The NCSC's Mail Check service helps public sector email administrators improve and maintain the security of their email domains by preventing spoof email.
In this blog I want to update you with a few facts and figures on the progress we've made protecting public sector email.
I also want to mention a few upcoming features and give a brief plug for the service as a helping hand for public sector bodies looking to comply with the Minimum Cyber Security Standard.
Central Government roll-out
Mail Check works by assessing an email domain's DNS and mail server configuration and providing guidance on the implementation of various email security protocols, most notably Domain-based Message Authentication, Reporting and Conformance (DMARC).
Since earlier this year, Mail Check has been available to the public sector, but in these early stages we've had a particular focus on central government. The service helps users get a clear picture of how secure their email configuration is at the moment, but perhaps more importantly, we've also been showing how organisations can improve and maintain their security posture.
Security in numbers
It's worth noting that we can actually show Mail Check making a difference, helping government departments achieve a more secure DMARC configuration.
The diagram below shows the situation before and after Mail Check. Less blue is better.
Source: DMARC policies for a subset of .gov.uk domains.
The charts above show that gov.uk domains using Mail Check are much more likely to reach a DMARC policy of 'reject' or 'quarantine' (blocking). One of these two is required to protect recipients from spoofed email that claims to come from those domains; a policy of 'none' only reports on spoofing, it does not stop it.
Mail Check adoption
Though we can demonstrate positive results from the use of Mail Check, there are still plenty of other public sector bodies to be brought on board.
Since February 2018:
User numbers have grown from 17 to just under 1000, with more coming on board each day
89% of central government departments are now using Mail Check
77% of these have implemented at least a basic DMARC policy
Whilst we've prioritised central government thus far, we'll be expanding our focus to better support local government too in the coming months.
DMARC - You've got to have standards
Recently, the government released the Minimum Cyber Security Standard. This details expected standards for cyber security in government departments. The document talks of outcomes, such as 'taking steps to detect common cyber attacks' and for government, achievement of these outcomes is expected.
One of the standards covered is DMARC, and here comes my plug: Mail Check will simplify adoption and tuning of this important standard.
Get started in just one step
It's simple and risk-free to get started with DMARC. A DMARC policy of 'none' is used purely for monitoring: it makes no changes to email flow, but the aggregate reports it generates give domain owners the information needed to adjust their SPF and DKIM configurations until all legitimate mail senders are properly authenticated. At this point you can begin tightening your policy, first to 'quarantine' and then to 'reject', to improve deliverability of genuine email whilst stopping spoofed email reaching end users.
Implementing DMARC on your non-email-sending domains - such as legacy domains or those you have defensively registered - is of equal importance, and should be carried out in parallel with the implementation on your email-sending domains. Just because you know that you don't send email from those domains doesn't mean that an attacker won't, or that the 'victims' who receive it will know the difference.
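The two steps above (start at 'none', tune, then move to a blocking policy; and lock down domains that never send mail) can be checked mechanically. The following is an added example, not code from the NCSC post or from Mail Check itself: it parses DMARC TXT records, classifies each the way the post does (p=none is monitoring only; p=quarantine or p=reject is what actually blocks spoofed mail), flags the tuning gaps an administrator would want to close, and emits the records for a non-sending domain. The sample records and domain names are constructed placeholders.

```python
"""Added example (not from the NCSC post or Mail Check): classify DMARC
records and generate records for a non-sending domain. Samples below are
constructed; the domains and report addresses are placeholders."""
from __future__ import annotations

# Policies that actually stop spoofed mail reaching recipients.
BLOCKING = {"quarantine", "reject"}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag -> value pairs.

    RFC 7489 requires v=DMARC1 as the first tag and a p= tag; anything else
    is rejected outright rather than silently treated as 'monitoring'.
    """
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("not a DMARC record: first tag must be v=DMARC1")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    return tags


def assess(record: str) -> tuple[str, list[str]]:
    """Return ('monitoring' | 'partial' | 'blocking', notes) for one record.

    The notes are the gaps an administrator would tune before relying on the
    policy: a pct= below 100, an sp= that leaves subdomains open, or no rua=
    address to receive the aggregate reports that reveal unauthenticated senders.
    """
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()  # sp= defaults to the p= value
    pct = int(tags.get("pct", "100"))            # pct= defaults to 100
    notes: list[str] = []
    if policy == "none":
        status = "monitoring"
        notes.append("p=none only reports; spoofed mail is still delivered")
    elif policy in BLOCKING:
        status = "blocking" if pct == 100 else "partial"
        if pct < 100:
            notes.append(f"pct={pct}: only {pct}% of failing mail receives p={policy}")
    else:
        raise ValueError(f"unknown policy p={policy}")
    if policy in BLOCKING and sub_policy == "none":
        notes.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        notes.append("no rua=: aggregate reports are needed to find unauthenticated senders")
    return status, notes


def non_sending_domain_records(domain: str, report_addr: str) -> dict[str, str]:
    """DNS TXT records for a domain that never sends mail (legacy or
    defensively registered): SPF authorises no sender, DMARC rejects everything
    including subdomains, and a wildcard DKIM record with an empty key
    (the common recommendation for such domains) ensures no signature verifies.
    """
    return {
        domain: "v=spf1 -all",
        f"_dmarc.{domain}": f"v=DMARC1; p=reject; sp=reject; rua=mailto:{report_addr}",
        f"*._domainkey.{domain}": "v=DKIM1; p=",
    }


# Constructed sample records walking through the stages in the post.
SAMPLES = {
    "step1.example.gov.uk": "v=DMARC1; p=none; rua=mailto:dmarc@example.gov.uk",
    "tuning.example.gov.uk": "v=DMARC1; p=quarantine; pct=50; sp=none; rua=mailto:dmarc@example.gov.uk",
    "done.example.gov.uk": "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov.uk",
    "broken.example.gov.uk": "v=spf1 -all",  # an SPF record mistakenly published at _dmarc
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        try:
            status, notes = assess(record)
        except ValueError as exc:
            status, notes = "invalid", [str(exc)]
        print(f"{domain}: {status}")
        for note in notes:
            print(f"   - {note}")
    for name, value in non_sending_domain_records("old-brand.example.gov.uk", "dmarc@example.gov.uk").items():
        print(f'{name} TXT "{value}"')
```

In practice you would feed `assess()` the record returned by a TXT lookup of `_dmarc.<domain>`; the parser deliberately refuses anything that is not a well-formed DMARC record, because a typo at that name leaves the domain with no policy at all rather than a weak one.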
Sign up here
Mail Check's original focus was the DMARC protocol, but we've been busy extending the functionality of the service, introducing DKIM analysis, and testing email server configuration for Transport Layer Security (TLS). And there are more features in the pipeline following our ongoing user research.
If you have a public-sector email address you can sign up for an NCSC account and access the service.
If you do not have an email address accepted by the service but believe you should have access, get in touch with us at firstname.lastname@example.org
For further information on Mail Check and DMARC, check out our video below.
Head of Rollout, Mail Check