Implementing DMARC in the Public Sector

Overview

The Problem

Email is the #1 way attackers target citizens and government employees.

Why it Works

Email lacks build-in authentication:
Attackers can easily spoof or impersonate anyone in your organisation using free tools

Attackers need to be right just once:
With billions of emails hitting government inboxes, odds are in the attacker's favor

Email gateways can't solve the problem:
Attackers rely on social engineering tactics and identity deception, not malicious content or URLs that traditional tools were built to detect

The Solution

DMARC functions like an ‘identity check’ for your agency. It prevents spammers and criminals from hijacking your valid organisation domain names and brand for email.

What is DMARC?

DMARC (Domain-based Message Authentication Reporting & Conformance) is an open email authentication protocol, established in 2012 by organisations including Google, Microsoft, Agari, PayPal, and others to protect the email channel. DMARC is the best way for email senders and receivers to determine whether or not a given message is legitimately from the sender, and what to do if it isn’t.

Benefits of Deploying DMARC for Your Agency

Stop email phishing attacks using your agency’s reputation

Agencies reduce the likelihood that their domains and brand will be used in an attack.

Reduce account takeover risk

By preventing delivery of phishing and malware-laden messages directed at your employees or constituents, you can reduce the number of account takeovers.

Increase email deliverability

By deploying DMARC, you ensure that legitimate email from your agency gets delivered and is not blocked at the receiver.

Gain visibility into cyberattack risk

Do you know every third-party company that sends email on behalf of your agency? DMARC provides this critical visibility, allowing you to ensure that anyone sending on your behalf complies with email best practices.

“Business Email Compromise (BEC) attacks represent more than 50% of all incidents and this number has been doubling each year since 2017, which makes it especially noteworthy.”

Verizon Data Breach Report, 2023

“Phishing e-mails remain the primary method used by cybercriminals to gain unauthorised access to a computer or network. . .[and] can reach huge numbers of people directly whilst hiding... ”

National Cyber Security Centre (NCSC)

The Public Sector Perspective

The NCSC recommends DMARC records in place for all domains, regardless of whether the domain is used for email or not.

The NCSC’s Cyber Assessment Framework (CAF) recommends a DMARC policy of Reject (“p=reject”).

The Government Digital Service (GDS) requires that all government departments adopt DMARC with the strongest DMARC policy (“p=reject”).

The NCSC’s tool, Mail Check, helps organisations assess their email security compliance. Mail Check has an enforcement rate of 60% (percentage of domains protected by a DMARC policy of Reject), but when using solutions lacking in visibility we often find domains pushed to Reject prematurely, potentially causing more damage than good with blocked legitimate business-critical mail.¹

¹ NSCC Annual Review 2023, p. 9: https://www.ncsc.gov.uk/collection/annual-review-2023/resilience

DMARC Enforcement Policies

What is a DMARC Enforcement Policy?

When you set a DMARC policy for your agency you, as an email sender, are indicating that your messages are protected.

The policy tells a receiver what to do if one of the authentication methods in DMARC passes or fails.

How it Works
When emails are received by the mailbox provider, the receiver checks if DMARC has been activated for your domain.

What Does a DMARC Policy Look Like?

Here’s a typical policy in DNS. Note that this domain is configured with a policy of ”reject” DMARC record for agari.com:

Steps to DMARC Implementation

How Do I Get Visibility and Reporting from DMARC?

Once your DMARC policy is implemented, you will start to receive thousands of reports every day, depending upon the number of emails your organization sends. Because it’s difficult to process the reports manually, you can work with a commercial vendor to display and process the data. Commercial software such as Agari DMARC Protection can help with DMARC policy creation and hosting, third-party sender identification and alignment, and ongoing visibility as you progress through your DMARC implementation. In fact, Fortra’s Agari DMARC Protection ensures companies reach Reject confidently and securely, boasting an enforcement rate of 78%.

Resources

Blog

Get Started

See how Fortra's Agari DMARC Protection automates DMARC email authentication and enforcement for government agencies to prevent costly phishing attacks.

REQUEST A DEMO