U.S. Government’s DMARC Mandate: Why the Australian Government Ought to Follow Suit

October 23, 2017
Tim Bentley

Following a letter by Senator Ron Wyden back in July calling for government-wide use of email authentication, the U.S. Department of Homeland Security (DHS) announced last week that it would increase security for anyone receiving email from federal agencies or visiting a federal website. This new binding directive requires U.S. federal agencies to use two security protocols — DMARC, which lets receiving mail systems reject messages that spoof an agency's domain, and HTTPS, which encrypts web traffic.

This is welcome news for citizens and organisations in the fight against cybercrime.

Government agencies worldwide are prime targets for cybercriminals, who frequently spoof their identities in order to steal personal information or money from the general public, companies or indeed from the agencies themselves.

Companies like Proofpoint have been evangelising the use of DMARC for years, and while enterprises have moved up the adoption curve, governments around the world have tended to lag. This new directive very much echoes those initiatives announced by the UK government in June 2016, when they issued similar guidelines and set a deadline of October 1, 2016 for all UK agencies to have published a DMARC record and start blocking fraudulent emails abusing their domains.

Here, the Australian government issued guidance on DMARC back in July 2016: in a concise report entitled Malicious Email Mitigation Strategies, the Australian Signals Directorate, part of the Department of Defence, and the Australian Cyber Security Centre recommended that both government and private sector organisations implement DMARC authentication to prevent messages from would-be imposters from reaching the inbox.

Somehow though, it feels like the U.S. directive is going that step further by issuing an implementation timeline—something the Australian authorities might want to consider.

Anyone with hands-on experience of a DMARC implementation project will likely view the timelines issued by the DHS as challenging. Government agencies typically have complex email infrastructures and will require significant expertise as well as resources to ensure their DMARC implementation is risk free – in other words, that a policy which blocks spoofed mail does not also block legitimate email sent from systems the agency has not yet authenticated.
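The gap between publishing a DMARC record and actually blocking fraudulent mail (the UK deadline above asked for both) is visible in the record itself: a `p=none` policy only reports, while `pct` and `sp` can leave a partially enforced rollout. The following is an added example, not code from the original post or from Proofpoint; it classifies the enforcement level of a DMARC TXT record using the tag rules of RFC 7489, and the sample records and domain names are constructed for illustration.

```python
"""Classify the enforcement level of a DMARC TXT record (RFC 7489 tags)."""

# Sample records, constructed for this example (not real agency domains).
SAMPLE_RECORDS = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc-rua@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:r@partial.example",
    "strict.example":  "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:r@strict.example",
    "broken.example":  "v=spf1 -all",  # an SPF record published where DMARC was expected
}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; return None if not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    # RFC 7489 6.6.3: a record without a valid 'p' but with 'rua' is treated as p=none.
    if "p" not in tags:
        if "rua" in tags:
            tags["p"] = "none"
        else:
            return None
    return tags

def enforcement_level(record):
    """Return 'invalid', 'monitor', 'partial' or 'enforced' for a DMARC record."""
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor"          # record published, but spoofed mail is still delivered
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100                 # RFC default when the tag is unparseable
    subdomain_policy = tags.get("sp", policy).lower()
    if policy in ("quarantine", "reject") and pct == 100 and subdomain_policy != "none":
        return "enforced"
    return "partial"              # staged rollout: pct < 100 or subdomains left unprotected

def report(records):
    """Map each domain to its enforcement level, e.g. for an agency inventory."""
    return {domain: enforcement_level(rec) for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, level in report(SAMPLE_RECORDS).items():
        print(f"{domain:18} {level}")
```

In a real inventory the record string would come from a DNS TXT lookup of `_dmarc.<domain>`; the classification logic is unchanged.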

That said, the benefits are clear: in the UK, Her Majesty's Revenue and Customs (HMRC), often compared to the US Internal Revenue Service, has embraced and promoted the use of email authentication for several years. Once the most phished organisation in the UK, HMRC was one of the first government agencies worldwide to deploy email authentication controls to rebuild consumer trust in the email channel. In November 2016, their then Head of Cyber Security announced their DMARC implementation was complete and had seen them block over 300 million phishing emails.

When implemented, DMARC is a significant barrier to cybercriminals who are attempting to impersonate official agencies. It stops criminals from spoofing agencies' domains and sending emails on their behalf to unsuspecting recipients. Without DMARC, cybercriminals have a powerful tool to lure employees of the agencies into accidentally opening the door to a hack, fool agency partners, and trick citizens into giving away information that can have substantial consequences.

Securing government communications to its citizens is paramount and this new directive can only help propel the adoption of the same security standards across more and more enterprises, thereby bringing a greater collective security to email and web technologies. Let’s hope more governments take a leaf out of the DHS playbook and roll out email authentication across their public-sector bodies.

To help stop criminals from spoofing domains and sending emails on their behalf to unsuspecting recipients, download our free email authentication kit: http://ow.ly/5Ws430f9GS3 and visit our DMARC creation wizard: https://stopemailfraud.proofpoint.com/dmarc-start/.