Introduction

The public sector needs DMARC (Domain-based Message Authentication, Reporting & Conformance) as part of becoming NIS2 compliant, for several reasons. The NIS2 directive requires stronger cybersecurity measures to protect critical infrastructure, and DMARC plays a central role in securing email, which is a core part of that digital infrastructure.

So, how does DMARC protect email communications and why is this so important for NIS2 compliance?

Email Fraud and Phishing Prevention:

DMARC helps prevent email fraud such as phishing by letting receiving mail servers verify that a message claiming to come from your domain was actually authorised by you (SPF or DKIM must pass and align with the visible From: domain), and by telling them what to do when it was not. Note the scope: DMARC stops exact spoofing of your own domain; it does not stop lookalike domains or mail sent from a compromised legitimate account. Preventing spoofing of a public authority's domain is crucial to protect against attacks that could lead to data breaches, which is a key concern of NIS2.

Ensure Integrity and Trust:

Public organisations often handle sensitive information and communicate with citizens and other authorities. DMARC helps to protect these communication channels, ensuring the integrity and trust of digital communications.

Reduce the Risks of Supply Chain Attacks:

The public sector is part of a larger supply chain and can be affected by the vulnerabilities of third-party vendors. An unprotected government domain can be spoofed to phish citizens, suppliers and other authorities in that chain. By implementing DMARC with an enforcing policy, public authorities reduce the risk of their domains being used in attacks against other entities in the supply chain.

Improved Security Incident Management:

DMARC gives domain owners reports on email traffic and failed authentications: aggregate reports (the rua address) summarising which IP addresses sent mail for your domain and whether it passed, and optionally per-message failure reports (the ruf address). These reports help security teams quickly identify and respond to suspicious activity, which improves incident management, a key requirement under NIS2.

Compliance and Reporting:

The NIS2 Directive requires organisations to report significant security incidents. DMARC reports give public organisations evidence of when and from where their domains were spoofed, which supports both the investigation and the reporting of email-related incidents.

Increased Transparency and Controls:

DMARC provides transparency into how email from your domain is being used and abused. This transparency is important for understanding and controlling the threat landscape, which is a key part of building a strong cybersecurity strategy in line with NIS2.

DMARC implementation in the Swedish Public Sector

Although DMARC is an important part of NIS2 compliance, DMARC implementation in the Swedish public sector is quite low. Only 25% of government authorities, 14% of municipalities and 19% of regions have implemented a DMARC policy. For those that have not implemented DMARC, it is time to get started.

To implement DMARC successfully, follow these steps:

  1. Analyse and Prepare: Start by understanding the email infrastructure and identify all domains used to send email, including subdomains and third-party services (newsletters, ticketing systems, cloud providers) that send on the organisation's behalf.

  2. Implement SPF and DKIM: DMARC is based on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Implement these protocols first so that sender domains can be properly authenticated. Remember that DMARC requires alignment: the SPF-checked domain or the DKIM signing domain must match the domain in the From: header, so third-party senders need to be included in SPF or sign with a DKIM key for your domain.

  3. Implement DMARC with Reporting: Publish a DMARC record with a "none" policy (p=none) and a reporting address (rua=) to collect aggregate reports without affecting email delivery. Analyse the reports to separate legitimate email sources from illegitimate ones.

  4. Gradually tighten the policy: Once the organisation has sufficient insight into the email traffic and all legitimate senders pass with alignment, tighten the DMARC policy from "none" to "quarantine" and finally to "reject" to block unauthenticated emails. The pct tag can be used to apply the stricter policy to a fraction of mail first.

  5. Continuous Monitoring and Adjustment: A proper DMARC implementation is not a one-time task. It requires ongoing monitoring and adjustment to accommodate new senders and services, as well as to detect new and evolving abuse of the domain.
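The following is an added example, not code from the original article, showing the analysis behind steps 3 and 4: it parses a DMARC aggregate (rua) report, separates sources into DMARC-pass, authenticated-but-unaligned (typically a third-party sender that still needs an SPF include or an aligned DKIM signature) and fully unauthenticated (a spoofing candidate or a forgotten server), and suggests whether the policy can move to the next step of the none, quarantine, reject ramp. The report XML, the domain agency.example and the IP addresses are constructed for illustration; the report layout follows the aggregate feedback format defined by the DMARC specification.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report (RFC 7489 feedback XML). Domains, IPs
# and counts are made up: 192.0.2.10 is the agency's own mail server,
# 198.51.100.7 a bulk-mail provider not yet aligned, 203.0.113.99 a spoofer.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1234</report_id></report_metadata>
  <policy_published><domain>agency.example</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>420</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example</header_from></identifiers>
    <auth_results><dkim><domain>agency.example</domain><result>pass</result></dkim>
      <spf><domain>agency.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example</header_from></identifiers>
    <auth_results><spf><domain>bulk-sender.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>900</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example</header_from></identifiers>
    <auth_results><spf><domain>attacker.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_dmarc_record(txt):
    """Parse the _dmarc TXT record ("v=DMARC1; p=none; rua=mailto:...") into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def parse_report(xml_text):
    """Return one summary dict per <record> of an aggregate report."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        raw_spf = rec.find("auth_results/spf/result")
        raw_dkim = rec.find("auth_results/dkim/result")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # policy_evaluated carries the *aligned* results DMARC decides on;
            # auth_results carries the raw SPF/DKIM outcome for whatever domain
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "spf_raw_pass": raw_spf is not None and raw_spf.text == "pass",
            "dkim_raw_pass": raw_dkim is not None and raw_dkim.text == "pass",
        })
    return rows


def classify(row):
    """Bucket a source as DMARC pass, authenticated-but-unaligned, or unauthenticated."""
    if row["dkim_aligned"] or row["spf_aligned"]:
        return "pass"
    if row["spf_raw_pass"] or row["dkim_raw_pass"]:
        return "unaligned"  # usually a legitimate third-party sender to fix
    return "fail"           # spoofing candidate or forgotten internal server


def summarize(xml_text):
    """Message counts and source IPs per bucket for one aggregate report."""
    totals, sources = defaultdict(int), defaultdict(list)
    for row in parse_report(xml_text):
        bucket = classify(row)
        totals[bucket] += row["count"]
        sources[bucket].append(row["source_ip"])
    return dict(totals), dict(sources)


def recommend_policy(current_p, totals):
    """Next step on the none -> quarantine -> reject ramp, or hold if senders need fixing."""
    if totals.get("unaligned", 0) > 0:
        return current_p, "fix unaligned senders (SPF include / aligned DKIM) before tightening"
    ladder = ["none", "quarantine", "reject"]
    idx = ladder.index(current_p)
    if idx == len(ladder) - 1:
        return "reject", "already at reject; keep monitoring"
    return ladder[idx + 1], "all legitimate mail aligns; tighten the policy"


if __name__ == "__main__":
    published = parse_dmarc_record("v=DMARC1; p=none; rua=mailto:dmarc-rua@agency.example")
    totals, sources = summarize(SAMPLE_REPORT)
    for bucket in ("pass", "unaligned", "fail"):
        print(f"{bucket:10s} {totals.get(bucket, 0):5d} messages from {sources.get(bucket, [])}")
    print("next policy:", recommend_policy(published["p"], totals))
```

Run against real reports, the "unaligned" bucket is the list to work through before step 4: each such source is either a service that must be added to SPF or given an aligned DKIM key, or a sender that should not be using the domain at all. Only when that bucket is empty over a representative period is moving to quarantine (and later reject) safe for legitimate mail.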

Do you know if DMARC is activated for your organization?

Take the first step towards NIS2 compliance and test whether DMARC is enabled for your email domain: