Govt agencies lagging on adoption of key email defence against cyber attacks
New Zealand Government domains are the least likely in Australasia to be protected from email-borne cyber attacks like spoofs and phishing scams, according to email security specialist SMX.
The company’s latest study looking at DMARC (Domain-based Message Authentication, Reporting and Conformance) uptake found that Australia’s Federal agencies are far ahead of their New Zealand counterparts in actively using the authentication technology to quarantine or reject spoofed emails. According to SMX, “90% of cyber attacks emanate from email” and DMARC has emerged as a key defence against them.
Only 33.1% of New Zealand Government agencies have DMARC running in enforcement mode, up from 21.1% in 2022. In contrast, 79% of Australian Federal Government agencies have DMARC in enforcement mode, up from 62.31% in 2022. SMX used publicly available DNS records in May and June 2024 to identify whether DMARC was deployed and whether its published policy put it in reporting or enforcement mode.
New Zealand’s large private companies perform better: nearly two-thirds (64%) of the country’s 100 largest companies by employees have DMARC in enforcement mode, compared with 47.4% of ASX-listed companies.
The difference between the reporting and enforcement modes of the protocol is crucial. In reporting mode (a published policy of p=none), the domain owner asks receiving mail servers to do nothing with messages that fail DMARC authentication except report them. The automatically generated aggregate reports tell IT managers how much mail claiming to come from their domain passed or failed authentication at other organisations’ servers and which sending sources it came from; optional failure reports can also include message headers and sometimes parts of the content. The same flow runs in the other direction: an organisation’s own mail servers, when they evaluate DMARC on inbound mail, send such reports back to the owners of the domains that mail claims to come from.
Enforcement mode (p=quarantine or p=reject) asks receivers to actively quarantine or block emails designed to spoof the legitimate domain. DMARC is a two-way street. While an organisation can protect its employees from falling for bogus emails, deploying DMARC in enforcement mode “protects the people and organisations you do business with, ensuring they continue to trust emails from your domain,” says Jamie Callaghan, SMX’s Chief Security Officer.
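The survey method described above, classifying each domain’s public DNS record as absent, reporting or enforcing, can be reproduced with a short script. The following is an added example written for this page, not SMX’s tooling. The domains and TXT records are constructed and stand in for what a TXT query on `_dmarc.<domain>` would return (for instance via `dig TXT _dmarc.example.com`); the bucket names and the `classify()` and `survey_buckets()` helpers are this example’s own conventions, not anything from the SMX report.

```python
"""Classify published DMARC records the way an adoption survey does.

Constructed example: SAMPLE_RECORDS stands in for the answers a resolver
would return for a TXT query on _dmarc.<domain>. Domains and addresses
are made up. No network access is needed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ENFORCING_POLICIES = ("quarantine", "reject")


@dataclass
class DmarcStatus:
    domain: str
    mode: str                              # none | invalid | reporting | partial-enforcement | enforcement
    policy: str | None = None              # value of the p= tag
    subdomain_policy: str | None = None    # effective sp= (defaults to p=)
    pct: int = 100
    rua: tuple[str, ...] = ()              # aggregate-report destinations
    notes: list[str] = field(default_factory=list)


def parse_tags(record: str) -> dict[str, str]:
    """Split 'k=v; k=v' into a dict; raise on a tag that has no '='."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify(domain: str, txt_records: list[str]) -> DmarcStatus:
    """Map the TXT records found at _dmarc.<domain> to a survey bucket."""
    # RFC 7489 requires v=DMARC1 as the first tag; anything else is an unrelated TXT record.
    candidates = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not candidates:
        return DmarcStatus(domain, "none", notes=["no DMARC record published"])
    if len(candidates) > 1:
        # RFC 7489 s6.6.3: more than one DMARC record means receivers apply none of them.
        return DmarcStatus(domain, "invalid",
                           notes=["multiple DMARC records; receivers discard all of them"])
    try:
        tags = parse_tags(candidates[0])
    except ValueError as exc:
        return DmarcStatus(domain, "invalid", notes=[str(exc)])

    policy = tags.get("p", "").lower()
    if policy not in ("none",) + ENFORCING_POLICIES:
        return DmarcStatus(domain, "invalid", policy=policy or None,
                           notes=["p= missing or not none/quarantine/reject"])

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100                          # unparseable pct is treated as the default
    pct = max(0, min(pct, 100))            # valid range is 0..100
    rua = tuple(u.strip() for u in tags.get("rua", "").split(",") if u.strip())
    sp = tags.get("sp", policy).lower() or policy

    status = DmarcStatus(domain, "reporting", policy, sp, pct, rua)
    if policy == "none":
        if not rua:
            status.notes.append("p=none with no rua=: nobody receives reports, so no visibility either")
    elif pct < 100:
        status.mode = "partial-enforcement"
        status.notes.append(f"pct={pct}: policy applied to {pct}% of failing mail; the rest gets the next weaker policy")
    else:
        status.mode = "enforcement"
    if policy in ENFORCING_POLICIES and sp == "none":
        status.notes.append("sp=none: subdomains stay spoofable although the organisational domain is enforced")
    return status


def survey_buckets(statuses: list[DmarcStatus]) -> dict[str, int]:
    """Count domains the way the two headline figures do: deployed at all, and enforcing.

    Survey choice (this example's): pct<100 counts as deployed but not enforcing."""
    deployed = sum(s.mode in ("reporting", "partial-enforcement", "enforcement") for s in statuses)
    enforced = sum(s.mode == "enforcement" for s in statuses)
    return {"deployed": deployed, "enforcement": enforced}


# Constructed records; each key stands for the TXT answers at _dmarc.<key>.
SAMPLE_RECORDS: dict[str, list[str]] = {
    "reporting.example": ["v=DMARC1; p=none; rua=mailto:dmarc-rua@reporting.example"],
    "enforcing.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example; ruf=mailto:dmarc@enforcing.example; fo=1"],
    "partial.example":   ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example"],
    "blind.example":     ["v=DMARC1; p=none"],
    "leaky.example":     ["v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@leaky.example"],
    "duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "bare.example":      ["verification-token=constructed-value"],   # unrelated TXT record, no DMARC
}

if __name__ == "__main__":
    results = [classify(d, recs) for d, recs in SAMPLE_RECORDS.items()]
    for s in results:
        print(f"{s.domain:<20} {s.mode:<20} p={s.policy} sp={s.subdomain_policy} pct={s.pct}  {'; '.join(s.notes)}")
    print(survey_buckets(results))
```

Run stand-alone it prints one line per constructed domain and then the two headline counts. The edge cases are the ones a survey has to decide on explicitly: a `pct` below 100 is counted here as deployed but not enforcing, a duplicate record is treated as no policy at all because receivers do the same, and `p=none` without any `rua=` address is flagged because it is the one configuration that gives neither protection nor visibility.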
Slow to move to enforcement
SMX says that DMARC, a protocol that has now been available for around a decade, is the subject of government mandates and industry best-practice advice around the world, yet organisations have been slow to implement it. SMX puts this down to a lack of awareness of DMARC’s benefits to an organisation, and a lack of the skills needed to move to enforcement without disrupting legitimate email flows.
That is starting to change as major tech companies embrace DMARC’s use.
“Since February 2024, new Google mandates have required DMARC deployment from organisations that send over 5,000 daily emails to Gmail accounts,” the SMX DMARC survey notes.
“As of April 2024, Google started rejecting emails from domains without the standard, but it doesn’t require enforcement. This means many businesses are simply deploying DMARC and not moving to enforcement. This serves Google’s purpose of better protecting its users, but it means businesses are missing out on broad benefits. These include reducing the risks of phishing attacks, jumping on spoofed domains, and protecting brand reputations.”
The 2024 SMX DMARC Survey key findings include:
Organisations with DMARC deployed in ‘enforcement’ mode:
33.1% New Zealand Government agencies (21.1% in 2022)
78.88% Australian Federal Government agencies (62.31% in 2022)
64% New Zealand’s 100 largest companies by employees (47% in 2022)
47.43% ASX-listed organisations (44.74% in 2022)
47.64% companies sending to SMX customers (37.83% in 2022)
43.5% SMX customers (34.2% in 2022)
Organisations with DMARC deployed in ‘report only’ mode:
79.9% New Zealand Government agencies (50.5% in 2022)
92.0% Australian Federal Government agencies (74.3% in 2022)
80.0% New Zealand’s 100 largest companies by employees (59.6% in 2022)
59.9% ASX-listed companies (29.5% in 2022)
45.9% companies sending to SMX customers (4.7% in 2022)
32.4% SMX customers (14.2% in 2022)
Jamie Callaghan, SMX’s Chief Security Officer, delves further into the issues surrounding DMARC uptake in this Tech Blog Q&A.
What do you think explains the significant gap between NZ and Australian government departments when it comes to deploying DMARC in enforcement mode?
“Australian Federal Government agencies have had a head start; they clearly identified the risk and decided to educate the Government sector early on the topic. The Australian Signals Directorate (ASD) also issued guidance on DMARC a number of years earlier than New Zealand.
“However, New Zealand’s ISM (Information Security Manual) mandated DMARC enforcement in late 2022, with version 3.6. Enforcement of DMARC policy takes some experience and skill. The Australian approach has been focussed on education and building skills to implement the policy effectively.
“Similarly, it is likely NZ Government set DMARC to ‘recommended’ as opposed to ‘mandate’ in order to have NZ Government and enterprise prepare for the ‘mandated’ status.
“In our most recent DMARC report, Australian Federal agencies were shown as leading adoption compared to NZ central and local government agencies. The well-resourced IT skill set that supports Federal agencies is likely to be a contributing factor in adoption.
“SMX know from experience that there is a lack of scale in cyber security skills across the NZ IT industry able to support the implementation of a complex security policy like DMARC at scale.”
Is there evidence to suggest NZ government departments are currently being targeted in email-borne cyber attacks to a greater degree as a result of this disparity?
“There is no evidence suggesting NZ Government departments are currently being targeted to any greater extent; however, this is difficult to measure and would in many cases not show up until after the fact.
“However, any organisation, whether corporate or government, is at greater risk of being targeted and falling foul of email-borne cyber attacks to a greater extent if DMARC enforcement is not in place.”
What would spur adoption? Does New Zealand need something like the US Department of Homeland Security's Binding Operational Directive (BOD) 18-01 to require uptake among government departments?
“Yes, similar. It’s time for NZ Government agencies to start to lead the conversation through their procurement and supply chain teams, with partner/suppliers.
“Education: NZ Government agencies have the opportunity to ensure they are promoting and considering email security when they select suppliers to work with and that their suppliers are supporting improvements in email security right through the chain.
“Enforcement is also important. The NZ Government recently updated its DMARC order, through an NZISM recommendation to ‘mandatory’, and it is the adoption following this order that we are focussed on in the latest SMX study.
“Interestingly, SMX noticed a significant change in our clients’ attitude to DMARC when recent sender guidelines were issued by Google that they would only handle bulk email campaigns if DMARC policy had been implemented (even just to ‘reporting’ status).
“These changes by email platforms like Google have gone a long way to raise awareness and drive adoption of DMARC.
“What New Zealand needs to see now is more Government agencies leading the transition from DMARC reporting to enforcement.
“SMX believe further collaboration between Government and private sector organisations (i.e. the end to end supply chain) with their technology partners would help accelerate this transition.”