Government Digital Service (GDS), part of the United Kingdom’s Cabinet Office, is requiring that other government departments adopt DMARC and HTTPS/HSTS to protect their online services by October 1st, 2016. This includes making the strongest DMARC policy (“p=reject”) the default for email services at that time. This will apply to all services operating under the service.gov.uk domain, according to this announcement published Tuesday. GDS strongly recommends the use of DMARC for all email, but this marks the first time it has been made mandatory – and may be the first step in requiring it for all UK government email.
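The mandate above is about the published DMARC record, so a department can check its own domains against it before the deadline. The following is an added example written for this article, not GDS or HMRC code; the domain names and TXT records are constructed and it parses record strings rather than querying DNS, so it runs offline.

```python
# Constructed sample DMARC TXT records (not real service.gov.uk DNS data).
SAMPLE_RECORDS = {
    "compliant.example.service.gov.uk": "v=DMARC1; p=reject; rua=mailto:dmarc@example.service.gov.uk",
    "monitor-only.example.service.gov.uk": "v=DMARC1; p=none; rua=mailto:dmarc@example.service.gov.uk",
    "partial.example.service.gov.uk": "v=DMARC1; p=reject; pct=50",
    "weak-sub.example.service.gov.uk": "v=DMARC1; p=reject; sp=none",
    "malformed.example.service.gov.uk": "p=reject; v=DMARC1",
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tag -> value.
    Returns None when the record is not valid: RFC 7489 requires
    'v=DMARC1' as the first tag and a 'p' tag to be present."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    first = record.split(";", 1)[0].replace(" ", "")
    if first != "v=DMARC1" or "p" not in tags:
        return None
    return tags


def meets_reject_mandate(record):
    """Return (ok, reason). ok is True only when the effective policy for
    the domain and its subdomains is 'reject' applied to 100% of mail."""
    tags = parse_dmarc(record)
    if tags is None:
        return False, "not a valid DMARC record"
    if tags["p"].lower() != "reject":
        return False, "p=%s (domain policy is not reject)" % tags["p"]
    sp = tags.get("sp", tags["p"]).lower()  # sp inherits p when absent
    if sp != "reject":
        return False, "sp=%s (subdomain policy weaker than reject)" % sp
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) != 100:
        return False, "pct=%s (policy not applied to all mail)" % pct
    return True, "p=reject, sp=reject, pct=100"


def audit(records):
    """Evaluate every domain -> record pair; returns domain -> (ok, reason)."""
    return {domain: meets_reject_mandate(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, (ok, reason) in audit(SAMPLE_RECORDS).items():
        print("%-40s %s  %s" % (domain, "PASS" if ok else "FAIL", reason))
```

Of the five constructed records only the first passes: a monitoring policy, a partial pct, a weaker subdomain policy and a record with the version tag out of order all fail the p=reject requirement.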
DMARC.org executive director Steven M. Jones met with representatives from GDS in April. “The people I met with [at GDS] understand the importance of both taking measures to protect the online services government provides, and of letting their citizens see and have confidence that they have done so. They’re dedicated professionals who will help other departments improve the security of their operations, and I think they benefit from the on-going work being done at Her Majesty’s Revenue and Customs (HMRC).”
HMRC, often compared to the US Internal Revenue Service, has embraced and promoted the use of email authentication for several years. HMRC’s head of cyber security, Ed Tucker, has spoken at many events on the benefits and challenges of deploying technologies like DKIM, SPF and DMARC – while being the most phished organization in the UK. Mr. Tucker has said that these protocols “represent the cornerstone of technical controls that senders can implement today to rebuild trust and retake the email channel.”