Parliament increasing its security posture – rolls out DMARC
- A change in email authentication is coming to Australia’s federal parliament
- It’s intended to restrict the ability of spammers and malware authors to successfully send emails on behalf of the aph.gov.au domain.
- It will force some legitimate users to adopt different email domains
As reported in IT News and other sites, the Australian federal parliament is about to clamp down on the unauthorised and near-unauthorised use of its aph.gov.au domain.
As President of the Senate Slade Brockman explained in Senate estimates hearings, DMARC will be introduced in early December to protect the email domain by “blocking emails generated by third-party distribution services”.
“These security changes mean that, from December 6 2021, emails generated by third parties using aph.gov.au address(es) will not be delivered,” Brockman said.
What does that mean and how does DMARC work?
The network security activity is being undertaken to prevent scammers and nation state interests alike from being able to fool users into thinking that an email they’ve received is genuinely from someone on the inside of the aph.gov.au domain. False credibility is the primary tactic used at the front end of many cyberattacks.
Domain-based Message Authentication, Reporting, and Conformance, or DMARC, is a technical specification that protects email senders and receivers from spam, spoofing, and phishing. DMARC allows an organization to establish an authentication policy that receiving mail servers should follow. When an email from a particular domain is received, a test is run behind the scenes to verify that it is genuine. If the email fails the test, the published policy serves as a guideline for determining what happens to the message.
What are the options for messages that fail validation?
The DMARC specification provides three choices for domain owners to use to specify their preferred treatment of mail that fails DMARC validation checks. They are:
- none: This setting is disabled by default. When enabled, it causes all mail to be screened according to the message’s DMARC validation status. If you have no settings for this policy, treat the email as if it were sent without any DMARC validation.
- quarantine: accept the email but do not place it in the recipient’s inbox. Usually, it is placed in the spam folder.
- reject: refuse to receive the message
Keep in mind that the domain owner can only request, not force, enforcement of its DMARC record; it’s up to the inbound mail server to determine whether or not to accept the requested policy.
What will this mean for those with malicious intent?
Brockman said DMARC is “critical to preventing cyber criminals impersonating our official site to send phishing emails to constituents and clients”.
That means there will be a higher degree of protection against fake emails, purporting to be from an official in parliament, being sent to recipients both inside and outside the organisation.
What other consequences will it have?
Elected members and their staff who use third-party distribution services have already been told that they will need to create a new email domain to continue sending emails using the same platforms.
This means services like Mailjet and MailChimp won’t be able to act on behalf of aph.gov.au when sending email. The users will have to create a new domain within the .gov.au namespace or outside it to send their emails.
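The receiver-side test and the three policy options described earlier, and the reason mail sent through a third-party platform fails that test, can be seen in the sketch below. It is an added example, not code from this article or from the parliament's systems, and it goes slightly beyond the text by including the alignment modes (aspf, adkim) and the subdomain policy (sp) from the DMARC specification. Assumptions: every domain and the record are constructed, the small suffix set stands in for the Public Suffix List, SPF and DKIM results are supplied rather than computed, and the pct tag is ignored.

```python
# Constructed stand-in for the Public Suffix List, which real receivers consult.
PUBLIC_SUFFIXES = {"example", "gov.example"}

def org_domain(domain):
    """Organizational domain: the registrable name one label below the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    parts = (p.partition("=") for p in txt.split(";") if p.strip())
    tags = {k.strip().lower(): v.strip() for k, _, v in parts}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    if not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_disposition(record, from_domain, spf_domain=None, dkim_domain=None):
    """Return 'pass', or the policy the domain owner requests for a failing message.

    spf_domain / dkim_domain are the domains that already PASSED SPF (envelope
    sender) and DKIM (d= tag); None means that check failed or was absent.
    """
    tags = parse_dmarc(record)
    if (aligned(from_domain, spf_domain, tags.get("aspf", "r"))
            or aligned(from_domain, dkim_domain, tags.get("adkim", "r"))):
        return "pass"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]

# Constructed record and messages (not the real aph.gov.au configuration).
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@agency.gov.example"

if __name__ == "__main__":
    # Sent by the domain's own mail server: SPF passes for an aligned domain.
    print(dmarc_disposition(RECORD, "agency.gov.example", spf_domain="mail.agency.gov.example"))
    # Sent through a bulk-mail platform: SPF and DKIM pass, but for the platform's domains.
    print(dmarc_disposition(RECORD, "agency.gov.example",
                            spf_domain="bounce.bulkmail.example", dkim_domain="bulkmail.example"))
```

The second message is authenticated, but only as the platform's own domain, so nothing aligns with the From address and the published policy applies. Sending from a separate domain that the platform is set up to sign for restores alignment.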
How will security be better?
“Email is the single most vulnerable pathway to compromise IT systems, and a compromise to the parliament network has significant ramifications for the […] Commonwealth,” Brockman added. Strengthening the security posture of the APH email system will reduce the risk of compromise.
What does DMARC mean for your organisation?
If you run a business that sends commercial or transactional email, you’ll need to use one or more forms of email authentication to ensure that the message is from you and not a spammer. DMARC configuration is crucial for receiving servers to figure out how to evaluate messages claiming to come from your domain, and it’s one of the most essential steps you can take to boost your delivery.
Final note: Computer One has many tools to combat cybercrime, from reducing the amount of time your staff have to wade through illegitimate emails through to finding and ejecting an attacker that has already made it past your network defences.
Let’s talk about how we can support you.