SC Media asks why more organisations (including the DHS) haven’t adopted DMARC, a proven anti-phishing protection against the sending of spoofed emails.
UK government agencies have been rolling out Domain-based Message Authentication, Reporting & Conformance (DMARC) for more than a year now. Indeed, SC Media UK gave Ed Tucker of HMRC its best CISO award for his role in using the DMARC protocol to help eliminate spoofed tax emails purporting to come from HMRC. DMARC lets an organisation declare which servers are authorised to send messages on its behalf, and any message that fails its checks, such as one spoofing an @hmrc.gov.co.uk address, does not get delivered.
How successful has this been? HMRC reckons the number of spoofed emails has dropped from 500 million before the introduction of DMARC to less than 200 million now. It is not a cure-all, but it is certainly a security tonic. The Cabinet Office’s Government Digital Service (GDS) mandated compulsory DMARC adoption for all .gov addresses by October 2016. So what is holding back the US government, and other businesses on that side of the pond for that matter? SC Media has been investigating.
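The check described above, as an added illustration that is not part of the SC Media article or of HMRC’s deployment: a minimal Python evaluator that parses a published DMARC TXT record and decides how a receiving server should dispose of a message, based on whether an SPF or DKIM pass aligns with the visible From domain. The domains, records and function names are constructed for this example, and the organisational-domain rule is simplified.

```python
# Constructed sample DMARC records, as a domain owner would publish them in a
# TXT record at _dmarc.<domain>. The p=reject record models a domain after a
# full rollout; p=none models a domain that only collects reports.
SAMPLE_RECORDS = {
    "hmrc.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hmrc.example; adkim=s; aspf=s",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
}


def parse_dmarc(record):
    """Parse a DMARC record (RFC 7489 'tag=value' pairs separated by ';')."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    # Alignment modes default to relaxed when the tag is absent.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    # Simplified organisational-domain rule (last two labels); real receivers
    # consult the Public Suffix List instead.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts subdomains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return 'pass', or the record's policy ('none', 'quarantine', 'reject').

    spf_pass_domain: the MAIL FROM domain if SPF passed, otherwise None.
    dkim_pass_domain: the d= domain of a valid DKIM signature, otherwise None.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = dkim_pass_domain is not None and aligned(from_domain, dkim_pass_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]
```

A message from an unauthorised server fails both SPF and DKIM, so under the p=reject record it is not delivered, whereas the p=none record only reports it.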