UK must use DMARC for email by Oct

The UK’s Government Digital Service (GDS) has mandated that all UK government websites — as well as all email communications between central government organisations and accounts outside of the dedicated Public Service Network — use encryption by October 2016.

The government body has also announced a requirement for government organisations using the service.gov.uk subdomain for email to use the new DMARC authentication protocol to further protect government communications.

DMARC, or domain-based authentication reporting and conformance, is designed to allow email senders to verify legitimate messages and set policies for handling authentication messages.

The GDS has stipulated that from 1 October, all government agencies will need to set the DMARC policy to the highest level, which involves rejecting unauthenticated messages before they arrive in a user’s inbox.

In a recent blog post, Easy Solutions anti-fraud solutions consultant Matthew Platten said the GDS decision is good news for the government, and great news for the public.

“A strong email authentication system is one of the most effective means of ensuring that recipients are reading messages only from the intended sender and not someone spoofing a legitimate organisation,” he said.

“The UK government’s implementation of DMARC means that cybercriminals will no longer be able to spoof the service.gov.uk domain, a tremendous boon to government agencies and citizens alike. Restoring trust in email communications is paramount for legitimate organisations, and other governments and enterprises would be well advised to follow in the UK’s footsteps.”

He said spam-based phishing attacks lead to global losses of more than £1.4 billion ($2.39 billion) per year.

Image courtesy of AJC under CC