DMARC in Canada: The government’s email security guidance

The Government of Canada (GC) has established strict cybersecurity policies to protect its email communications from phishing, spoofing, and unauthorized access. As part of its requirements established in May 2022, government organizations must implement Domain-based Message Authentication, Reporting, and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM).

These authentication protocols are crucial in ensuring that government emails are verified, secure, and defended against impersonation attempts. Mandating the implementation of SPF, DKIM, and DMARC in Canada helps protect federal agencies and the public from fraudulent emails that use trusted government domains.


SPF, DKIM, & DMARC in Canada

Before diving into the Government of Canada’s specific guidelines, let’s look into these key email security protocols:

  • DMARC: Lets domain owners specify how receiving servers should handle emails that fail authentication, making it harder for unauthorized senders to use the domain for email communication.
  • SPF: Prevents email spoofing by verifying that emails sent from a domain are from authorized IP addresses.
  • DKIM: Uses cryptographic signatures to validate the authenticity and integrity of email messages.

Canada’s email security requirements

The Government of Canada’s email security policy outlines the following requirements for federal departments and agencies to improve email authentication and reduce the risk of criminal activities:

Email domain protection

DMARC policy

  • Organizations are required to implement a DMARC policy of p=none for inbound and outbound emails.
  • Departments must advance to p=quarantine or p=reject for enhanced protection.
  • DMARC reports should be sent to at least one assigned address to monitor email activities.

DMARC reporting

  • The Canadian Centre for Cyber Security (CCCS) must be included as an aggregate report recipient.
  • Reports should be sent to dmarc@cyber.gc.ca for centralized monitoring of DMARC in Canada.
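
The DMARC policy and reporting requirements above can be checked mechanically against a domain's published record. The following is an added example, not code from this page or from the Government of Canada; it assumes the standard DMARC tag names (v, p, rua) and uses constructed sample records with a placeholder domain.

```python
# Added example: audit a DMARC TXT record against the requirements listed above.
GC_RUA = "dmarc@cyber.gc.ca"  # aggregate-report recipient named on this page

def parse_dmarc(txt):
    """Split a DMARC TXT record into a dict of lowercase tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def rua_mailboxes(tags):
    """Return rua mailto: addresses, dropping size suffixes such as '!10m'."""
    boxes = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            boxes.append(uri[len("mailto:"):].split("!", 1)[0].lower())
    return boxes

def check_record(txt):
    """Return a list of findings; an empty list means every check passed."""
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("v= tag must be DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none only monitors; advance to quarantine or reject")
    boxes = rua_mailboxes(tags)
    if not boxes:
        findings.append("no rua= aggregate report address")
    elif GC_RUA not in boxes:
        findings.append("rua= does not include " + GC_RUA)
    return findings

# Constructed sample records (department.example is a placeholder domain).
SAMPLES = [
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@department.example",
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@department.example,"
    " mailto:dmarc@cyber.gc.ca!10m",
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record, "->", check_record(record) or "OK")
```

The record text itself comes from the TXT record published at `_dmarc.<domain>`; fetching it is left to whatever DNS tooling is already in use.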

SPF

  • SPF records need to be configured to authorize all legitimate IP addresses that send emails on behalf of a government domain.

DKIM

  • DKIM signatures must be applied to all outbound messages to verify their authenticity.

Email visibility & configuration management

  • Government email tenants must be visible to other GC tenants through a shared global address list.
  • Shared Services Canada (SSC) and the CCCS must have administrative access for verification, reporting, and cyber defense purposes.

Understanding email security requirements

The Government of Canada’s strict email security policies are designed to:

  • Prevent email spoofing: Reducing the risk of cybercriminals impersonating government agencies.
  • Ensure accountability: Maintaining government records of decisions, actions, agreements, and transactions.
  • Protect sensitive data: Securing government email systems from unauthorized access.
  • Enhance cyber resilience: Strengthening the national cybersecurity framework against evolving threats.

The future of DMARC in Canada

By implementing SPF, DKIM, and DMARC in Canada, the government sets a high standard for email security and strengthens both the trust in and the defense of its communications. For organizations looking to improve their defenses, adopting these authentication measures is a critical step toward reducing cyberthreats.
