February 6, 2013

Infra · Security · Testing · Open Source · Messages · User Experience

Celebrating a year of fighting email phishing with DMARC

A couple of years ago, Facebook joined a burgeoning alliance of major online services to support the development of DMARC, a protocol that seeks to augment new message authentication technologies with a strong policy layer focused on thwarting phishing attacks. Today, we’re celebrating the DMARC standard’s official one-year anniversary by announcing that DMARC now protects almost two-thirds of the world’s 3.3 billion consumer mailboxes, including 85% of Facebook’s user base.

As one of the biggest generators of email today, Facebook was the first to embrace this new technology by adopting an early DMARC protocol in 2011 that asked mail receivers to reject fraudulent email that appeared to be from Facebook. Since then, the alliance has grown to represent over a dozen high-profile mail senders and receivers.

To get here, we’ve worked with people and companies around the world to test and iterate on the DMARC protocol and the software that implements it. Last summer, Facebook hosted an interoperability event that acted as a live-fire trial. In true Facebook fashion, our email team selected an open-source implementation upon which to hack together a prototype integration and then stood it up for the world to test during the event.

The event went off without any major hitches: nothing exploded, the bugs found were minor, and we had some highly valuable feedback to fold into the specification and our various implementations as they matured toward being ready for full standardization. Since then, the group has been running the live spec in their various environments and observing the results, tuning and evolving it based on what we’ve learned along the way.

In my pre-Facebook life, I participated in an event like this one for another email security technology called DKIM. We had about 20 organizations with various implementations working together in one room, sending messages to each other to work out the bugs in our respective code bases and in the protocol itself. The great thing about this sort of event is that it can shine a light on strange corner cases that developers neglect to check in their own implementations. I think of it like a super QA, and everyone comes away better informed and able to do meaningful work.

Email is such a peculiar technology. It’s so old and ubiquitous, with so many different variants and environments, that it becomes a constant stream of complex challenges. I have long been intrigued by this complexity, and have been involved in email’s evolution for over 20 years now. I have been working on DKIM and DMARC software and specification almost constantly since they each appeared, and it's been very exciting to see the uptake and the potential for these advances to make a big difference in the email experience.

I find it equally thrilling to be a part of an engineering environment that can move and experiment with such agility, especially in support of something that benefits everyone. If you are interested in being able to have that kind of impact with your ideas, check out our careers page.

Murray Kucherawy, a software engineer on the mail and messages team at Facebook, is the lead developer for both OpenDKIM and OpenDMARC. He is also a co-author of the current DKIM standard and lead editor of the DMARC specification.
