Government emails now DKIM signed

September 26, 2014

Earlier today Ajay, fellow from the Linux User Group of Mauritius, posted on facebook that he noticed gov.mu emails are now DKIM signed and have SPF records in their DNS.

A few months ago the Government of Mauritius email security issues triggered a hot debate. I actually ran a live demo during an event showing how Government emails can be forged. Every now & then the topic sprouted across IT debates.

The news of gov.mu equipped with DKIM & SPF brought a smile today ( :

These are long awaited security mechanisms and a positive attitude towards encouraging a better IT infrastructure in Mauritius. When I reached home I also noticed the topic was being discussed on the MIU (Mauritius Internet Users) mailing list, where Ajay provided further details.

On my end, I triggered a « password reset » on the Government Portal to receive an email. Indeed, the header now shows that the email is DKIM signed.

Received-SPF: pass (google.com: domain of portal***@mail.gov.mu designates 202.***.**.*** as permitted sender) client-ip=202.***.**.***; Authentication-Results: mx.google.com; spf=pass (google.com: domain of portal***@mail.gov.mu designates 202.***.**.*** as permitted sender) smtp.mail=portal***@mail.gov.mu; dkim=pass header.i=@mail.gov.mu DKIM-Signature: v=1; a=rsa-sha256; d=mail.gov.mu; s=dkimmailgovmu; c=relaxed/simple; q=dns/txt; i=@mail.gov.mu; t=1411746676; x=1443282676;

I replaced some of the characters by asterisks on purpose ^^,

Now, since I still have my demo machines I fired up a session & tried forging an email like security@mail.gov.mu. Let's see how the header looks this time.

Received-SPF: fail (google.com: domain of security@mail.gov.mu does not designate 197.***.***.*** as permitted sender) client-ip=197.***.***.***; Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of security@mail.gov.mu does not designate 197.***.***.*** as permitted sender) smtp.mail=security@mail.gov.mu Received: from vbox (localhost [127.0.0.1]) by vbox (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id s8QFlb70002712

Notice it says Received-SPF: fail and spf=hardfail. It specifies that my IP address isn’t designated. Therefore such forged emails will now be thwarted by spam filters.

Implementation of DKIM and SPF is a positive step by the Government towards contributing a better IT infrastructure in Mauritius. Cheers to everyone who raised the issue at various levels ^^,