Earlier today Ajay, fellow from the Linux User Group of Mauritius, posted on facebook that he noticed gov.mu emails are now DKIM signed and have SPF records in their DNS.

A few months ago the Government of Mauritius email security issues triggered a hot debate. I actually ran a live demo during an event showing how Government emails can be forged. Every now & then the topic sprouted across IT debates.

The news of gov.mu equipped with DKIM & SPF brought a smile today ( :

These are long awaited security mechanisms and a positive attitude towards encouraging a better IT infrastructure in Mauritius. When I reached home I also noticed the topic was being discussed on the MIU (Mauritius Internet Users) mailing list, where Ajay provided further details.

On my end, I triggered a « password reset » on the Government Portal to receive an email. Indeed, the header now shows that the email is DKIM signed.

Received-SPF: pass (google.com: domain of portal***@mail.gov.mu designates 202.***.**.*** as permitted sender) client-ip=202.***.**.***; Authentication-Results: mx.google.com; spf=pass (google.com: domain of portal***@mail.gov.mu designates 202.***.**.*** as permitted sender) smtp.mail=portal***@mail.gov.mu; dkim=pass header.i=@mail.gov.mu DKIM-Signature: v=1; a=rsa-sha256; d=mail.gov.mu; s=dkimmailgovmu; c=relaxed/simple; q=dns/txt; i=@mail.gov.mu; t=1411746676; x=1443282676;
I replaced some of the characters by asterisks on purpose ^^,

Now, since I still have my demo machines I fired up a session & tried forging an email like security@mail.gov.mu. Let’s see how the header looks this time.

Received-SPF: fail (google.com: domain of security@mail.gov.mu does not designate 197.***.***.*** as permitted sender) client-ip=197.***.***.***; Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of security@mail.gov.mu does not designate 197.***.***.*** as permitted sender) smtp.mail=security@mail.gov.mu Received: from vbox (localhost [127.0.0.1]) by vbox (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id s8QFlb70002712

Notice it says Received-SPF: fail and spf=hardfail. It specifies that my IP address isn’t designated. Therefore such forged emails will now be thwarted by spam filters.

Implementation of DKIM and SPF is a positive step by the Government towards contributing a better IT infrastructure in Mauritius. Cheers to everyone who raised the issue at various levels ^^,