Administrators ‘unprepared’ for domain migration

09 April 2019

Only 28 per cent of gov.uk domains have enabled the email authentication protocol DMARC (Domain-based Message Authentication, Reporting and Conformance), as advised by the UK Government Digital Service (GDS) ahead of the retirement of the Government Secure Intranet (GSI) platform.

Security vendor Egress found that several government email administrators were unprepared for the domain migration that the retirement of GSI forces on departments, which must move their email to the public cloud. Without DMARC in place on the migrated domains, their users are left open to phishing attacks.

The findings contrast with central government departments, where the majority have implemented DMARC according to the National Cyber Security Centre (NCSC). DMARC is an important part of the NCSC’s Active Cyber Defence initiative, which was set up to shield the UK from attacks. It lets a domain owner publish a policy in DNS that tells receiving mail servers how to treat messages which use the domain in the From address but fail authentication by SPF or DKIM for an aligned domain, and asks those servers to send the owner reports on what they saw. Because receivers can then detect and block spoofed messages, recipients can rely on a message that claims to come from the domain having originated with a legitimate sender. Fake emails claiming to be from the government, including non-ministerial departments such as HMRC, have become a major problem in the fight against cybercrime, and DMARC can help deal with them if it is adopted with an enforcing policy.

In addition, of the 28 per cent that had enabled DMARC at the time of the study, over half (53 per cent) had set the policy to “none”, the “do nothing” setting, which asks receiving servers only to report authentication failures and not to act on them. A monitor-only policy gives no protection: spoofed messages are delivered exactly as before, so business email compromise attempts, spam and phishing messages impersonating the domain still reach recipient inboxes.
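The following is an added example, not code from Egress, GDS or the NCSC, that makes the two points above concrete: it parses DMARC records of the kind published at `_dmarc.<domain>`, buckets each domain the way an adoption survey would (no record, monitoring only, partial enforcement, enforcing), and then shows how a receiving server turns SPF and DKIM results into a DMARC verdict and a disposition. The domains and records are constructed for the example; the treatment of a record with `rua=` but no usable `p=` as `p=none` is my reading of RFC 7489, and relaxed alignment is approximated with a suffix check rather than a public-suffix list.

```python
"""Added example: DMARC record audit plus receiver-side verdict and disposition.
Example code only; sample domains and records are constructed, not real gov.uk data."""

# Constructed sample TXT records, as they would appear at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "monitor.example.gov.uk": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example.gov.uk",
    "partial.example.gov.uk": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@partial.example.gov.uk",
    "strict.example.gov.uk": "v=DMARC1; p=reject; sp=reject; adkim=s; rua=mailto:dmarc@strict.example.gov.uk",
    "nopolicy.example.gov.uk": "v=DMARC1; rua=mailto:dmarc@nopolicy.example.gov.uk",
    "absent.example.gov.uk": None,  # no _dmarc TXT record at all
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tags with defaults filled in.

    Returns None when there is no record or it is not a DMARC record.
    A record with a rua= tag but no usable p= tag is treated as p=none
    (assumption: my reading of RFC 7489 section 6.6.3).
    """
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    if tags.get("p", "").lower() not in VALID_POLICIES:
        if "rua" not in tags:
            return None
        tags["p"] = "none"
    tags["p"] = tags["p"].lower()
    tags["sp"] = tags.get("sp", tags["p"]).lower()  # subdomain policy defaults to p
    try:
        tags["pct"] = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        tags["pct"] = 100  # unparseable pct: treat as "apply to all" (assumption)
    tags.setdefault("adkim", "r")  # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


def classify(tags):
    """Bucket a parsed record the way a DMARC adoption survey would."""
    if tags is None:
        return "no DMARC"
    if tags["p"] == "none":
        return "monitoring only"  # receivers report failures but deliver anyway
    if tags["pct"] < 100 or tags["sp"] == "none":
        return "partial enforcement"  # sampled, or subdomains left unprotected
    return "enforcing"


def audit(records):
    """Classify every domain in a {domain: txt_record_or_None} mapping."""
    return {domain: classify(parse_dmarc(record)) for domain, record in records.items()}


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment. Strict ('s') needs an exact match; relaxed ('r')
    needs the same organizational domain, approximated here by a suffix
    check because no public-suffix list is used (simplification)."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if auth_domain == from_domain:
        return True
    if mode == "s":
        return False
    return auth_domain.endswith("." + from_domain) or from_domain.endswith("." + auth_domain)


def dmarc_verdict(tags, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """DMARC passes when either SPF or DKIM passed AND its domain aligns with From."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    return spf_ok or dkim_ok


def disposition(tags, passed, is_subdomain=False, sample=100):
    """Receiver action for a message. `sample` stands in for the receiver's
    random draw in 1..100 used for pct= sampling: a draw above pct gets the
    next weaker policy (reject -> quarantine, quarantine -> none), per RFC 7489."""
    if passed:
        return "deliver"
    policy = tags["sp"] if is_subdomain else tags["p"]
    if sample > tags["pct"]:
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    for domain, bucket in audit(SAMPLE_RECORDS).items():
        print(f"{domain:28} {bucket}")
    # A spoofed message: From uses the government domain, SPF passes only for the
    # attacker's own sending domain, no DKIM signature.
    for name in ("monitor.example.gov.uk", "strict.example.gov.uk"):
        tags = parse_dmarc(SAMPLE_RECORDS[name])
        ok = dmarc_verdict(tags, name, "pass", "attacker.example.net", "none", "")
        print(f"spoof of {name}: dmarc={'pass' if ok else 'fail'} -> {disposition(tags, ok)}")
```

Running the audit shows why a `p=none` record counts for nothing in the "effective" column: the spoof of the monitoring-only domain fails DMARC yet is still delivered, while the same message aimed at the `p=reject` domain is rejected. A real survey would fetch each record with a DNS lookup for `_dmarc.<domain>` in place of the constructed dictionary.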

Egress said that would mean that a mere 14 per cent of government domains use DMARC effectively to stop phishing attacks. “It’s quite startling to see that so many public sector organisations have not yet enabled DMARC effectively and therefore cannot provide full assurance over their email network’s ability to withstand phishing attacks,” said Egress chief technology officer Neil Larkins. “With only one month left before the GSI framework is retired, it’s critical that organisations heed the advice laid out by GDS.”

Egress said it analysed more than 2,000 email domains.