In Dr. Ian Levy's recent blog about Active Cyber Defence, he set out the NCSC's ambition to "make email mean something again".
The first objective of this campaign to improve confidence in the authenticity of emails is to tackle the abuse of UK public sector domains in phishing campaigns. When a citizen receives an email from a public sector domain, such as one ending in .gov.uk or .police.uk, we want them to be confident that it is authentic.
This won't be an easy thing to do. But by applying anti-spoofing mitigations across all UK public sector domain names, we will make it much harder for criminals to spoof them.
Phishing attacks routinely abuse public sector domains to trick victims into clicking a link within an email (or opening an attachment) that results in their device being attacked. Often these phishing emails 'spoof' the sender's address so they appear to originate from a public sector organisation with a well-known and trustworthy brand (such as hmrc.gov.uk). However, there are simple mitigations that public sector domain owners can put in place to make spoofing much harder.
For example, by setting DMARC, SPF, and DKIM records in DNS, it's possible to tell email service providers which servers on the Internet should be legitimately sending email from your domain, and what action to take with mail received from any others:
- Sender Policy Framework (SPF) is used to specify legitimate locations of servers which can send email for your domain
- DomainKeys Identified Mail (DKIM) isn't supported by all mail servers, but if it is, it can be used to cryptographically sign outgoing mail sent by your servers to give email service providers further confidence that it's legitimate
- Domain-based Message Authentication, Reporting and Conformance (DMARC) is used to inform email service providers what action they should take if SPF or DKIM validation fails, and where to send reports about the mail they have seen
One important aspect of DMARC is the action you ask email service providers to take when SPF or DKIM validation fails:
- a policy of p=none means that they should allow non-compliant emails to be delivered but report the failure to you
- a policy of p=quarantine requests that they mark the email as spam
- a policy of p=reject asks the email service provider not to deliver the email at all
Most organisations start with a policy of p=none, then work their way up to p=reject as they gain confidence in the accuracy of their configuration.
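To make the three records and the policy ladder concrete, here is an added worked example (written for this post; it is not NCSC, GDS or HMRC code). It parses constructed sample SPF and DMARC records for a hypothetical domain, example-dept.gov.uk, and then applies the DMARC policy to a message's SPF and DKIM results the way a receiving mail provider would. The relaxed-alignment check is a simplification (same domain or a subdomain of it) standing in for the organisational-domain comparison DMARC specifies, and all domain names, IP ranges and the reporting address are placeholders.

```python
# Constructed sample records for the hypothetical domain example-dept.gov.uk.
# None of these values are real DNS data.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all"
DMARC_RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc-rua@dmarc.service.gov.uk; "
                "adkim=r; aspf=r")

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record (DMARC/DKIM style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(record: str) -> str:
    """Return the requested policy (none / quarantine / reject) from a DMARC record."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: missing v=DMARC1 or p= tag")
    policy = tags["p"].lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"unknown DMARC policy {policy!r}")
    return policy


def spf_summary(record: str) -> tuple:
    """Return (mechanisms, qualifier on 'all') from an SPF record.

    The qualifier on 'all' ('-' hard fail, '~' soft fail, '?' neutral, '+' pass)
    decides what happens to mail from a server the record does not list.
    With no 'all' term, SPF yields neutral, so '?' is returned."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")

    def is_all(term: str) -> bool:
        return term.lstrip("+-~?").lower() == "all"

    mechanisms = [t for t in terms[1:] if not is_all(t)]
    all_term = next((t for t in terms[1:] if is_all(t)), None)
    if all_term is None:
        return mechanisms, "?"
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    return mechanisms, qualifier


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment between the visible From domain and the
    domain that SPF or DKIM authenticated.

    Strict ('s') requires an exact match. Relaxed ('r') is approximated here as
    'the same domain, or one is a subdomain of the other'; real DMARC compares
    organisational domains using the public suffix list."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain == auth_domain
    return (from_domain == auth_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def dmarc_disposition(record: str, from_domain: str,
                      spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> str:
    """Apply the DMARC record's policy to one message's authentication results.

    spf_result / dkim_result are 'pass', 'fail' or 'none'; the *_domain values
    are the domains those checks authenticated (MAIL FROM for SPF, d= for DKIM).
    Returns 'deliver', 'quarantine' or 'reject'."""
    tags = parse_tags(record)
    policy = dmarc_policy(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"  # DMARC pass: at least one aligned identifier passed
    # DMARC fail: p=none only reports, the other policies act on the message
    return "deliver" if policy == "none" else policy


if __name__ == "__main__":
    print("SPF:", spf_summary(SPF_RECORD))
    print("DMARC policy:", dmarc_policy(DMARC_RECORD))
    # A spoofed message claiming to be From example-dept.gov.uk, relayed by a
    # server the SPF record does not list and carrying no DKIM signature.
    print("Spoofed message:", dmarc_disposition(
        DMARC_RECORD, "example-dept.gov.uk",
        "fail", "unlisted-host.example", "none", ""))
```

The spoofed message in the `__main__` block is rejected under `p=reject`; swapping the record's policy to `p=none` lets the same message through while the failure is reported to the `rua` address, which is exactly the difference the post describes when it says organisations start at `p=none` and work up.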
Adoption in the public sector so far
At the moment, these mitigations are only used across fewer than 5% of public sector domains. But we're on a mission to change that. Earlier this year, we worked with GDS to produce a standard for securing government email that was endorsed by the Technology Leaders Network. Adopting this standard will help public sector organisations create sensible DNS records to implement these protocols.
There have also been some great success stories from several organisations that are already adopting these protocols. In the summer, GDS updated their guidance to digital service managers to include the need for DMARC to be implemented. And last week HMRC set their DMARC policy on hmrc.gov.uk to p=reject. If an organisation with the scale, complexity and delivery requirements of HMRC can get to p=reject, then we believe that any other public sector organisation should be able to. We look forward to many more organisations following their lead.
Our centralised analysis service
The email security guidance asks public sector organisations to send a copy of their DMARC reports to dmarc.service.gov.uk. We're using these reports to track the public sector's effectiveness at stopping phishing of our brands, and to make sure we identify prolific abuse that spans the domains of multiple organisations.
As of today, dmarc.service.gov.uk is receiving DMARC reports for over 100 .gov.uk domains, and more are coming on board every week. The service has helped us notify departments of phishing campaigns or misconfigurations on their domains. The first large phishing campaign we identified was being spoofed from firstname.lastname@example.org. Working with GDS, we first set a DMARC record with a policy of p=none, which let us identify the phishing campaign; moving to p=reject then prevented the emails from being delivered to the intended victims. The email@example.com campaign stopped shortly afterwards, presumably because it was no longer succeeding.
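The reports the centralised service receives are DMARC aggregate (rua) reports, XML documents in which each reporting mail provider lists, per sending IP address, how many messages it saw and whether they passed SPF and DKIM. The following added example (not code from dmarc.service.gov.uk or GDS) parses a constructed sample report for the hypothetical domain example-dept.gov.uk and picks out the sources whose mail failed DMARC, which is how a sudden high-volume campaign from an unlisted server stands out even while the domain is still at p=none. The report contents, IP addresses and reporter name are all made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report in the layout reporting providers use
# (RFC 7489 appendix C). Every value here is invented for the example.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>mailprovider.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1478217600</begin><end>1478303999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example-dept.gov.uk</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example-dept.gov.uk</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.25</source_ip>
      <count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example-dept.gov.uk</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip>
      <count>4300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example-dept.gov.uk</header_from></identifiers>
  </record>
</feedback>
"""


def summarise_report(xml_text: str) -> dict:
    """Reduce one aggregate report to the published policy and a per-source list.

    In policy_evaluated, <dkim> and <spf> are the aligned DMARC results, so a
    source passes DMARC when either of them is 'pass'."""
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "published_policy": root.findtext("policy_published/p"),
        "sources": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        dkim = evaluated.findtext("dkim")
        spf = evaluated.findtext("spf")
        summary["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": dkim,
            "spf": spf,
            "dmarc_pass": dkim == "pass" or spf == "pass",
            "disposition": evaluated.findtext("disposition"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return summary


def failing_sources(summary: dict, min_count: int = 1) -> list:
    """Sources that failed DMARC, largest volume first, as (ip, count) pairs."""
    failing = [(s["ip"], s["count"]) for s in summary["sources"]
               if not s["dmarc_pass"] and s["count"] >= min_count]
    return sorted(failing, key=lambda pair: -pair[1])


def pass_rate(summary: dict) -> float:
    """Fraction of reported messages that passed DMARC (0.0 when the report is empty)."""
    total = sum(s["count"] for s in summary["sources"])
    passed = sum(s["count"] for s in summary["sources"] if s["dmarc_pass"])
    return passed / total if total else 0.0


if __name__ == "__main__":
    report = summarise_report(SAMPLE_REPORT)
    print(f"{report['reporter']} reported on {report['domain']} "
          f"(published policy p={report['published_policy']})")
    print(f"DMARC pass rate: {pass_rate(report):.1%}")
    for ip, count in failing_sources(report):
        print(f"  failing source {ip}: {count} messages")
```

In the sample, the domain owner's two genuine sources pass (one via SPF alone, a hint that DKIM signing is incomplete there), while the third source sends far more mail than the legitimate ones combined and fails both checks. Because the published policy is p=none the provider delivered all of it; the report is what makes the problem visible, and the fix is the move to p=reject described above.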
If you look after a public sector domain, such as one ending in .gov.uk, .nhs.uk or .police.uk, then we would encourage you to follow the guidance on securing government email and configure your DMARC records. We've also worked with GDS on a great tool to help you verify your compliance with the standard, called domaininformation.service.gov.uk. If you are responsible for public sector domains you can request an account.
If you work in the public sector and need advice on configuring your DMARC records then please get in touch with us at firstname.lastname@example.org.
Chief Architect, NCSC