U.S. Government To Mandate DMARC

Dane Meah
August 10, 2017


This morning, news broke that the US Government has moved to mandate the use of DMARC to protect organisations and the public from emails sent by fraudsters. The move follows the UK’s Government Digital Service (GDS), which mandated that all UK government departments adopt DMARC at a full “p=reject” policy by 1st October 2016.

Whilst email is inherently insecure as a platform, DMARC has been widely acknowledged as the solution to the email fraud problem. DMARC builds on the pre-existing open standards SPF and DKIM by providing control, visibility and governance for an organisation’s sending domains: a published policy tells receivers what to do with mail that fails authentication, and aggregate reports tell the domain owner who is actually sending as that domain.
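To make “control, visibility and governance” concrete at the DNS level, the following is an added Python example (not code from the article, Infotrust or Agari) that parses a DMARC TXT record and reports whether it actually enforces a reject policy and whether aggregate reporting (the `rua=` tag) is configured. The three records are constructed samples rather than any real domain’s record, and the DNS lookup itself is deliberately left out so the example runs offline.

```python
"""Assess what a DMARC TXT record actually enforces.

Added illustration, not part of the original article. The sample records
below are constructed; the tag names (v, p, sp, pct, rua, adkim, aspf)
are the standard DMARC tags. Fetching the real record from DNS
(_dmarc.<domain> TXT) is left to the caller.
"""
from dataclasses import dataclass, field


@dataclass
class DmarcAssessment:
    policy: str                 # p= : none | quarantine | reject
    subdomain_policy: str       # sp= (defaults to p=)
    pct: int                    # pct= (defaults to 100)
    aggregate_reports: list     # rua= addresses, the "visibility" part
    alignment: dict             # adkim= / aspf= (r = relaxed, s = strict)
    findings: list = field(default_factory=list)


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and check the mandatory tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 is missing")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Report the effective policy plus any gap that weakens it."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    sp = tags.get("sp", policy).lower()
    pct = int(tags.get("pct", "100"))
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    alignment = {"dkim": tags.get("adkim", "r"), "spf": tags.get("aspf", "r")}

    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is spam-foldered, not rejected")
    if sp != policy and sp == "none":
        findings.append("sp=none: subdomains unprotected while the organisational domain is enforced")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if not rua:
        findings.append("no rua= address: no aggregate reports, so no visibility into senders")
    return DmarcAssessment(policy, sp, pct, rua, alignment, findings)


def is_fully_enforcing(record: str) -> bool:
    """True only for a complete 'reject' deployment covering all mail and subdomains."""
    a = assess_dmarc(record)
    return a.policy == "reject" and a.subdomain_policy == "reject" and a.pct == 100


# Constructed sample records (not real domains' records)
SAMPLE_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
SAMPLE_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
SAMPLE_PARTIAL = "v=DMARC1; p=reject; sp=none; pct=50"

if __name__ == "__main__":
    for rec in (SAMPLE_REJECT, SAMPLE_MONITOR, SAMPLE_PARTIAL):
        result = assess_dmarc(rec)
        print(rec)
        print(f"  enforcing: {is_fully_enforcing(rec)}")
        for f in result.findings:
            print(f"  - {f}")
```

The check deliberately treats `p=reject` alone as insufficient: a record that reaches `reject` but leaves `sp=none` or `pct=50` still lets spoofed mail through, which is the gap the “correctly configured with a reject policy” wording later in this article is pointing at.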

The open letter published yesterday regarding the US Government’s move to mandate DMARC states:

“[DMARC], if enabled, would make it significantly harder for fraudsters and foreign governments to impersonate federal agencies. The threat posed by criminals and foreign governments impersonating U.S. government agencies is real.”

Major global organisations, such as Microsoft, Google, Apple, Facebook and 6 of the top 10 U.S. banks, have already deployed DMARC using the Agari Email Trust Platform. Locally, the Australian Department of Human Services led the way earlier this year by implementing Agari to protect the Australian public from the fake Centrelink and Medicare scams that had been on the rise.

The CEO of Australian Agari partner Infotrust spoke of the trend:

“For years, organisations have tried and failed to deploy other protocols to lock down their domains. The problem has been visibility. DMARC has been a game changer – it’s been like turning a light on in a dark room.”

“For the first time, organisations get visibility into who is sending from their domains which enables confidence to lock down the domain with a “reject” policy without fear of business impacting loss of good email.”

The CEO of Agari said:

“Phishing, spear phishing and new Business Email Compromise (BEC) attacks use email to pose as government organisations or trusted brands and target the most vulnerable part of our defences: the human brain. In 95% of security breaches, cybercriminals use deceptive emails that trick users as the entry point into the organisation. The constant barrage of deceptive emails undermines trust in digital business and commerce, limiting growth. We have the technology and the open standards to eradicate phishing from Australia and around the world. It is incumbent on governments to lead by setting standards for cyber security and partner with private industry to achieve 100% adoption of DMARC. We are excited to have Infotrust, with their extensive email security expertise, leading this effort in Australia using Agari.”

Earlier this year, Infotrust’s research into the Australian market found that very few organisations had deployed DMARC. In fact, only one ASX50 company has DMARC correctly configured with a reject policy.

Overseas the story is very different: the proactive approach taken by the UK government has led to both the public and private sectors adopting these controls to protect themselves and their customers.

“Locally, awareness is still low about DMARC. Many organisations are looking at SPF which has a number of inherent issues as explained in our blog which reduces its effectiveness. Infotrust is working hard to raise awareness and help solve the exponential email fraud problem.”