Only 28% of Domains Support DMARC

Written by

Only around a quarter of the UK government’s domains have been set up to support an industry best practice email validation system, despite the imminent retirement of a previous public sector domain platform, according to Egress.

The security vendor found that just 28% of domains have enabled Domain-based Message Authentication, Reporting and Conformance (DMARC), which helps to prevent certain spam and phishing attacks.

The vendor ran its tests just a few weeks before the Government Secure Intranet (GSI) platform is to be switched off this month, forcing departments to migrate to the public cloud.

This means the vast majority are not currently following the minimum standards suggested by the UK Government Digital Service (GDS) for email authentication.

Even worse, of the 28% that had enabled DMARC at the time of the study, over half (53%) set a policy to “do nothing” — which would effectively let through Business Email Compromise (BEC) attacks and allow email buffering, while spam and phishing messages would be allowed into recipients’ inboxes.

This means that in reality, only 14% of government domains are using DMARC effectively to stop phishing attacks, Egress warned.

“It’s quite startling to see that so many public sector organizations have not yet enabled DMARC effectively and therefore cannot provide full assurance over their email network’s ability to withstand phishing attacks,” commented Egress CTO, Neil Larkins. “With [not long] before the GSI framework is retired, it’s critical that organizations heed the advice laid out by GDS.”

The government took a bold step back in September 2016 when the Cabinet Office mandated the strongest DMARC policy (“p=reject”) be set as the default for all email services from October 1.

However, progress has been slow in other areas. It was revealed in 2017 that 98% of NHS organizations were unprotected by DMARC, and that many English councils were also failing.

DMARC has played a crucial role in the NCSC’s successful Active Cyber Defence program over the past couple of years.

What’s hot on Infosecurity Magazine?