The feds are deploying DMARC
The US National Cybersecurity Assessments & Technical Services Team have issued a mandate on web and email security, including TLS+HSTS for web servers, and STARTTLS+SPF+DKIM+DMARC for email.
It’s … pretty decent for a brief, public requirements doc. It’s compatible with a prudent rollout of email authentication.
- Set up a centralized reporting repository for DMARC failure and aggregate reports.
- Within 90 days, turn on opportunistic TLS, deploy SPF records, deploy DKIM and set up DMARC with p=none and an email address for reporting.
- Within 120 days, disable weak TLS ciphers.
- Within one year, migrate to p=reject.
The TLS requirements are sensible, and should be easy enough to roll out – and there’s likely enough time to work with vendors when it inevitably turns out that some servers can’t comply.
Best, it allows for a period of up to nine months of sending email with DMARC in monitoring-only mode with p=none. That, combined with a centralized repository for DMARC reports means that they should have enough visibility into issues to be able to resolve them before migrating to p=reject.
It all suggests a more realistic approach to DMARC timescales and issue monitoring during rollout than many organizations have shown.
They also have one of the clearer layman introductions to email authentication I’ve seen at https://cyber.dhs.gov/intro/.
Much of the content is well worth borrowing if you’re planning your own authentication upgrades; it’s all released CC0 / public domain (and the markdown source is at github).