ADR 008: Email Authentication Protocols
Status: Accepted | Date: 2025-08-15
Context
Government email domains are prime targets for cybercriminals who exploit them for phishing attacks, business email compromise, and brand impersonation. Citizens and businesses expect government emails to be trustworthy, making email authentication critical for maintaining public confidence and preventing fraud.
Without proper email authentication, attackers can easily spoof government domains to conduct social engineering attacks, distribute malware, or harvest credentials from unsuspecting recipients.
References:
Decision
Implement email authentication standards for all government domains:
Required Standards:
- SPF: Publish records defining authorized mail servers with strict policies (“~all” or “-all”)
- DKIM: Sign all outbound email with minimum 2048-bit RSA keys, rotate annually
- DMARC: Progress from “p=none” to “p=reject” with subdomain policies and reporting
- BIMI: Implement verified brand logos with Verified Mark Certificates (VMCs)
Implementation:
- Monitor DNS records for tampering
- Regular authentication testing and effectiveness reviews
- Incident response procedures for authentication failures
- Integration with email security gateways
Consequences
Benefits:
- Automated email authentication blocking domain spoofing
- Enhanced brand protection and citizen trust
- Comprehensive threat visibility through DMARC reporting
Risks if not implemented:
- Phishing attacks exploiting government domain reputation
- Reduced email deliverability affecting citizen communications
- Non-compliance with government security requirements