Why Should State and Local Governments Use DMARC?

Why Should State and Local Governments Use DMARC?

The protocol can assist government agencies in improving email security and building trust with residents and the private sector.

As shown by a recent attack on Missouri's state government, humble email systems remain an attack vector for malicious cyberattacks on state and local governments.


Thousands of domains at the state and local level — three times the number of federal domains — could benefit from the protection and benefits of email authentication. However, almost no state and local governments are making use of authentication standards that could help improve email security, especially against phishing attacks.


Currently, less than 1% of state and local government domains (and none of the primary.gov and.us domains in the United States) are properly secured against impersonation by using the leading email authentication standard, Domain-based Message Authentication, Reporting, and Conformance, or DMARC.


One-third of all state and local governments are attacked on a daily basis, while another half is targeted hourly.

“We believe that as the owner of a domain for a state or federal agency, you have a duty to protect user information,” he says. “If you haven't even locked down your email, it's difficult for states, municipalities, and local utilities to comply with PII or GDPR guidelines.”

Adopting DMARC not only enhances security but improves trust with residents and private sector companies that deal with the state or local government


What Is DMARC and How Can It Help State and Local Governments?

The industry standard DMARC is an email authentication policy and reporting protocol that is designed to prevent email spoofing, which is the foundation of phishing when malicious actors impersonate legitimate email senders to bait internal employees or deceive people outside an organization. DMARC was finalized in 2015 by contributors such as Google, Yahoo, Mail.Ru, JPMorgan Chase, and Symantec as parts of the Trusted Domain Project.

To improve and monitor domain protection from fraudulent email, DMARC “builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (From:) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders,” as according DMARC.org. Setting a DMARC policy of "reject" gives agencies the "strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery," according to the US Department of Homeland Security.


How Public-Sector Officials Can Enhance Email Security

There are several reasons why state and local government adoption of DMARC may be low, especially compared to the federal government

In fact, state and local government CIOs and CISOs are unaware of the dangers presented by email and how easy it is to spoof emails. They believe that their emails are secure, but this is impossible until domains are authenticated.

Another reason for low adoption is the risk of blocking "good" emails in order to prevent "bad" ones from getting through.

DMARC assists organizations in avoiding email attacks and malicious actors from impersonating official domains. As a result, “people now trust your emails,” This is especially essential for government organizations that rely on residents and businesses to trust their communications in order to respond to notifications and file tax returns, for example.

Agency IT leaders can work with a number of suppliers to see if their domains are DMARC-compliant and how much of their email traffic is fraudulent. This then aids IT executives in deciding which domains need to be secured and locked down first. Those are usually the ones that deal with personally identifiable information.

Once DMARC is activated, it instructs any gateway, anywhere in the world, to send a report to the domain owner or anyone the domain owner authorizes. Such reports then show what is going on with the domain, such as if valid emails are getting through or whether malicious emails are being blocked.


Published by Pintu Bhatt

Comment here...

Login / Sign up for adding comments.