Today we’ve added new guidance to our website, advising on two aspects of email security: the protection of email traffic as it passes between servers and anti-spoofing controls.
The guidance is intended to help IT teams verify that appropriate email security controls are in place and correctly configured on their domains. The guidance comes in two parts, the first giving top level recommendations and the second, technical implementation advice for administrators.
Lessons from the public sector
Email spoofing is a technique used by criminals in support of phishing campaigns or more targeted attempts to breach an organisation. The adversary’s aim in sending a spoofed email is normally to trick a user into visiting a website where they divulge information, or into infecting their device with malware.
In the UK public sector we’ve been working hard to implement anti-spoofing controls on our domains. Many other organisations have followed in the footsteps of HMRC in adopting controls like SPF, DKIM and DMARC, and as a result it’s getting more difficult to spoof an email from their domains. We’ve still got a long way to go to implement these controls on all of our domains. It’s likely to be months if not years before I’m fully satisfied, but it’s great to reference the many good examples from the public sector when talking to colleagues from industry.
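As an added illustration of the kind of check the guidance asks IT teams to make (this is not code from the NCSC or GDS guidance), the script below grades a domain's anti-spoofing posture from its SPF and DMARC TXT records. It works on record strings supplied directly, so it runs offline; the record values in the demo are constructed, and a real check would fetch them from DNS for the domain and its `_dmarc` subdomain. The parser is deliberately minimal: it ignores `redirect=` and treats a missing `all` term as the neutral default.

```python
SPF_QUALIFIERS = "+-~?"

def parse_spf(record):
    """Return the qualifier on the SPF 'all' term ('+', '-', '~' or '?').

    Returns None when the TXT record is not an SPF record at all. Only the
    version tag and the 'all' term are inspected, because 'all' decides how
    a receiver treats mail from senders the record does not list.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in SPF_QUALIFIERS else "+"
        if term.lstrip(SPF_QUALIFIERS).lower() == "all":
            return qualifier
    return "?"  # no 'all' term: default result is neutral (redirect= ignored here)

def parse_dmarc(record):
    """Return the DMARC record as a tag dict, or {} if it is not a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def assess_domain(spf_record, dmarc_record):
    """List the weaknesses that would let a spoofed email from this domain through."""
    issues = []
    spf_all = parse_spf(spf_record)
    if spf_all is None:
        issues.append("no valid SPF record")
    elif spf_all in "+?":  # pass or neutral for any sender: no protection
        issues.append("SPF '%sall' lets unlisted senders pass" % spf_all)
    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "").lower()
    if not dmarc:
        issues.append("no valid DMARC record")
    elif policy not in ("quarantine", "reject"):
        issues.append("DMARC policy '%s' does not block spoofed mail" % (policy or "missing"))
    if dmarc and "rua" not in dmarc:
        issues.append("DMARC has no rua= address, so no aggregate reports will arrive")
    return {"spf_all": spf_all, "dmarc_policy": policy, "issues": issues}

if __name__ == "__main__":
    # Constructed records for a hypothetical domain, not real DNS data.
    print(assess_domain("v=spf1 include:_spf.example.com -all",
                        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
    print(assess_domain("v=spf1 a mx +all", "v=DMARC1; p=none"))
```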
As well as implementing anti-spoofing controls, the public sector has increased its support for TLS on its email servers. The vast majority of public sector email servers now support receiving email over TLS, and we’ll be helping the organisations responsible for those that don’t to put that right.
Let us know what you think
The advice we are publishing today is derived from some of the lessons we’ve learned in the public sector. Our friends at the Government Digital Service have helped us distil this into something that should be useful for many other sectors. We want to keep this guidance current and accurate, and as part of that we’re keen to learn from your experience too. So, if you have any feedback, please comment below or get in touch.
Source: National Cyber Security Centre