Email Security

    Why Government Organizations Need DMARC

    Cybercriminals often spoof government email addresses. Enforcing DMARC can help governments protect citizens—and workers—from malicious email impersonation attempts.

    by Megan Doyle

    Key Points

    • Governments increasingly rely on email to communicate with citizens, but many government organizations still lack effective anti-spoofing measures.
    • Adopting DMARC can help prevent bad actors from impersonating government organizations in phishing email attacks that target citizens or government employees.
    • In addition to preventing cyberattacks, DMARC can also help safeguard trust in government communications.


    Governments increasingly communicate with citizens through email, and people must be able to trust government communications. But many government organizations have been slow to adopt anti-spoofing measures such as Domain-based Message Authentication, Reporting, and Conformance (DMARC), creating risks for their citizens—and for their own cybersecurity.

    DMARC is an open-source protocol that helps governments (and businesses) prevent criminals from spoofing their internet domains in phishing emails. By adding a DMARC record to their domain information, government organizations can make sure that only legitimate entities are sending information on their behalf.

    Cybercriminals Exploit Email Vulnerabilities

    Governments are seen as highly credible and vital resources. But with email’s openness and ease of use comes an inherent flaw: anyone can send an email that appears to be from any domain. Bad actors exploit that flaw to take advantage of the trust people have in their government—especially during times when citizens are on the lookout for authoritative information, such as tax season, near elections, or uncertain times like the COVID-19 pandemic.

    Criminals may spoof government organizations to:

    • Steal personal information from citizens and government employees
    • Conduct fraud
    • Deploy malware and ransomware
    • Influence elections or cast doubt on government authority

    How DMARC Helps Prevent Email Spoofing

    DMARC is an email authentication and reporting protocol that allows a government organization to achieve two key things. It can collect information on who is using its domains to send emails. And it can set a DMARC policy to protect the use of its domain. The DMARC policy tells other organizations’ email systems what to do when they receive fake emails that spoof the government’s domain: whether to report them but otherwise do nothing, move them to a spam folder, or reject them altogether.[1]

    When properly implemented, a DMARC reject policy can be highly effective at stopping phishing emails. For example, the U.K. Revenue & Customs department protected citizens from identity theft and fraud by stopping 300 million phishing attempts in 2016.[2]

    Some Governments Take Action

    Several countries have made DMARC implementation mandatory or recommended for national government organizations, including:

    • U.S. Binding Operational Directive 18-01. Published in 2017, this mandated that all federal government domains establish a DMARC reject policy within a year.[3]
    • The U.K. Government Digital Service (GDS) security guidelines. These guidelines were updated in 2016 to ensure all UK government domains publish a DMARC policy and set it to reject.[4]
    • Australia’s Malicious Email Mitigation Strategies. Includes guidelines recommending all organizations—federal or otherwise—establish a DMARC policy and set it to reject.[5]
    • The Netherlands’ Standardization Forum mandated that Dutch government organizations implement a DMARC reject policy by the end of 2019.[6]

    However, much of the public sector still lags behind—including local government organizations in many countries. According to a recent Mimecast global survey, 64% of public-sector organizations have not yet begun using DMARC.

    Many Local Governments Remain Vulnerable

    In the U.S., only a minority of government domains are federal domains, which are mandated to enforce a DMARC policy. Out of 6,154 U.S. government domains, 1,254 are federal government domains; the other 4,900 domains include state, city and other local government organizations.[7] This leaves widespread opportunity for bad actors to pose as those local government organizations in order to send phishing emails to unsuspecting citizens who may be:

    • Searching for healthcare insurance
    • Seeking state tax assistance
    • Looking to pay municipal utility bills
    • Trying to receive unemployment insurance benefits
    • Registering to vote
    • Renewing a driver’s license

    But government workers, from contractors to elected officials, can also be duped into opening emails that appear to be urgent messages sent from real government colleagues.[8] Verizon’s 2019 Data Breach Investigations Report found cyber espionage to be rampant in the public sector, potentially compromising troves of sensitive government data.[9] These attacks can be costly to remediate while damaging the government’s reputation.

    Steps to Implementing a DMARC Reject Policy

    Generally, organizations don’t implement a DMARC reject policy overnight. DMARC is designed to be introduced gradually, beginning with a “reporting-only” policy to help each organization discover every entity sending email on its behalf, legitimate or otherwise. Once an organization is certain it has identified all legitimate senders, it can move towards a policy that rejects all illegitimate senders. Without this gradual implementation, organizations risk having their legitimate emails blacklisted—which can be harmful for governments trying to get legitimate important information out to citizens and workers.
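
    The gradual rollout described above, as an added example that is not part of the original article: a small Python auditor that parses a DMARC TXT record and reports which stage of the rollout a domain has reached. The sample records and the agency.example domain are constructed, and the stage names are labels chosen for this example.

```python
# Added example: audit DMARC TXT records against the staged rollout.
# Tag names (v, p, sp, pct, rua) are DMARC's own; domains are constructed.
POLICIES = ("none", "quarantine", "reject")  # weakest to strongest

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict with defaults applied."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags.setdefault(name.strip().lower(), value.strip())
    tags["p"] = tags.get("p", "").lower()
    tags["sp"] = tags.get("sp", tags["p"]).lower()  # subdomains inherit p
    if tags["p"] not in POLICIES or tags["sp"] not in POLICIES:
        raise ValueError("missing or invalid p=/sp= policy")
    tags["pct"] = int(tags.get("pct", "100"))  # default: policy covers all mail
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct must be 0-100")
    tags["rua"] = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return tags

def rollout_stage(txt):
    """Return (stage, warnings) for one record."""
    t = parse_dmarc(txt)
    warnings = []
    if not t["rua"]:
        warnings.append("no rua=: no aggregate reports to discover senders")
    if POLICIES.index(t["sp"]) < POLICIES.index(t["p"]):
        warnings.append(f"sp={t['sp']} leaves subdomains weaker than p={t['p']}")
    if t["p"] == "none":
        return "reporting-only", warnings
    if t["p"] == "reject" and t["pct"] == 100:
        return "reject", warnings
    return "partial-enforcement", warnings  # quarantine, or reject with pct<100

SAMPLES = {  # constructed records, one per rollout step plus a weak variant
    "stage 1": "v=DMARC1; p=none; rua=mailto:dmarc-reports@agency.example",
    "stage 2": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@agency.example",
    "stage 3": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@agency.example",
    "weak": "v=DMARC1; p=reject; sp=none",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, rollout_stage(record))
```

    The "weak" record shows why the policy tag alone is not enough to audit: it reaches reject for the main domain yet leaves subdomains spoofable and collects no reports.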

    In other words, the sooner governments start using DMARC, the sooner they’ll be able to stop bad actors from sending malicious spoofed emails. This can help governments minimize spam, protect users, and ultimately uphold their reputations as trusted sources.[10]

    The Bottom Line

    Email is an extremely powerful tool for helping governments communicate with their citizens. A strong DMARC policy is an effective anti-spoofing measure that helps ensure all emails sent on a government organization’s behalf are legitimate—solving one key piece of the giant cybersecurity puzzle.


    [1] “Domain-Based Message Authentication, Reporting and Conformance,” DHS CISA Cyber Infrastructure

    [2] “Combating phishing – a (very) big milestone,” HMRC digital blog

    [3] “Binding Operational Directive 18-01,” Department of Homeland Security

    [4] “Updating our security guidelines for digital services,” GOV.UK Blog

    [5] “Malicious Email Mitigation Strategies,” Australian Cyber Centre



    [8] “Domain-Based Message Authentication, Reporting and Conformance,” DHS CISA Cyber Infrastructure

    [9] 2019 Data Breach Investigations Report, Verizon

    [10] “Binding Operational Directive 18-01,” Department of Homeland Security

