As of Jan. 15, all government agency domains are required to have Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records in place, according to an October 2017 order issued by the U.S. Department of Homeland Security — a major step in governmentwide cybersecurity.
SPF is a way of authenticating an email sender and detecting spoofing. Incoming emails are checked to ensure that they’re from a system authorized to send for that domain. If someone tries to spoof the “from” address, then the email is flagged.
DMARC uses SPF and DomainKeys Identified Mail (DKIM) — a sender authentication standard omitted from the DHS directive — to define how receiving mail systems authenticate a message and how they should respond if that message fails authentication. DMARC also allows organizations to request reports on these authentication checks, which helps them detect spoofing while ensuring that important, legitimate emails are not diverted.
Ultimately, security leaders must understand these changes to communicate what they are to their organizations and the people affected.
Explaining email security in plain English
For anyone not well-versed in email security, SPF and DMARC may seem foreign, but a comparison to the U.S. Postal Service can simplify them.
SPF is like checking a letter’s sender by verifying that the post office seal on the letter matches the town of the sender’s return address. A sender could mail a letter from a different post office, but the receiver could spot the mismatch and treat the letter as suspicious. SPF is the authentication that confirms an email is coming from a server authorized to send for that .gov domain.
DMARC, on the other hand, is a way for federal agencies to tell the receiver what to do if the email was not sent from an official .gov server. It also provides a way for agencies to ask the receiver for information on the messages they receive so that they can see whether they are being spoofed.
In our post office analogy, DMARC would be the equivalent of publishing in the phone book the rules on what to do if the post office seal does not match the designated mailing address town: Should a user treat it as suspicious, quarantining it until it’s reviewed by an officer, or should she throw it in the trash? The phone book would also include a mailing address the receiver could use to send the sending agency information about received letters and whether the authentication check passed.
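To make the SPF check and the DMARC disposition concrete, here is an added Python example (not from the article or from any agency's configuration) that parses constructed SPF and DMARC records and decides what a receiving system would do with a message. The domain, IP and mailbox values are made up; SPF evaluation is simplified to ip4/ip6 mechanisms, and DKIM is left out, matching the scope of the directive as described above.

```python
import ipaddress

# Constructed sample records for a hypothetical agency domain (not real DNS data).
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@agency.example.gov"
SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_dmarc(txt):
    """Split a DMARC TXT record into its tags, e.g. {'v': 'DMARC1', 'p': 'quarantine', ...}."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def spf_check(txt, sender_ip):
    """Evaluate the sending IP against the SPF record of the MAIL FROM domain.
    Simplified: only ip4/ip6 mechanisms and 'all' are handled; include/a/mx/redirect
    would need live DNS lookups and are treated here as non-matching."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, mech = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return SPF_RESULT[qualifier]
        if name == "all":
            return SPF_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term was present


def aligned(mail_from_domain, header_from_domain, mode):
    """Relaxed alignment ('r') accepts a subdomain; strict ('s') needs an exact match.
    A full implementation derives the organizational domain from the Public Suffix List."""
    a, b = mail_from_domain.lower(), header_from_domain.lower()
    return a == b or (mode == "r" and (a.endswith("." + b) or b.endswith("." + a)))


def evaluate(spf_txt, dmarc_txt, sender_ip, mail_from_domain, header_from_domain):
    """Return the SPF result and the DMARC disposition a receiver should apply (SPF only, no DKIM)."""
    dmarc = parse_dmarc(dmarc_txt)
    spf = spf_check(spf_txt, sender_ip)
    if spf == "pass" and aligned(mail_from_domain, header_from_domain, dmarc.get("aspf", "r")):
        return {"spf": spf, "disposition": "deliver"}
    # p=none only monitors; quarantine and reject are applied as published.
    return {"spf": spf, "disposition": "deliver" if dmarc["p"] == "none" else dmarc["p"]}
```

The last case worth noting is a message whose MAIL FROM domain passes SPF but does not align with the visible From header; DMARC treats that as a failure, which is what stops a spoofed .gov display address from riding on someone else's SPF record.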
Most important is how much email sender authentication — and the way SPF and DMARC fit into that — combats a major threat to government agencies and the citizens they serve. People assume .gov emails have a certain legitimacy, which makes impersonating the federal government — like the ongoing IRS scam — a common fraud tactic. These tools, however, help eliminate that impersonation. When PayPal put them in place, for example, fraud dropped by 70 percent.
Taking the next steps in email security
Implementing SPF and DMARC is an essential first step for thwarting scammers and protecting government emails. But to ensure that email traffic is entirely legitimate in an increasingly precarious cybersecurity landscape, government agencies must take additional steps.
Cybersecurity standards are now in place at the federal level but, in many cases, not at the state or local level. Until every government entity begins working with authorized senders, the risk of cyberthreats will remain high. Plus, if agencies working below the federal level are not identified as authorized senders, then the important emails they send up the ladder could end up quarantined, disrupting communications.
These new standards also don’t help when someone manages to hack into a government inbox and exploit an authorized sender. Focusing on inbound and outbound traffic is important, but restricting access to the inbox itself is equally important. Finally, users themselves are a vital resource in email security. Putting policies in place to bolster users’ security, orchestrating education and training efforts, and securing buy-in from users all ensure that email security is a top priority.
Federal agencies are headed in the right direction. There’s still some road to go, but if the momentum continues, then fake and malicious “government” emails could become a cyberthreat of the past.
David Wagner serves as the president and chief executive officer of email security company Zix and previously held leadership roles at Entrust for 20 years. With his IT security and leadership background, David offers a business perspective that enables company leaders to better understand evolving cyberattacks and prepare for future threats.