By Philip Reitinger
One of the most important trends we have seen in cybersecurity is governments leading through action, rather than just recommendations and mandates for the private sector. On July 27th, Canada took a significant step forward by mandating that all Government of Canada email domains be configured with DMARC to help prevent spoofing and fraud.
For the uninitiated, DMARC is a standard that lets a domain owner tell receiving mail servers how to handle messages that claim to come from its domain but fail SPF and DKIM authentication, which stops threat actors from spoofing the domain to send malicious email. So “globalcyberalliance.org”, for example, can publish a DMARC policy (as it has) and make it nearly impossible to deliver fraudulent email that purports to come from an “@globalcyberalliance.org” address. The protection only takes effect when the recipient’s mail service checks inbound email against the sender’s DMARC policy, but the significant majority of webmail services already do so. While deploying DMARC can be a challenge for larger entities with a complicated email infrastructure, the return on investment is significant.
On April 7th, the Government of Canada took the first step in supporting the DMARC industry best practice when the Canadian Centre for Cyber Security (CCCS) published guidance on email domain protection. In that guidance, CCCS also announced that it had established a service that would receive reports that DMARC generates and help agencies use that information to protect themselves and their constituents.
Now Canada has gone further by establishing a standard that requires agencies to deploy DMARC and the SPF and DKIM protocols (on which DMARC depends) as well:
“The departmental Information Management Senior Official and/or Chief Information Officer is responsible for: …
“Establishing a minimum Domain-based Message Authentication, Reporting & Conformance (DMARC) policy of “p=none” …
“Adding the CCCS as an aggregate report recipient. The address that must be included is firstname.lastname@example.org.
“Authorizing all sending IP addresses in Sender Policy Framework (SPF).
“Applying Domain Keys Identified Mail (DKIM) signatures to all outbound messages.”
The scope of deployment is broad: “2.2 This standard applies to all Government of Canada email sent and received, all Government of Canada instant messages sent and received, and all Government of Canada email services… .” Bravo!
For now, the standard only requires that DMARC be deployed with the policy “p=none”. That is a monitor-only setting: receivers still deliver mail that fails authentication, but the aggregate reports sent to the rua address show who is sending as the domain and which legitimate mail sources still lack SPF or DKIM coverage. Regardless, that is the right place to start, and I hope to see the standard moved, through the intermediate “p=quarantine”, to require the strongest policy (“p=reject”) at a later date, at which point receivers are told to refuse mail that fails authentication.
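To make the requirements above concrete, here is a small checker that evaluates a DMARC TXT record against the floor the standard sets (a p= policy of at least none, plus a required aggregate-report recipient in rua=) and flags the settings that make p=none only a starting point. This is an added example, not code from the original post, from GCA or from the Government of Canada; the report address dmarc-reports@example.gc.ca and the sample records are placeholders I constructed, and the real CCCS mailbox is the one named in the standard.

```python
"""Check a DMARC TXT record against the minimum the standard quoted above sets.

Added example. The aggregate-report address is a placeholder standing in for
the CCCS mailbox named in the standard; the sample records are constructed.
"""

# Policy strength as DMARC defines it: none < quarantine < reject.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Hypothetical report recipient; substitute the address given in the standard.
REQUIRED_RUA = "dmarc-reports@example.gc.ca"


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a dict of lower-cased tags.

    Per RFC 7489 the v= tag must come first and equal DMARC1, and p= is required.
    """
    parts = [p.strip() for p in record.split(";")]
    tags = {}
    for part in parts:
        if not part:  # tolerate a trailing ';'
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not parts or not parts[0].lower().startswith("v=") or tags.get("v", "").upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("record has no p= policy tag")
    return tags


def rua_addresses(tags: dict) -> list:
    """Return the mailto: addresses in rua=, a comma-separated URI list.

    An optional '!size' suffix (e.g. !10m) caps report size and is stripped.
    """
    addresses = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            addresses.append(uri[len("mailto:"):].split("!")[0].lower())
    return addresses


def check_record(record: str, required_rua: str = REQUIRED_RUA) -> dict:
    """Evaluate a record against the mandate's floor and note remaining weaknesses.

    Compliant means: valid record, recognised p= policy, and required_rua present.
    Other findings are advisory and explain why p=none is a floor, not a finish line.
    """
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return {"compliant": False, "policy": None, "rank": -1, "findings": [str(exc)]}

    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        return {"compliant": False, "policy": policy, "rank": -1,
                "findings": [f"unknown policy {policy!r}"]}

    findings = []
    if required_rua.lower() not in rua_addresses(tags):
        findings.append(f"rua= does not include {required_rua}")
    if policy == "none":
        findings.append("p=none is monitor-only: spoofed mail is reported but still delivered")
    pct = tags.get("pct", "100")
    if policy != "none" and pct != "100":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sub = tags.get("sp")
    if sub and POLICY_RANK.get(sub.lower(), -1) < POLICY_RANK[policy]:
        findings.append(f"sp={sub} leaves subdomains weaker than the organisational domain")

    compliant = not any(f.startswith("rua=") for f in findings)
    return {"compliant": compliant, "policy": policy, "rank": POLICY_RANK[policy], "findings": findings}


# Constructed sample records, one per situation discussed in the post.
SAMPLE_RECORDS = {
    "minimum":   "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gc.ca",
    "strongest": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gc.ca, mailto:ops@example.gc.ca!10m",
    "no_cccs":   "v=DMARC1; p=quarantine; pct=50; rua=mailto:ops@example.gc.ca",
    "broken":    "p=reject; rua=mailto:dmarc-reports@example.gc.ca",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        result = check_record(record)
        status = "OK  " if result["compliant"] else "FAIL"
        print(f"{status} {name:10s} p={result['policy']}  {'; '.join(result['findings'])}")
```

Run it against a live domain by fetching the TXT record at `_dmarc.<domain>` (for example with `dig +short TXT _dmarc.example.gc.ca`) and passing the string to `check_record`. The advisory findings are where the real work lies: a domain stays at p=none only as long as it takes to read the aggregate reports and bring every legitimate sender under SPF and DKIM, after which the policy can be tightened without blocking the organisation's own mail.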
In publishing this mandatory requirement, Canada joins the growing group of countries that require deployment of DMARC by government agencies. The most critical part of this trend, however, is not the mandate to deploy DMARC, but that government cybersecurity offices are leading by implementing security measures themselves rather than just telling the private sector to do something. Governments like Canada’s are saying, in effect, that they have found a critical way for entities to protect themselves and others, and that the government will lead by example and take that very step itself. Following this path can demonstrate both effectiveness and practicality – key criteria to incentivize private sector deployment.
Congratulations, Canada! Other nations: over to you.
And for those of you who want to learn more about DMARC and how to implement it for your government or organization, please join GCA’s upcoming (and FREE!) DMARC Bootcamp in September. More information and registration can be found here: https://gca.globalcyberalliance.org/bootcamp-registration