A call for all governments to adopt DMARC as a core email standard
By Tony Krzyzewski
The integrity of email sent from government departments to citizens, residents and the businesses that form the backbone of the national economy is essential if those recipients are to trust government communications.
Fundamental failings within the Simple Mail Transfer Protocol (SMTP) mean that it is trivially easy to falsify sender details: SMTP performs no authentication of the sending domain, so both the envelope sender and the visible From: header can be set to any value. This led to the rapid rise of spam in the late 1990s and still underpins the ability of attackers to send phishing messages that appear to come from a trusted domain.
DMARC was created to minimise the opportunity for spam and phishing emails to be delivered to recipients. It lets a domain owner publish a policy in DNS that tells receiving mail servers what to do with messages that fail authentication, and to receive reports on how the domain is being used. Working in conjunction with SPF and DKIM (a message passes DMARC only when SPF or DKIM passes for a domain that aligns with the From: header domain), DMARC has proven able to reduce the number of falsified emails being delivered and provides an excellent means of protecting the integrity of email sending domains.
In the United Kingdom early adoption of DMARC by several government agencies showed that it was possible to eliminate hundreds of thousands of falsified emails from reaching their victims.
DMARC has now been adopted as a mandated standard for government email communications in the United States, the United Kingdom, the Netherlands and New Zealand. It appears as an email protection control in the Center for Internet Security (CIS) Controls version 7.1, and helps meet information protection requirements within the ISO and NIST information security standards.
DMARC is a global effort to improve the integrity of the email system. It is being implemented by corporations and businesses around the world as a means of protecting their brand and their customers. Email service providers are implementing inbound controls so that they can block or quarantine falsified emails when the sending domain's published DMARC policy asks them to. Continuing adoption of DMARC will move us closer to herd immunity against the transmission of falsified email content, and we need government agencies to help reach that level of adoption.
Unlike many technology-based controls, DMARC was designed to be implemented with minimal impact on systems and services. At its initial level of deployment (a monitoring policy of p=none with aggregate reporting enabled, which changes nothing about how mail is delivered) DMARC provides immediate visibility of how an email domain is being used around the world, and frequently shocks implementers into moving to full enforcement when they discover how their email domain is being abused.
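To make the mechanism concrete, here is a small worked example of how a receiver reads a DMARC record and decides whether a message passes. It is added here for illustration and is not code from the article or from the Global Cyber Alliance; the domain names, DNS records and message details are all constructed, and the organizational-domain rule is a deliberate simplification (real receivers consult the Public Suffix List, which matters for domains such as those under .gov.uk). It also shows the difference between a monitoring policy (p=none) and an enforcing one (p=reject), which is the step the paragraph above says implementers are shocked into taking.

```python
"""Added example: evaluating a DMARC record and a message's identifier alignment.

Everything below is constructed for illustration; none of it is the article's
own material.  Real DMARC evaluation also handles sp= (subdomain policy) and
report delivery, which are left out here.
"""

# Constructed DNS TXT records (assumed, not real domains' data).
RECORDS = {
    "example.gov": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.gov; adkim=s; aspf=s",
    "example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "example.net": "v=spf1 -all",  # an SPF record, not a DMARC record
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a {tag: value} dict.

    Returns None when the text is not a usable DMARC record (missing
    v=DMARC1 or the mandatory p= tag); a receiver then applies no policy."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(name):
    """Simplification (assumption): organizational domain = last two labels.
    Production code must use the Public Suffix List instead."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (passed, disposition) for one message, or None if the record
    is unusable.

    from_domain  - domain of the visible RFC5322.From header
    spf_domain   - RFC5321.MailFrom domain that SPF was checked against
    dkim_domain  - d= domain of the DKIM signature that verified
    A message passes when SPF or DKIM passes for an aligned domain; on
    failure the disposition is the p= value the domain owner published."""
    tags = parse_dmarc(record)
    if tags is None:
        return None
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags["p"].lower()


def policy_level(record):
    """Classify a record the way a deployment audit would."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no DMARC"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    p = tags["p"].lower()
    if p == "none":
        return "monitoring" if "rua" in tags else "monitoring (no reports)"
    if p == "reject" and pct == 100:
        return "enforcing"
    return "partial"


if __name__ == "__main__":
    for domain, rec in RECORDS.items():
        print(f"{domain}: {policy_level(rec)}")
    # A spoofed message: From example.gov, no DKIM, SPF passes only for
    # the attacker's own MAIL FROM domain, so nothing aligns.
    print(evaluate(RECORDS["example.gov"], "example.gov", "pass", "attacker.example", "none", None))
    # Legitimate mail signed by a subdomain: fails under strict alignment.
    print(evaluate(RECORDS["example.gov"], "example.gov", "fail", "", "pass", "mail.example.gov"))
```

Running the script shows the spoofed message failing with a disposition of reject, while the same subdomain-signed message that fails strict alignment for example.gov would pass under example.org's relaxed default; that is exactly the class of surprise the aggregate reports from a p=none deployment reveal before enforcement is switched on.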
Mandating the use of DMARC for all government email domains should be high on every nation's cybersecurity risk reduction agenda.
The Global Cyber Alliance encourages other nations to join those that have already mandated the use of DMARC for government communications and, through its outreach program, can assist with setting standards that can be adopted to protect the integrity of government email communications.
The author, Tony Krzyzewski, is a GCA Ambassador and the Director of SAM for Compliance. You can follow him on Twitter @tonyk_nz or connect with him on LinkedIn.