Domain-based Message Authentication, Reporting & Conformance (DMARC) is one of the simplest and easiest ways to prevent email spoofing[1], a technique used by those conducting phishing campaigns or business email compromise scams. It works by verifying whether an incoming email is actually from the server it purports to be.
As of the end of 2018, only 5.5% of Australian government domains[2] implemented DMARC, but that is set to change.
Thanks to Labor Senators asking seemingly every Australian government agency about the state of its DMARC implementation, it is possible to get some idea of how much progress has been made.
Of the responses made so far, the most important would be that of the Department of Parliamentary Services (DPS), which provides IT services to a number of other agencies.
On whether DMARC was "fully implemented", DPS said it wasn't complete yet, but it had money for the job.
"Implementation of DMARC is funded as part of DPS' capital budget for 2020-21," the department said.
Other agencies were more forthcoming, with ASC, formerly known as the Australian Submarine Corporation, stating that it had reached a stage where it honours the DMARC records of others, but had yet to publish its own DMARC DNS record.
Similarly, the Office of the Official Secretary to the Governor-General said its domains were in notification mode thanks to a recent Australian Cyber Security Centre (ACSC) assessment, and the actual implementation was by the "Office's whole-of-government secure internet gateway provider".
"The Office acts on advice from ACSC as part of its participation in their Cyber Uplift for Federal Government Systems program. ACSC have recommended that this is an effective mitigation against the threat of phishing emails," it said.
Another set of