Government bodies falling short on email security

Research from Proofpoint has shown that half of Australian Government bodies are falling behind on implementing some basic email cybersecurity measures.

This shortfall leaves the public, government employees and other stakeholders exposed to a higher risk of email fraud.

The new findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of 155 primary bodies within the Australian Government.

These include Defence, Home Affairs, Foreign Affairs and Trade, Education, Employment and Workplace Relations, Social Services, Climate Change, Energy, the Environment and Water, Treasury, and Finance.

DMARC is an email authentication protocol designed to stop cyber criminals misusing a domain name: a receiving mail server checks that a message genuinely comes from the domain it claims to, and applies the domain owner’s published policy before the message reaches its destination.

It comes with three levels of protection — monitor, quarantine and reject — with reject having the highest level of security for stopping suspicious emails before they reach inboxes.

The Proofpoint research shows that, while 99% of the bodies surveyed use some form of DMARC protection, only half use the strongest ‘reject’ policy.

The full findings show that:

  • 50% of Australian Government entities have implemented the highest DMARC protection level: Reject.
  • 35% have a Quarantine policy, meaning suspicious emails are sent to a spam folder.
  • 14% have a Monitor policy, which only tracks DMARC activity without blocking or quarantining emails.
  • 1% have no DMARC record at all.
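
To make the four buckets in those findings concrete, here is an added example (not from the article or from Proofpoint) that parses constructed `_dmarc` TXT records and sorts domains into Reject, Quarantine, Monitor and no-record. It assumes, as RFC 7489 specifies, that a `pct` value below 100 is treated as the next weaker policy; the article does not say how the survey handled that case.

```python
"""Bucket DMARC records the way the survey findings do (added example)."""
from typing import Optional

# Survey buckets keyed by the DMARC p= value; a syntactically invalid
# record is counted the same as having no record at all.
BUCKETS = {"reject": "Reject", "quarantine": "Quarantine", "none": "Monitor"}


def parse_dmarc(txt: Optional[str]) -> Optional[dict]:
    """Split a _dmarc TXT record into tag/value pairs; None if invalid."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489 requires both the v=DMARC1 tag and a p= policy tag.
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def classify(txt: Optional[str]) -> str:
    """Map one record to Reject / Quarantine / Monitor / None."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "None"
    policy = tags["p"].lower()
    # pct= below 100: receivers apply the next less strict policy to the
    # unsampled share of failing mail (RFC 7489 s6.6.4), so count it as such.
    if int(tags.get("pct", "100")) < 100:
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return BUCKETS.get(policy, "None")


SAMPLE_RECORDS = {  # constructed sample data, not real government domains
    "a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@a.example",
    "b.example": "v=DMARC1; p=quarantine; pct=100",
    "c.example": "v=DMARC1; p=none; rua=mailto:reports@c.example",
    "d.example": None,                       # no _dmarc record published
    "e.example": "v=DMARC1; p=reject; pct=50",  # only half enforced
    "f.example": "p=reject",                 # missing v= tag: invalid
}


def survey(records: dict) -> dict:
    """Count domains per bucket, mirroring the findings' four categories."""
    counts = {"Reject": 0, "Quarantine": 0, "Monitor": 0, "None": 0}
    for txt in records.values():
        counts[classify(txt)] += 1
    return counts
```

Pointing this at live DNS (for example with `dnspython`) would reproduce the survey for any list of domains; the sample set above counts as one Reject, two Quarantine, one Monitor and two with no usable record.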

“Government entities are prime targets for cyber adversaries, so this vital gap in cybersecurity measures is surprising and alarming amidst recent large-scale breaches in Australia,” said Steve Moros, Senior Director, Advanced Technology Group, Asia Pacific and Japan at Proofpoint.


“While it’s encouraging to see half of Australian Government bodies employing the highest level of DMARC protection, it is concerning to see 50% are still failing to strengthen their defences against email-based threats,” he added.

ASIO’s 2025 Annual Threat Assessment indicates that Australian infrastructure continues to be targeted, and that this targeting presents a larger threat than physical damage to infrastructure.

Proofpoint says that email remains a primary avenue for cyberattacks. DMARC authentication detects and prevents email spoofing techniques used in phishing, business email compromise, and other email-based attacks.

Moros says DMARC stands as the only widely deployed technology that makes the sender’s ‘From’ address trustworthy in email communications.

“We’re seeing a decisive move in this direction across the pond, where the New Zealand government is mandating DMARC enforcement for all government domains under its Secure Government Email (SGE) Framework,” said Moros.

“Due to come into force in October, it will ensure a consistent, high level of email authentication, directly countering impersonation and phishing threats that are increasing at scale and sophistication.”
