New Email Security Requirements
What local governments should know
Just this week, the city of Atlanta experienced a ransomware attack, disrupting some of the city’s customer-facing applications. This is a reminder that local governments and small businesses should all take cybersecurity seriously. The U.S. government has taken steps toward safer federal websites and email protocols, steps that would also benefit state and local governments and business owners.
In October 2017, the U.S. Department of Homeland Security issued new requirements for all government agency domains – BOD 18-01, “Enhance Email and Web Security”. As of January 15, 2018, government agency domains are required to have Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records in place. These tools help eliminate email impersonation, reducing phishing scams and fraud.
What is Sender Policy Framework?
Sender Policy Framework (SPF) tells receiving mail servers which servers are allowed to send email on behalf of the specified domain. DomainKeys Identified Mail (DKIM) is a signature that verifies the sending email server; think of it as a watermark for email. In theory, using SPF and DKIM together means that anything sent from an unlisted server can more easily be blocked or marked as spam. SPF-protected email is a less appealing target for phishers, but there is no guarantee that some spoofed emails won’t still slip through the cracks.
What is Domain-based Message Authentication, Reporting, and Conformance?
Domain-based Message Authentication, Reporting, and Conformance, widely known as DMARC, builds on SPF and DKIM. When a message fails those checks, DMARC tells the receiving server what should be done with it. Senders and receivers can then work together to report and confirm spoofed emails.
People assume the government is sending legitimate information, which makes government domains the perfect target for phishing scams. Government officials and security leaders are responsible for understanding and implementing these security measures.
Securing your email
Implementing SPF and DMARC doesn’t have to be costly. As a matter of fact, if you have email with CourseVector, both SPF and DKIM are already used.
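To show what the SPF and DMARC records described above look like and how to tell a monitoring-only setup from an enforcing one, here is an added example (not CourseVector’s code or from the original post). It parses the two TXT records and lists the weaknesses a domain owner should fix; the records and the domain names in them are constructed samples, not real lookups.

```python
# Added example: parse SPF and DMARC TXT records and report weaknesses.
# All records and domains below are constructed samples, not real lookups.

def parse_spf(txt):
    """Return (mechanisms, all_qualifier) for a v=spf1 record, else None."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in parts[1:]:
        qualifier = "+"                  # SPF's default qualifier is "+" (pass)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier    # verdict for every unlisted sender
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, all_qualifier

def parse_dmarc(txt):
    """Return the tag=value dict for a v=DMARC1 record, else None."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def assess(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means both records enforce."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append("no SPF record")
    elif spf[1] not in ("-", "~"):       # no -all/~all: unlisted senders pass
        findings.append("SPF lacks -all/~all, so unlisted senders still pass")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        if dmarc.get("p", "none").lower() == "none":
            findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
        if "rua" not in dmarc:           # rua= is where aggregate reports go
            findings.append("no rua= address, so aggregate reports go nowhere")
    return findings

# Constructed records: a weak pair and a hardened pair for a hypothetical domain.
WEAK = ("v=spf1 ip4:203.0.113.0/24 ?all", "v=DMARC1; p=none")
STRONG = ("v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
          "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov; pct=100")

if __name__ == "__main__":
    for name, (spf, dmarc) in (("weak", WEAK), ("strong", STRONG)):
        print(name, assess(spf, dmarc) or ["enforcing"])
```

Pointing `parse_spf` and `parse_dmarc` at the TXT records returned by a real DNS lookup for your own domain turns this into a quick self-check.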
Remember that these are not foolproof measures. Hackers can still gain access to a legitimate government mailbox and send from an authorized sender. Strong passwords help limit access to the inbox.
Finally, local government and businesses should have policies in place to ensure user security, educate staff, and foster an overall culture of security in the office. Any and all suspicious activity should be reported to IT immediately. If CourseVector hosts your emails, please feel free to reach out to us if you have any questions or concerns.
For an overview of the Department of Homeland Security’s Binding Operational Directive 18-01, “Enhance Email and Web Security” requirements, review the checklist.