All emails coming from Twitter.com should be authenticated

Feb 22, 2013 09:11 GMT

Twitter's been getting hammered on the security front. Some of it is its own fault, some of it is the users' fault, but it all looks bad for Twitter.

It's been taking some measures to improve security and inform its users: it recently provided a basic guide to choosing a password, and it's now announcing that it has adopted DMARC, a technology for email authentication.

What DMARC does is ensure that emails claiming to come from Twitter really do come from Twitter. Any email provider that supports DMARC (and all major providers do) will reject any email that claims to come from Twitter but can't pass the authentication tests.

This makes sure that fraudulent messages don't get through, for example messages claiming to be from Twitter and asking for account credentials.

"DMARC solves a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols," Twitter explains.

"It builds on established authentication protocols (DKIM and SPF) to give email providers a way to block email from forged domains popping up in inboxes. And that in turn lessens the risk users face of mistakenly giving away personal information," it added.

DKIM and SPF have been around for a decade. However, these email authentication technologies haven't been widely used, and even when they are, they're of little use on their own.

A receiver has no way of knowing whether an email coming from a domain should be authenticated or not, so most let non-authenticated messages pass through anyway, negating any of the benefits of the technology.

DMARC makes it possible for email senders and receivers to share information: specifically, a sender can tell the receiver that all messages from its domain should be authenticated. This eliminates the uncertainty and ensures that any non-authenticated message will be blocked.
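The sender-to-receiver signalling described above can be seen in a small receiver-side evaluator: it reads the policy a domain publishes and decides what to do with a message from its SPF and DKIM results. This is an added example, not Twitter's code or anything from the original article; the DMARC record it parses is constructed, and its organizational-domain reduction is a simplification of what real receivers do.

```python
"""Receiver-side DMARC evaluation: parse a sender's published policy and
apply it to a message's SPF and DKIM outcomes (added example)."""
from typing import Dict, List, Optional

# Constructed sample policy, as a domain owner would publish it in DNS.
CONSTRUCTED_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; ...' into tag/value pairs.
    Returns {} if the text is not a usable DMARC record."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {}
    return tags

def org_domain(domain: str) -> str:
    """Crude organizational domain: last two labels. Assumption for this
    example; real receivers consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record: str, from_domain: str,
                      spf_pass_domain: Optional[str],
                      dkim_pass_domains: List[str]) -> str:
    """Return 'pass', or the sender's requested action ('none',
    'quarantine', 'reject') when neither SPF nor DKIM passes in alignment.
    spf_pass_domain: MAIL FROM domain if SPF passed, else None.
    dkim_pass_domains: d= domains of DKIM signatures that verified."""
    policy = parse_dmarc_record(record)
    if not policy:
        return "none"  # nothing published: the receiver is left guessing
    spf_ok = spf_pass_domain is not None and aligned(
        spf_pass_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = any(aligned(d, from_domain, policy.get("adkim", "r"))
                  for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass"
    # Subdomains may carry their own 'sp' policy; otherwise 'p' applies.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return (policy.get("sp", policy["p"]) if is_subdomain else policy["p"]).lower()
```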

Major email providers like AOL, Gmail, Hotmail and Yahoo Mail support DMARC, so if you use any of them you won't be getting any forged Twitter messages.

At the same time, PayPal, many banks, Facebook, Google, Microsoft and many others use DMARC to ensure that the emails they send are always authenticated.