Fewer than 28% of gov.uk using DMARC effectively in line with guidelines

Only 28% of gov.uk domains have been proactive in setting up DMARC appropriately, in line with UK Government Digital Service (GDS) advice in preparation for the retirement of the Government Secure Intranet (GSI) platform in March 2019.


Since 1996, the GSI framework has enabled connected organizations to communicate electronically and securely at low protective marking levels, according to Egress.

The findings reveal a lack of preparation from several government email administrators in readying themselves for the domain migration, which in effect leaves domain users open to phishing attacks.

Egress analysed more than 2,000 email domains to check whether public sector organisations have DMARC enabled, and whether they were implementing it in line with the government’s guidance.

Neil Larkins, CTO of Egress, comments: “It’s quite startling to see that so many public sector organizations have not yet enabled DMARC effectively and therefore cannot provide full assurance over their email network’s ability to withstand phishing attacks. With only one month left before the GSI framework is retired, it’s critical that organizations heed the advice laid out by GDS.”

Once enabled, DMARC provides an email validation system designed to detect and prevent email spoofing, ensuring that email senders and recipients can better determine whether or not a given message is from a legitimate sender.

With DMARC fully enabled, administrators can decide whether an email from an untrusted source should be placed in quarantine or rejected.

Worryingly, of the 28% that have set up DMARC themselves, 53% have the policy set to ‘do nothing’. This means that email buffering and Business Email Compromise (BEC) can’t be prevented for these domains, and spam and phishing messages go straight into the recipient’s inbox, regardless of whether the message has been sent from a trusted sender or not.

Any organizations relying on a default gov.uk DMARC setting will also not be taking advantage of the ‘reject email’ policy, which means that, ultimately, fewer than 14% of organisations are using DMARC effectively if they want to stop phishing attacks.
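The distinction the figures above turn on (no DMARC, a ‘do nothing’ policy, or a quarantine/reject policy) can be checked from the TXT records published at `_dmarc.<domain>`. The sketch below is an added example, not code from Egress or GDS; the function names, category labels and sample domains are assumptions, and the records are constructed.

```python
# Added example: classify DMARC TXT records by enforcement level (RFC 7489 tags).
# All domains and records below are constructed sample data, not survey results.
from collections import Counter

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    pairs = [part.split("=", 1) for part in txt.split(";") if "=" in part]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    # RFC 7489: the v tag must come first and its value must be "DMARC1".
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def classify(txt_records):
    """Classify a domain from the TXT records found at _dmarc.<domain>."""
    parsed = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not parsed:
        return "no-dmarc"
    if len(parsed) > 1:
        return "invalid"        # several DMARC records: DMARC is not applied
    policy = parsed[0].get("p", "").lower()
    if policy == "none":
        return "monitor-only"   # the 'do nothing' policy: reports only
    if policy not in ("quarantine", "reject"):
        return "invalid"        # missing or unknown p tag: nothing is enforced
    try:
        pct = int(parsed[0].get("pct", "100"))
    except ValueError:
        return "invalid"        # assumption: an unparsable pct is flagged here
    # pct below 100 applies the policy to only a share of failing mail.
    return "partial" if pct < 100 else policy

def summarise(domains):
    """Count domains per enforcement level."""
    return dict(Counter(classify(records) for records in domains.values()))

SAMPLE = {  # constructed records, as a DNS TXT lookup would return them
    "council-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@council-a.example"],
    "council-b.example": ["v=DMARC1; p=none"],
    "agency-c.example": ["v=spf1 -all"],   # SPF record only, no DMARC
    "agency-d.example": ["v=DMARC1; p=quarantine; pct=25"],
    "dept-e.example": [],
}

if __name__ == "__main__":
    for level, count in sorted(summarise(SAMPLE).items()):
        print(f"{level:13} {count}")
```

Only domains that come back as `quarantine` or `reject` are asking receivers to act on mail that fails authentication.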

GDS recently announced that it has stopped issuing any new .gsi-family domains and updated its email security guidance for government email administrators to follow.

This guidance aims to help ensure that an organization’s email service is configured and runs in a secure way. As a minimum, GDS recommends using the Transport Layer Security (TLS) encryption protocol and DMARC to encrypt and authenticate email in transit.

“The advice from the GDS is a great first step in safeguarding that government organizations are securely sharing and authenticating email messages. However, as with many complex organisations, Government departments and councils will probably also need to look to supplement TLS with additional technology, such as message-level encryption – which is suitable, for example, when they don’t have assurance that TLS is set up correctly on the recipient’s server or when messages need to be encrypted at-rest in the recipient’s mailbox. This is especially important for government organizations sharing data externally, where the security posture of the recipient is often unknown.”