more end-user security training before, and the DMARC initiative won't obviate that need. Progress is sometimes measured in baby steps, and DMARC is a very positive step in the right direction.
Do you think DMARC will help slow the onslaught of email spam into our collective inboxes? Add a comment to this blog post or contribute to the discussion on Twitter.