Last year, the UK blocked 80 million spoofed emails from entering government domains, thanks to wide deployment of the DMARC email authentication protocol.
“That’s how you stop people clicking on the link, because they never get the crap in the first place. Simple things done at scale can have a difference,” said Dr Ian Levy, technical director of the UK’s National Cyber Security Centre (NCSC) in October.
At that time, 879 of the 3025 gov.uk domains, or around 29 percent, were protected by DMARC, he said.
According to Stephen Gillies, who runs security advisory at Caret and Stick, DMARC’s goal is “to bring some trust back to the From: field in email headers”.
“DMARC is another tool we have to reduce the amount of spam hitting end users. It should be implemented everywhere SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are implemented, as DMARC provides a way to gain visibility of SPF/DKIM failures, and provides senders with information about how spam is handled,” Gillies told ZDNet.
DMARC, DKIM and SPF do have their issues, he said.
An organisation that sends email needs to identify everywhere their email can legitimately be sent from. That includes more than just their email providers such as Microsoft or Google’s cloud. All manner of cloud services could be sending email on their behalf, including CRM systems like Salesforce, accounting and helpdesk services, project management and collaboration tools, and of course their own email marketing platforms.
“Implementing DMARC adds to the work an email administrator needs to do, which includes things like rolling the DKIM keys and getting DNS updated. This can be onerous for companies, as the mail administrators may not be in the same team, business or organisation as whomever looks after DNS,” Gillies said.
“All that said, my view is that DMARC, SPF, and DKIM have a significant impact on spam across domains, and I support the work the UK NCSC is doing in the space. No one is saying DMARC is a silver bullet for spam, but we have seatbelts and airbags.”
DMARC can also provide raw intelligence for active cyber defence.
“If the NCSC can consolidate reporting across the large number of government domains, there is a great deal of attack indicator data which could be generated from this resource,” Gillies said.
“Consolidated DMARC reports for a top-level domain like .gov.au would provide a resource for spotting phishing/spam/malware campaigns.”
Working DMARC still rare in Australian government domains
Australia is well behind the UK’s pace. Of the primary domains for 200 government agencies, only 45 have deployed DMARC, up from 40 when ZDNet tested at the end of October. That’s 22.5 percent of the total. It doesn’t sound much less than the UK figure, but the direct comparison is misleading.
Only 11 of those Australian domains, or 5.5 percent of the total, request that recipients force strict compliance with DMARC authentication using the “p=reject” tag. They include the Departments of Finance and Human Services, the Australian Securities and Investments Commission (ASIC), the Australian Bureau of Statistics (ABS), the Reserve Bank of Australia (RBA), and curiously, Australian Wool Innovation at wool.com.
Some of the other agencies have set the tag to “p=quarantine”, requesting that recipients consider quarantining non-compliant emails. These include the Australian Signals Directorate (ASD), the Australian Taxation Office (ATO), and the Productivity Commission.
But the rest of the agencies that have deployed DMARC have either set the tag to “p=none”, leaving it up to recipients to decide what to do, or provide no policy settings at all. That includes key departments such as Home Affairs, Treasury, Education and Employment, AusTrade, and the Commonwealth Scientific and Industrial Research Organisation (CSIRO).
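The survey above sorts domains by the policy a receiver would actually apply: p=reject, p=quarantine, p=none, or no usable policy. The following script is an added example (not from the article or any agency) that parses the TXT records published at _dmarc.&lt;domain&gt; and buckets them the same way, including the RFC 7489 edge cases a quick look at the “p=” tag misses: a missing p tag only counts as p=none when a rua reporting address is present, duplicate or non-DMARC records mean no policy, and pct=0 turns a reject into a no-op. All domains and records are constructed.

```python
# Added example, not from the article: bucket a domain's DMARC policy the way
# the survey does (reject / quarantine / none / no_policy) from its TXT records.
# Every domain and record below is constructed and belongs to no real agency.
import re

VALID_P = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split one TXT record into tag/value pairs; return None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";")]
    if not re.fullmatch(r"v\s*=\s*DMARC1", parts[0], re.I):
        return None  # RFC 7489: a DMARC record must begin with v=DMARC1
    tags = {}
    for part in parts[1:]:
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def classify(txt_records):
    """Policy a receiver would apply, given all TXT records found at _dmarc.<domain>."""
    dmarc = [t for t in (parse_dmarc(r) for r in txt_records) if t is not None]
    if len(dmarc) != 1:          # RFC 7489 6.6.3: zero or several records -> no DMARC
        return "no_policy"
    tags = dmarc[0]
    p = tags.get("p", "").lower()
    if p not in VALID_P:
        # Missing/invalid p is treated as p=none only if a reporting URI exists.
        return "none" if tags.get("rua", "").lower().startswith("mailto:") else "no_policy"
    pct = tags.get("pct", "100")
    if p != "none" and pct.isdigit() and int(pct) == 0:
        return "none"            # pct=0 means the stricter action is never applied
    return p

# Constructed sample records: one list of TXT strings per hypothetical domain.
SAMPLES = {
    "reject.example":     ["v=DMARC1; p=reject; rua=mailto:dmarc@reject.example"],
    "quarantine.example": ["v=DMARC1; p=quarantine; pct=100"],
    "none.example":       ["v=DMARC1; p=none; rua=mailto:dmarc@none.example"],
    "nop.example":        ["v=DMARC1; rua=mailto:dmarc@nop.example"],   # no p tag
    "broken.example":     ["v=DMARC1; pp=reject"],                       # typo, no rua
    "dup.example":        ["v=DMARC1; p=reject", "v=DMARC1; p=none"],    # two records
    "notdmarc.example":   ["some-verification=abc123"],                  # not DMARC
    "pct0.example":       ["v=DMARC1; p=reject; pct=0"],
}

def survey(samples):
    """Count domains per effective policy, as in the article's tally."""
    counts = {}
    for records in samples.values():
        bucket = classify(records)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(f"{domain:20} {classify(records)}")
    print(survey(SAMPLES))
```

To run it against live domains, feed `classify` the strings returned by a DNS TXT lookup of `_dmarc.<domain>` in place of the constructed samples.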
This looks set to change, however.
The Australian Cyber Security Centre (ACSC) told ZDNet that it believes “DMARC is an important control” which is why it has added DMARC recommendations to the Australian government’s latest Information Security Manual (ISM) released earlier this month.
“The ACSC is conducting a cyber hygiene program using open source intelligence to measure and improve cyber hygiene in government organisations,” an ACSC spokesperson said.
“DMARC and SPF are the initial focus of this work. Government agencies are responsible for implementing DMARC on their domains, including timelines and prioritising. The ACSC is providing assistance to agencies in determining their exposure and assisting with remediation,” they said.
“The ACSC operates a mixture of programs with similar objectives to the NCSC’s programs, including the cyber hygiene program.”
Gillies is upbeat about the Australian government’s cybersecurity efforts.
“Australia should never be ashamed by the technology implemented in government. In fact some of the best security strategy across the Five Eyes has come out of the ASD, including the Essential Eight,” he said.
“Many other countries use this work as an initial platform for their policies, and when you look across Australia, New Zealand and UK security advisories there are many similarities as a result of the great work done here…
“There is an opportunity for the Australian federal government to be a leader in this space, due to our smaller size compared to the UK, Canada, or the US. The first step would be to increase SPF and DKIM adoption, then to actually enforce SPF, then to implement DMARC.”