Trust is a critical component of democracy and vital to the relationship between the modern state and its citizens. In South Africa, millions of citizens depend on the state for social grants and a range of essential services they trust the government to provide.

By Moss Gondwe, public sector lead for South Africa at Mimecast

Protecting the integrity of government communications is essential to maintaining trust between citizens and their government. Citizens need to feel safe in the knowledge that the information they are receiving is from a genuine public sector institution.

If malicious actors were to trick grant recipients with fake emails after hijacking a government email domain, it could have a devastating impact on the lives of millions, and cause severe damage to the relationship between the state and the public. The same holds true for any government service.

Over the past decade, governments have increasingly used digital platforms to communicate with citizens, with email emerging as one of the most critical channels. However, many government organisations have been slow to implement the necessary security controls that would help ensure their email communication is safe and secure.

Domain-based Message Authentication, Reporting and Conformance, or DMARC for short, is one such control, that helps prevent bad actors from impersonating government organisations in phishing email attacks. DMARC is an email validation system that detects when someone is using an organisation’s domain without authorisation.

By adding a DMARC record to their domain information, government organisations can make sure that only legitimate entities are sending information on their behalf.

Formalising DMARC’s use through policy

Several countries have introduced policies and legislation to make DMARC a compulsory or at least a recommended component of their public sector cybersecurity strategies.

Since October 2016, the UK government has required all government departments operating under the domain to have DMARC in place, and that each department has the strongest policy as the default.

Shortly after the UK implemented its policy, the US Department of Homeland Security issued Binding Operational Directive 18-01, which includes a requirement for government domains to implement DMARC.

Other countries, including New Zealand, Australia, and the Netherlands have implemented policies and guidelines for the use of DMARC in both the public and private sectors. Citizens in these countries can interact with their government safely and with the full confidence that the person or institution they are engaging with is authentic.

DMARC adoption widespread despite lack of policy

South Africa is lagging behind in formalising DMARC as a legal requirement for public and private sector emails, with no clear policy in this regard.

That does not mean South African organisations are not using DMARC to protect their email domains. Mimecast’s State of Email Security 2023 report found that 93% of South African organisations are using or plan to use DMARC to thwart email spoofing. Thirty-eight percent of South African companies have already deployed it, the second-highest rate of all 13 markets that were surveyed.

The rush to secure email from spoofing attacks points to pervasive cyber risks affecting the world’s most popular business communication channel. Email usage has risen at 86% of local companies over the past year, with 68% reporting an increase in email-based threats.

Nearly nine in 10 South African organisations (88%) said they were made aware of attempts to misappropriate their email domains in the past year, with 48% reporting an increase in such attempts.

Practical steps for adding DMARC to a security stack

The volatile threat landscape and global trend toward making DMARC a compulsory aspect of cybersecurity strategies in many countries may see South Africa develop a new policy aimed at strengthening email resilience among public and private sector organisations. However, implementing DMARC is not an overnight activity.

Organisations that have not yet adopted DMARC should start by taking note of a few top considerations.

* Implement a ‘reporting-only’ policy to uncover all legitimate email senders. This will help organisations discover every entity that is using their email domains to send email, whether that use is legitimate or not. Once it’s clear who the legitimate senders are, develop a policy that rejects all illegitimate senders. When companies implement strict DMARC policies in a rush, they risk blacklisting legitimate emails. This could lead to important emails not reaching their recipients, which could cause major damage in the case of government departments needing to share vital information with citizens.

* Understand that DMARC is not a standalone solution. DMARC allows organisations to halt the fraudulent use of email domains, but a brand exploit protection tool is a necessary addition to prevent the use of lookalike web domains in phishing attacks. When combined, these tools help prevent a brand from being impersonated and enhance the organisation’s overall security posture. Ultimately, it’s about organisations protecting people, whether they are customers, employees, or in the case of the public sector, citizens.

* Understanding how DMARC integrates into and supports an organisation’s broader cybersecurity ecosystem is essential to unlocking its true value. It’s important to work with expert providers that understand the intricacies of DMARC and can help keep email domains safe with minimal impact on all end-users.

While brand protection measures like DMARC are an essential building block of a well-defined security strategy, they need to integrate into a broader cybersecurity ecosystem to ensure end-users trust the digital environment where they are interacting with an organisation. Importantly, regular awareness training and creating a cyber aware culture, is essential in helping organisations protect all the people in their digital network.

The use of email is only expected to grow, especially as a channel between government departments and citizens. Threat actors know this and are constantly refining their impersonation attacks, making it harder for individuals to distinguish a legitimate email from a fake one.

However, by following a growing global best practice trend of using DMARC to secure email domains, organisations in the public and private sectors can help protect their customers, citizens and other stakeholders from the reaches of the global cybercrime industry.