Introducing DMARC for Twitter.com emails

Thursday, 21 February 2013

We send out lots of emails every day to our users letting them know what’s happening on Twitter. But there’s no shortage of bad actors sending emails that appear to come from a Twitter.com address in order to trick you into giving away key details about your Twitter account, or other personal information, commonly called “phishing”.

Earlier this month, we began using a new technology called DMARC that makes it extremely unlikely that most of our users will see any email pretending to be from a Twitter.com address. DMARC is a relatively new security protocol created by a group of organizations to help reduce the potential for email-based abuse.

Without getting too technical, DMARC solves a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols. It builds on established authentication protocols (DKIM and SPF) to give email providers a way to block email from forged domains popping up in inboxes. And that in turn lessens the risk users face of mistakenly giving away personal information. If you’re interested in a more technical explanation, you’ll find it here.

While this protocol is young, it has already gained significant traction in the email community with all four major email providers – AOL, Gmail, Hotmail/Outlook, and Yahoo! Mail – already on board, rejecting forged emails. We hope to see it gain more coverage for our users as even more email providers adopt it, and that it gives you more peace of mind when you get an email from us.

Posted by Josh Aberant - @jaberant
Twitter Postmaster