
Government Guidance for Email Authentication Has Arrived in USA and UK


We recently discussed governmental organizations that send out warnings rather than preventing spear phishing attacks through email authentication. Therefore it's good to see a pair of prominent governmental organizations giving clear guidance to their constituents about using DMARC to enforce authenticity of email on their domains.

The British Government Digital Service announced in June an upcoming requirement that all services using subdomains of gov.uk would need to have a DMARC policy at enforcement. The deadline for that enforcement came in the last week.

"Services should publish a DMARC policy and set it to the highest level, called 'p=reject'. If you have not set up this policy by 1 October 2016, your emails may be rejected by external email providers."

Simultaneously, the National Institute of Standards and Technology (NIST) has published its special report "Trustworthy Email" (also known under the catchy name 800-177). This report contains a long section on SPF, DKIM, and DMARC, the last of these sections extending from pages 54 through 62. The NIST report contains clear recommendations for both email senders and receivers.

To the senders it says,

"Security Recommendation 4-11: Sending domain owners who deploy SPF and/or DKIM are recommended to publish a DMARC record signaling to mail receivers the disposition expected for messages purporting to originate from the sender's domain."

And to receivers it instructs,

"Security Recommendation 4-12: Mail receivers who evaluate SPF and DKIM results of received messages are recommended to dispose them in accordance with the sending domain's published DMARC policy, if any. They are also recommended to initiate failure reports and aggregate reports according to the sending domain's DMARC policies."

We understand that educating the broad community of government organizations will take some time in both the UK and the USA. It's encouraging that these two thought leadership organizations have laid out clear direction, which will help us get to the day when we don't have to see any more stories in the media about government offices falling for spear phishing attacks.
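As an added example (not code from GDS, NIST or ValiMail), the check below audits a DMARC TXT record against the 'p=reject' level quoted above, including two cases where a record containing p=reject still falls short: a pct= value under 100 and a weaker sp= subdomain policy. The function names and sample records are constructed for illustration, and the parser handles only the basic tag=value syntax of RFC 7489.

```python
# Added example: audit DMARC TXT records for full "p=reject" enforcement.
# All records below are constructed samples, not real published policies.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not one."""
    pairs = [part.split("=", 1) for part in txt.split(";") if "=" in part]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    # RFC 7489: the v tag must come first and must be exactly "DMARC1".
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def enforcement_findings(txt, is_subdomain=False):
    """Return the reasons a record falls short of full p=reject (empty = ok)."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no valid DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    # A subdomain without its own record inherits sp= from the
    # organizational domain, falling back to p= when sp= is absent.
    if is_subdomain:
        policy = tags.get("sp", policy).lower()
    if policy != "reject":
        findings.append("effective policy is %r, not 'reject'" % (policy or "missing"))
    # pct below 100 applies the policy to only a sample of failing mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) != 100:
        findings.append("pct=%s: policy covers only part of the mail" % pct)
    return findings

SAMPLES = {  # constructed records
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.gov.uk",
    "partial": "v=DMARC1; p=reject; pct=25",
    "weak-sub": "v=DMARC1; p=reject; sp=none",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov.uk",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        result = enforcement_findings(record, is_subdomain=True)
        print(name, result or "at enforcement")
```

The is_subdomain flag matters for the gov.uk case because the requirement covers services on subdomains, which inherit the parent's sp= policy when they publish no record of their own.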

ValiMail

About ValiMail – ValiMail, the world's first provider of Email Authentication as a Service™, enables automated email authentication for 2.7 billion email inboxes globally. Using the DMARC, SPF, and DKIM protocols, ValiMail gives enterprises full visibility and control over who sends messages using their domains, eliminates phishing impersonation attacks, and improves email deliverability.
