
Government Guidance for Email Authentication Has Arrived in USA and UK


We recently discussed governmental organizations that send out warnings rather than preventing spear phishing attacks through email authentication. Therefore it's good to see a pair of prominent governmental organizations giving clear guidance to their constituents about using DMARC to enforce authenticity of email on their domains.

The British Government Digital Service announced in June an upcoming requirement that all services using subdomains of gov.uk would need to have a DMARC policy at enforcement. The deadline for that enforcement came in the last week.

"Services should publish a DMARC policy and set it to the highest level, called 'p=reject'. If you have not set up this policy by 1 October 2016, your emails may be rejected by external email providers."

Simultaneously, the National Institute of Standards and Technology (NIST) has published its special report "Trustworthy Email" (also known under the catchy name 800-177). This report contains a long section on SPF, DKIM, and DMARC, the last of these sections extending from pages 54 through 62. The NIST report contains clear recommendations for both email senders and receivers.

To the senders it says,

"Security Recommendation 4-11: Sending domain owners who deploy SPF and/or DKIM are recommended to publish a DMARC record signaling to mail receivers the disposition expected for messages purporting to originate from the sender's domain."

And to receivers it instructs,

"Security Recommendation 4-12: Mail receivers who evaluate SPF and DKIM results of received messages are recommended to dispose them in accordance with the sending domain's published DMARC policy, if any. They are also recommended to initiate failure reports and aggregate reports according to the sending domain's DMARC policies."
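A domain owner can check a published record against the 'p=reject' level that GDS asks for, and see whether it requests the aggregate reports mentioned in the receiver recommendation. The sketch below is an added example, not code from GDS, NIST or ValiMail; the function names are hypothetical, the tag handling follows RFC 7489, and the records are passed in as strings so it runs without DNS.

```python
# Added example: audit DMARC TXT records for the "p=reject" level.
# Tag syntax follows RFC 7489; function names are hypothetical.

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, or return None if invalid."""
    tags = {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            return None
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (name != "v" or value != "DMARC1"):
            return None  # v=DMARC1 must be the first tag
        tags.setdefault(name, value)
    # p= is required; RFC 7489's fallback to p=none when rua= is
    # present is not modelled here, such records are reported invalid.
    if not tags or tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    return tags


def audit(txt, subdomain=False):
    """Return (effective_policy, findings) for one record."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid", ["not a valid DMARC policy record"]
    policy = tags["p"].lower()
    # sp= overrides p= for subdomains of the domain that published the record
    if subdomain and tags.get("sp", "").lower() in VALID_POLICIES:
        policy = tags["sp"].lower()
    findings = []
    if policy != "reject":
        findings.append(f"policy is '{policy}', not 'reject'")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        findings.append(f"pct={pct} is malformed")
    elif int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports are requested")
    return policy, findings
```

An empty findings list means the record is at full enforcement and requests aggregate reports; the `subdomain=True` case matters for organizational domains whose `sp=` tag quietly relaxes the policy for the subdomains beneath them.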

We understand that educating the broad community of government organizations will take some time in both the UK and the USA. It's encouraging that these two thought leadership organizations have laid out clear direction, which will help us get to the day when we don't have to see any more stories in the media about government offices falling for spear phishing attacks.

By ValiMail, Provider of Email Authentication as a Service – ValiMail, the world's first provider of Email Authentication as a Service™, enables automated email authentication for 2.7 billion email inboxes globally. Using the DMARC, SPF, and DKIM protocols, ValiMail gives enterprises full visibility and control over who sends messages using their domains, eliminates phishing impersonation attacks, and improves email deliverability.
