All Dutch governments must implement a strict policy for DMARC and SPF by the end of 2019

Recently, a new target image agreement drawn up by the Standardization Forum in the Netherlands was approved! All Dutch governments must implement a strict policy for DMARC and SPF by the end of 2019. On 18 April 2018, OBDO agreed to this new target agreement on the advice of the Standardization Forum.

The new agreement follows a previous, successful government-wide agreement and contains several goals that digital authorities in the Netherlands must meet to improve the security of the communication channel. The goals also protect the email channel of the government. An important part of these goals is the rollout of DMARC on all government domains before the end of 2019. Governments are called upon to work towards a DMARC reject policy, although a quarantine policy also still satisfies the agreement.

In addition to the application of DMARC, other techniques such as HTTPS + HSTS and STARTTLS + DANE are also recommended. A combination of these techniques adds an extra layer of security to all digital communication. The open standards are also on the ‘comply or explain’ list (the ‘pas toe of leg uit’ list in Dutch) that obliges governments to opt for these standards when purchasing new ICT systems. The Standardization Forum continues to measure how far governments have progressed with implementing the measures and will report this to the OBDO.

Domain-based Message Authentication, Reporting & Conformance (DMARC) is an e-mail validation system intended to combat spam and phishing emails. By publishing a DMARC record, a domain owner gains insight into and control over who sends e-mail on behalf of their domain. With DMARC, organizations can prevent others from sending emails on behalf of the e-mail domain of the organization.

The previous target agreement, which expired at the end of 2017, has already led to a major increase in the application of online security methods. However, it was necessary to make a new agreement that meets current standards, with an important focus on DMARC.

The National Cyber Security Center (NCSC) has been advising the use of email authentication with SPF, DKIM and DMARC to prevent phishing on behalf of your domain names.

Overview of the target image agreements for information security standards:
• By the end of 2017: DNSSEC, TLS and DMARC + DKIM + SPF
• By the end of 2018: HTTPS + HSTS in accordance with NCSC guidelines
• By the end of 2019: STARTTLS + DANE and strict settings for DMARC (p=reject or p=quarantine) and SPF (~all or -all)
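
The strict DMARC and SPF settings in the last item can be checked mechanically. The following is an added example, not code from the original page or from DMARC Analyzer: it tests constructed TXT records against the two criteria named above. The function names and sample domains are assumptions, and DMARC's sp and pct tags are not evaluated because the agreement as described here names only p.

```python
# Added example: the records below are constructed, not taken from real domains.
STRICT_DMARC = {"reject", "quarantine"}  # p= values the agreement accepts
STRICT_SPF_ALL = {"~all", "-all"}        # SPF endings the agreement accepts

def parse_dmarc(txt):
    """Return the record's {tag: value} pairs, or None if it is not a DMARC record."""
    tags, first = {}, None
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if not sep:
            continue  # empty piece after a trailing ";"
        name, value = name.strip().lower(), value.strip()
        first = first or (name, value)
        tags.setdefault(name, value)
    # RFC 7489: the v tag comes first and its value is exactly "DMARC1"
    return tags if first == ("v", "DMARC1") else None

def dmarc_is_strict(txt):
    tags = parse_dmarc(txt)
    return bool(tags) and tags.get("p", "").lower() in STRICT_DMARC

def spf_is_strict(txt):
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False
    for term in terms[1:]:
        t = term.lower()
        if t.lstrip("+-~?") == "all":
            # evaluation stops at the first "all"; a bare "all" means "+all"
            return t in STRICT_SPF_ALL
    # No "all" term: the result falls through to neutral, or to a redirect=
    # target that has to be fetched and checked as a record of its own.
    return False

def audit(records):
    """records: {domain: (dmarc_txt, spf_txt)} -> {domain: (dmarc_ok, spf_ok)}"""
    return {d: (dmarc_is_strict(dm), spf_is_strict(sp))
            for d, (dm, sp) in records.items()}

SAMPLE = {  # constructed sample records
    "strict.example": ("v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
                       "v=spf1 mx -all"),
    "monitor.example": ("v=DMARC1; p=none;", "v=spf1 include:_spf.example.net ?all"),
    "spaced.example": ("v=DMARC1 ; p = Quarantine", "v=spf1 ip4:192.0.2.0/24 ~all"),
}

if __name__ == "__main__":
    for domain, result in audit(SAMPLE).items():
        print(domain, result)
```

The DMARC record is published as a TXT record at `_dmarc.<domain>` and the SPF record at the domain itself; fetching them is left to whatever DNS tooling is already in use.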

DMARC Analyzer helps governments with the implementation of DMARC and can also provide advice on the other requirements.