UK Government Agencies Leading the Way in DMARC Protection

Brexit isn’t the only big news coming out of the UK government this week. Yesterday, Britain’s Government Digital Service (GDS) announced a big email security update: all agencies running on the sub-domain will be required to publish a DMARC (Domain-based Message Authentication Reporting & Conformance) policy.

By October 1, 2016, agencies must set this DMARC policy to the highest level, p=reject, which blocks all messages that do not pass authentication before they get to the inbox. As a temporary measure only, GDS says, teams can implement a DMARC monitor, or “p=none”, policy.


By implementing DMARC, UK government agencies will block any malicious messages spoofing domains. In other words, cyber criminals will no longer be able to use domains to trick unsuspecting citizens or government employees.

This is good news, considering the fact that the UK, according to Symantec’s annual Internet Security Threat Report, is the world’s most targeted nation for phishing scams and ransomware. And government targets are traditionally some of the most fruitful for fraudsters.

Not only does government phishing compromise the security of sensitive agencies, it also puts citizens at serious risk. Last year, for example, hackers targeted the US Internal Revenue Service, gaining access to the tax returns of more than 300,000 people.

DMARC will become a universal requirement

We expect that in the near future, DMARC will become a requirement at companies across industries and governments around the world. Right now, too many companies rely on users as their first line of defense against email fraud. By automatically blocking bad email before it reaches the inbox, DMARC removes user guesswork from the equation.

The risks of swift DMARC policy implementation

A DMARC monitor, or “p=none” policy, gives you the feedback loop you need to see what email is authenticating, what email is not, and why. Once you clean up your authentication on all of your sending domains, you can safely move to “p=reject” and block only the malicious messages.

If you implement DMARC reject policy before all of your mail is authenticating properly, however, your unauthenticated messages won’t just be at risk of getting flagged as suspicious—you’ll actually be instructing mailbox providers to reject these messages outright.

For example, has implemented a p=quarantine policy (v=DMARC1;p=quarantine;sp=none;adkim=s;aspf=s;fo=1;rua=mailto:[email protected]). However, the record has a number of errors that affect how mailbox providers will interpret the policy:

  • Error: No spaces after each semicolon
    • Implication: The risk is that some ISPs rely on the semi-colon, the space, or both to denote the end of one tag value and the beginning of the next.
  • Against best practice: p=quarantine but with no Forensic reporting
    • Implication: Emails could be blocked. The Aggregate reports will show the quantities, but without Forensic reports it will be very difficult to diagnose issues.
  • Against best practice: DKIM & SPF alignment is set to Strict
    • Implication: This does not always provide more security; rather, it creates more opportunities for authentication failures, because it requires the MFrom and the DKIM domains to match the Header From exactly.
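
The three points above can be checked mechanically before a record is published. The following is an added example, not code from the original article or from Return Path: the function names and finding labels are hypothetical, and the `rua`/`ruf` addresses are constructed placeholders because the address in the quoted record is obfuscated on the page.

```python
import re

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict (tolerates spaces)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    return tags

def lint_dmarc(record):
    """Return the article's findings (hypothetical labels) that apply."""
    tags = parse_dmarc(record)
    findings = []
    # Point 1: a semicolon immediately followed by the next tag.
    if re.search(r";\S", record):
        findings.append("no-space-after-semicolon")
    # Point 2: an enforcing policy with no forensic (ruf) report address.
    if tags.get("p", "").lower() in ("quarantine", "reject") and "ruf" not in tags:
        findings.append("enforcing-without-ruf")
    # Point 3: strict alignment; an absent tag defaults to relaxed ("r").
    strict = [t for t in ("adkim", "aspf") if tags.get(t, "r").lower() == "s"]
    if strict:
        findings.append("strict-alignment:" + ",".join(strict))
    return findings

# Record as quoted in the article, with a constructed placeholder address.
QUOTED = (
    "v=DMARC1;p=quarantine;sp=none;adkim=s;aspf=s;fo=1;"
    "rua=mailto:dmarc@example.org"
)
# Constructed variant that addresses all three points.
CLEANED = (
    "v=DMARC1; p=quarantine; sp=none; fo=1; "
    "rua=mailto:dmarc@example.org; ruf=mailto:dmarc@example.org"
)

if __name__ == "__main__":
    for rec in (QUOTED, CLEANED):
        print(lint_dmarc(rec))
```
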



How to implement DMARC the right way

The correct way to implement a “p=reject” policy is shown in the policy below from Her Majesty’s Revenue & Customs (HMRC):



As the third most exploited brand by cybercriminals in phishing attacks (Malcovery), HMRC has embraced and promoted the use of email authentication for several years. HMRC’s head of cyber security, Ed Tucker, has spoken at many events with Return Path on the benefits and challenges of deploying technologies like DKIM, SPF and DMARC: “Simply put, the DMARC standard works. In a blended approach to fighting email fraud, DMARC represents the cornerstone of technical controls that senders can implement today to rebuild trust and retake the email channel for legitimate brands and consumers.”

DMARC is no longer an option for organisations using But it’s imperative you implement it the right way to reap its benefits. The first step is to create a DMARC record. Then, follow the key implementation steps outlined in our email authentication kit.

And as always, if you have any questions during this process, don’t hesitate to reach out to Return Path’s email authentication experts.
