UK Government Agencies Leading the Way in DMARC Protection
Brexit isn’t the only big news coming out of the UK government this week. Yesterday, Britain’s Government Digital Service (GDS) announced a big email security update: all agencies running on the sub-domain service.gov.uk will be required to publish a DMARC (Domain-based Message Authentication Reporting & Conformance) policy.
By October 1, 2016, agencies must set this DMARC policy to the highest level, p=reject, which blocks all messages that do not pass authentication before they get to the inbox. As a temporary measure only, GDS says, teams can implement a DMARC monitor, or “p=none”, policy.
By implementing DMARC, UK government agencies will block any malicious messages spoofing service.gov.uk domains. In other words, cyber criminals will no longer be able to use service.gov.uk domains to trick unsuspecting citizens or government employees.
This is good news, considering the fact that the UK, according to Symantec’s annual Internet Security Threat Report, is the world’s most targeted nation for phishing scams and ransomware. And government targets are traditionally some of the most fruitful for fraudsters.
Not only does government phishing compromise the security of sensitive agencies, it also puts citizens at serious risk. Last year, for example, hackers targeted the US Internal Revenue Service, gaining access to the tax returns of more than 300,000 people.
DMARC will become a universal requirement
We expect that in the near future, DMARC will become a requirement at companies across industries and governments around the world. Right now, too many companies rely on users as their first line of defense against email fraud. By automatically blocking bad email before it reaches the inbox, DMARC removes user guesswork from the equation.
The risks of swift DMARC policy implementation
A DMARC monitor, or “p=none” policy, gives you the feedback loop you need to see what email is authenticating, what email is not, and why. Once you clean up your authentication on all of your sending domains, you can safely move to “p=reject” and block only the malicious messages.
If you implement DMARC reject policy before all of your mail is authenticating properly, however, your unauthenticated messages won’t just be at risk of getting flagged as suspicious—you’ll actually be instructing mailbox providers to reject these messages outright.
For example, service.gov.uk has implemented a p=quarantine policy (v=DMARC1;p=quarantine;sp=none;adkim=s;aspf=s;fo=1;rua=mailto:email@example.com). However the record has a number of errors which have implications on how mailbox providers will interpret the policy:
- Error: No spaces after each semicolon
- Implication: The risk is that some ISPs rely on the semi-colon, the space, or both to denote the end of one tag value and the beginning of the next.
- Against best practice: p=quarantine but with no Forensic reporting
- Implication: Emails could be blocked, and they will know the quantities from Aggregate reports but without Forensic reports, it will be very difficult to diagnose issues.
- Against best practice: DKIM & SPF alignment is set to Strict
- Implication: This does not always provide more security, rather more opportunities for authentication failures as it asks for the MFrom and the DKIM domains to match the Header From exactly.
How to implement DMARC the right way
The correct way to implement a “p=reject” policy is shown in the policy below from Her Majesty’s Revenue & Customs (HMRC):
As the third most exploited brand by cybercriminals in phishing attacks (Malcovery), HMRC has embraced and promoted the use of email authentication for several years. HMRC’s head of cyber security, Ed Tucker, has spoken at many events with Return Path on the benefits and challenges of deploying technologies like DKIM, SPF and DMARC: “Simply put, the DMARC standard works. In a blended approach to fighting email fraud, DMARC represents the cornerstone of technical controls that senders can implement today to rebuild trust and retake the email channel for legitimate brands and consumers.”
DMARC is no longer an option for organisations using service.gov.uk. But it’s imperative you implement it the right way to reap its benefits. The first step is to create a DMARC record. Then, follow the key implementation steps outlined in our email authentication kit.
And as always, if you have any questions during this process, don’t hesitate to reach out to Return Path’s email authentication experts.
About Robert Holmes
Robert Holmes is General Manager, Email Fraud Protection at Return Path. Rob has been in the brand & fraud protection industry for 15 years, helping major corporations understand, quantify and manage risk across the digital channels. Having previously held global roles running the product teams at Corporation Service Company and Melbourne IT's Digital Brand Services, Rob is a frequent speaker at major security events, including RSA Conference, Gartner Security & Risk Management Summit, FS-ISAC, and the global eCrime series. Rob has a MA (Hons) degree in Philosophy, Politics & Economics from the University of Oxford.