Updated April 17, 2020
The adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC) has been slow, mainly due to a lack of understanding, a lack of guidance on moving to enforcement levels, and the fact that many organizations still have not heard of it. However, one sector that has focused on DMARC over the years is the governments of many countries.
The United Kingdom kicked things off in 2016 by mandating that all UK government entities implement DMARC at the highest level of enforcement.
In late 2017, the US Department of Homeland Security (DHS) mandated that all US federal agencies implement DMARC at the lowest level within 90 days and the highest level within one year, along with other security measures outlined in BOD 18-01.
The governments of the Netherlands and New Zealand followed suit in 2018, and in 2019 Australia did as well.
Now in 2020, Canada is leading the way by releasing its Implementation Guidance on email domain protection. This is very timely, as a high number of phishing emails are being sent during the COVID-19 pandemic. We have already seen that the domain of the World Health Organization (WHO) can be spoofed (and possibly has already been part of the spam/phishing campaigns); WHO started the implementation of DMARC about a week after this VOX article.
UPDATE: Denmark is also leading the way with DMARC. All authorities are required to implement a DMARC policy of ‘reject’ on all domains they own.
It is critical that organizations – not only governments – take into account what DMARC is capable of doing alongside other email security mechanisms (anti-spam/phishing tools, DANE, checking for valid MX records, etc.). There are various resources available to learn more about DMARC and to get additional guidance.
One upcoming event is the Global Cyber Alliance (GCA) DMARC Bootcamp: Defend & Deliver. Continuing its efforts to accelerate DMARC adoption through advocacy and practical solutions, GCA is pleased to offer a new installment of its DMARC Bootcamp. Beginning May 4th, GCA will conduct five weeks of online technical training focused on what DMARC is and how to implement it. We will cover the basics of SPF and DKIM and options for performing DKIM key generation and signing. We will go over each of the tags for a DMARC policy and provide a demonstration on how to create the DNS records for SPF, DKIM, and DMARC on several systems. You can register for the bootcamp here: https://bootcamp.globalcyberalliance.org/dmarc-bootcamp-2020
We hope to see you at bootcamp!