We recently discussed governmental organizations that send out warnings rather than preventing spear phishing attacks through email authentication. Therefore it’s good to see a pair of prominent governmental organizations giving clear guidance to their constituents about using DMARC to enforce the authenticity of email on their domains.
The British Government Digital Service announced in June an upcoming requirement that all services using subdomains of gov.uk would need to have a DMARC policy at enforcement. The deadline for that enforcement came in the last week.
Services should publish a DMARC policy and set it to the highest level, called ‘p=reject’. If you have not set up this policy by 1 October 2016, your emails may be rejected by external email providers.
Simultaneously, the National Institute of Standards and Technology (NIST) has published its special report “Trustworthy Email” (also known under the catchy name 800-177). This report contains a long section on SPF, DKIM, and DMARC, the last of these sections extending from pages 54 through 62. The NIST report contains clear recommendations for both email senders and receivers.
To the senders it says,
Security Recommendation 4-11: Sending domain owners who deploy SPF and/or DKIM are recommended to publish a DMARC record signaling to mail receivers the disposition expected for messages purporting to originate from the sender’s domain.
And to receivers it instructs,
Security Recommendation 4-12: Mail receivers who evaluate SPF and DKIM results of received messages are recommended to dispose them in accordance with the sending domain’s published DMARC policy, if any. They are also recommended to initiate failure reports and aggregate reports according to the sending domain’s DMARC policies.
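To make the two recommendations concrete, here is an added example (not code from the original post, GDS or NIST) that does both halves: it parses a DMARC TXT record and checks whether it meets the GDS bar of ‘p=reject’, and it applies the RFC 7489 disposition rule a receiver uses, combining SPF and DKIM results with identifier alignment and the published policy. The record, the domain example.gov.uk, the reporting addresses and the tiny public-suffix table are all constructed for illustration; real code would consult DNS and the full Public Suffix List.

```python
"""Added example, not from the original post: parse a DMARC record and apply
the DMARC disposition rule (RFC 7489) to SPF/DKIM results, the behaviour
NIST Recommendations 4-11 and 4-12 ask senders and receivers to implement.
All domains, records and addresses here are constructed for illustration."""
import random

# Constructed record for a hypothetical gov.uk service at enforcement.
RECORD_DOMAIN = "example.gov.uk"
SAMPLE_RECORD = (
    "v=DMARC1; p=reject; sp=quarantine; pct=100; adkim=s; aspf=r; "
    "rua=mailto:dmarc-rua@example.gov.uk; ruf=mailto:dmarc-ruf@example.gov.uk"
)

# Constructed subset of public suffixes; production code uses the full Public
# Suffix List so that a suffix such as 'gov.uk' is never taken as an org domain.
PUBLIC_SUFFIXES = {"uk", "gov.uk", "co.uk", "com", "example"}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; ...' into a dict and fill in the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: 'v=DMARC1' is required")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("adkim", "r")      # relaxed alignment unless 's' is set
    tags.setdefault("aspf", "r")
    tags["pct"] = int(tags.get("pct", "100"))
    return tags


def meets_enforcement_requirement(tags: dict) -> bool:
    """The GDS bar quoted above: p=reject, and not watered down by pct<100."""
    return tags["p"] == "reject" and tags["pct"] == 100


def organizational_domain(domain: str) -> str:
    """Org domain = longest matching public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment is an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_disposition(tags, from_domain, spf_result, dkim_result,
                      record_domain=RECORD_DOMAIN, sample=None):
    """Receiver-side rule. spf_result/dkim_result are (passed, domain) pairs:
    SPF's domain is the MAIL FROM domain, DKIM's is the d= of a valid signature.
    Returns 'pass' or the disposition to apply: 'none', 'quarantine', 'reject'."""
    spf_pass, spf_domain = spf_result
    dkim_pass, dkim_domain = dkim_result
    spf_aligned = bool(spf_pass and spf_domain
                       and aligned(spf_domain, from_domain, tags["aspf"]))
    dkim_aligned = bool(dkim_pass and dkim_domain
                        and aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_aligned or dkim_aligned:      # one aligned pass is enough
        return "pass"
    # DMARC failed: 'sp' applies to subdomains of the publishing domain.
    policy = tags["p"] if from_domain.lower() == record_domain else tags["sp"]
    # 'pct' applies the full policy to that share of failing mail only; the rest
    # get the next weaker action (reject -> quarantine, quarantine -> none).
    if sample is None:
        sample = random.randrange(100)
    if sample >= tags["pct"]:
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


if __name__ == "__main__":
    tags = parse_dmarc(SAMPLE_RECORD)
    print("at enforcement:", meets_enforcement_requirement(tags))
    cases = [
        ("example.gov.uk", (True, "bounce.example.gov.uk"), (False, None)),
        ("example.gov.uk", (False, None), (True, "mail.example.gov.uk")),
        ("example.gov.uk", (True, "attacker.example"), (False, None)),
        ("news.example.gov.uk", (False, None), (False, None)),
    ]
    for from_domain, spf, dkim in cases:
        print(from_domain, spf, dkim, "->", dmarc_disposition(tags, from_domain, spf, dkim))
```

The second case is worth noting for anyone tuning a record: with `adkim=s` a DKIM signature from mail.example.gov.uk does not align with a From header of example.gov.uk, so the message is rejected even though the signature verified; relaxed alignment (`r`) would accept it. Similarly, `pct=50` leaves half of spoofed mail at quarantine rather than reject, which is why the enforcement check above insists on the default of 100.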
We understand that educating the broad community of government organizations will take some time in both the UK and the USA. It’s encouraging that these two thought leadership organizations have laid out clear direction, which will help us get to the day when we don’t have to see any more stories in the media about government offices falling for spear phishing attacks.