email security

Feds ahead in DMARC adoption

When it comes to uncovering email spoofing, the federal government ranks higher than any other industry or sector, a new report finds.

Eighty percent of 1,300-plus U.S. federal domains now publish Domain-based Message Authentication, Reporting and Conformance records, considered a crucial first step in identifying false or impersonated email addresses, according to new research conducted by cybersecurity company VailMail, which sells online authentication tools.

Of the domains that have adopted some form of DMARC protection, 87 percent have been configured to the highest forms of protection -- automatically quarantining or rejecting suspicious emails before they arrive in employees' inbox.The company credits the lion's share of the federal government's improvement to a Binding Operation Directive from the Department of Homeland Security in 2017 that gave agencies one year to implement a series of email and website cybersecurity tools, requiring 100 percent compliance by the end of October 2018.

"Since the executive branch accounts for the vast majority of the 1,315 federal .gov domains, [the directive] has had a huge impact on DMARC usage in this group," the report states.

Email spoofing simplifies phishing and other e-mail based attacks or frauds.

DMARC adoption is accelerating. A November 2017 report found that just 34 percent of federal domains had adopted DMARC in some form. DHS officials have said in the past that directive has substantially improved baseline cybersecurity protections at federal agencies.

The company said it pored through billions of email message authentication requests along with 17 million public DMARC and SPF records to arrive at the report's conclusions. The percentage of domains that have actually implemented enforcement policies -- quarantining and rejecting spoofed emails -- is particularly noteworthy, as the company says that "most companies that attempt DMARC do not complete the journey."

"The enforcement effectiveness rate -- the percentage of companies deploying DMARC that actually get to an enforcement policy -- hovers around 20 percent for almost every category of company we have studied," the report said.

Shortly before the October 2018 deadline, DHS said that its internal numbers showed that 71 of the 99 agencies being tracked had at least 80 percent of their domains sending DMARC reports and 56 percent had achieved 100 percent compliance. DHS did not respond to a request for updated figures.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.