Only 28% of Gov.uk Domains Support DMARC

Only around a quarter of the UK government’s gov.uk domains have been set up to support an industry best-practice email validation system, despite the imminent retirement of a previous public sector domain platform, according to Egress.

The security vendor found that just 28% of gov.uk domains have enabled Domain-based Message Authentication, Reporting and Conformance (DMARC), which helps to prevent certain spam and phishing attacks. The vendor ran its tests just a few weeks before the Government Secure Intranet (GSI) platform is to be switched off this month, forcing departments to migrate to the public cloud. The findings mean the vast majority of gov.uk domains are not currently following the minimum standards suggested by the UK Government Digital Service (GDS) for email authentication.

Even worse, of the 28% that had enabled DMARC at the time of the study, over half (53%) set a policy to “do nothing” — which would effectively let through Business Email Compromise (BEC) attacks and allow email buffering, while spam and phishing messages would be allowed into recipients’ inboxes. This means that in reality, only 14% of government domains are using DMARC effectively to stop phishing attacks, Egress warned.
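The distinction the article draws between having a DMARC record and having one that enforces anything can be checked mechanically. The following Python is an added example, not code from Egress or the article: it classifies the TXT answers for _dmarc.<domain> as missing, monitoring-only (p=none, the “do nothing” policy) or enforcing. The domains, records and category names are constructed for illustration.

```python
from collections import Counter

# Constructed sample: TXT answers for _dmarc.<domain> (hypothetical domains).
SAMPLE = {
    "dept-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@dept-a.example"],
    "dept-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@dept-b.example"],
    "dept-c.example": ["v=spf1 -all"],            # a TXT record, but not DMARC
    "dept-d.example": [],                          # no TXT answer at all
    "dept-e.example": ["v=DMARC1; p=quarantine; pct=25"],
    "dept-f.example": ["v=DMARC1;p=NONE"],
}

def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the first tag must be exactly v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Classify one domain from the TXT strings published at _dmarc.<domain>."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(records) != 1:      # zero or several records: receivers apply no DMARC
        return "no-dmarc"
    policy = records[0].get("p", "").lower()
    if policy == "none":
        return "monitor-only"  # failures are reported, but mail is still delivered
    if policy in ("quarantine", "reject"):
        # pct below 100 applies the policy to only a share of failing mail.
        pct = records[0].get("pct", "100")
        return "enforcing" if pct.isdigit() and int(pct) == 100 else "partial"
    return "invalid"           # simplification: missing or unknown p tag

def summarize(domains):
    """Count domains per category."""
    return Counter(classify(txt) for txt in domains.values())

if __name__ == "__main__":
    for domain, txt in SAMPLE.items():
        print(f"{domain:16} {classify(txt)}")
    print(dict(summarize(SAMPLE)))
```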
