Most federal agency web domains are on track to meet a requirement that protects them from email spoofing, according to a report from email security company Agari.
The requirement in question is Domain-based Message Authentication, Reporting and Conformance (DMARC), a policy that gives network administrators more visibility and control over how their domain is being used with regard to email. Without it, malicious actors can send emails that appear to be from a trusted source, such as a .gov website, to unsuspecting victims.
The Department of Homeland Security issued a binding operational directive (BOD) in October 2017 that required all agencies to protect their domains with the highest level of DMARC within one year. With the deadline less than three months away, Agari reports that most domains are on track to meet the requirements, and just over half have already done so.
DMARC can be implemented on three levels of increasing security. A policy of “none” takes no action on failing messages but allows administrators to monitor email sent using their domain. A policy of “quarantine” sends messages that fail DMARC authentication into the spam folder. “Reject,” the strongest policy, tells receiving mail servers to refuse messages that fail DMARC authentication, so spoofed emails are not delivered at all.
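The three policy levels map to the `p=` tag of the TXT record a domain publishes at `_dmarc.<domain>`. The following is an added example, not code from Agari's report or from DHS: it classifies constructed sample records by policy level and tallies them using the same categories the report uses; all domain names and report addresses are placeholders.

```python
from collections import Counter

# Constructed sample: TXT records as they might be published at _dmarc.<domain>.
# Domain names and report addresses are placeholders, not real agency data.
SAMPLE_RECORDS = {
    "sender.example.gov": "v=DMARC1; p=reject; rua=mailto:dmarc@sender.example.gov",
    "parked.example.gov": "v=DMARC1; p=reject",
    "monitor.example.gov": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example.gov",
    "spam.example.gov": "v=DMARC1; p=quarantine;",
    "spf-only.example.gov": "v=spf1 -all",  # a TXT record, but not DMARC
    "missing.example.gov": None,             # nothing published
}

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Return the tag/value dict of a DMARC record, or None if it is not one."""
    if not txt:
        return None
    pairs = [part.split("=", 1) for part in txt.split(";") if "=" in part]
    tags = [(key.strip().lower(), value.strip()) for key, value in pairs]
    # RFC 7489: the version tag must come first and be exactly DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)


def policy_level(txt):
    """Classify a record as 'none', 'quarantine', 'reject' or 'no-dmarc'."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-dmarc"
    policy = tags.get("p", "").lower()
    # A record without a recognised p= value gives receivers no policy to apply.
    return policy if policy in POLICIES else "no-dmarc"


def summarize(records):
    """Count domains per policy level."""
    return Counter(policy_level(txt) for txt in records.values())


if __name__ == "__main__":
    counts = summarize(SAMPLE_RECORDS)
    total = len(SAMPLE_RECORDS)
    for level in ("reject", "quarantine", "none", "no-dmarc"):
        print(f"{level:<10} {counts[level]:>2}  {100 * counts[level] / total:.0f}%")
```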
According to Agari, 81 percent of the 1,144 agencies subject to the DHS directive have implemented DMARC on some level, including the lowest one.
Of all the agency domains, including the ones that have yet to implement DMARC, 52 percent have implemented the “reject” policy. Two percent have a “quarantine” policy and 26 percent have the “none” policy.
As a caveat for the 52 percent at the top, Agari notes that 66 percent of them are defensive domains. That means these domains don’t send email in the first place.
“For this set of domains, the DMARC configuration process is often streamlined because there is no need to manage and align third party senders and perform other safeguards to prevent receivers from deleting legitimate mail that fails DMARC authentication,” the report says.
While there’s still time before the deadline to fully instate the “reject” policy, the BOD did direct agencies to at least have a “none” policy by Jan. 15, 2018. That means that the 19 percent of domains that don’t have DMARC at any level are about half a year overdue. Agari reported in January, after the first deadline, that 63 percent of agencies had deployed DMARC.
Still, Agari says that the government has outperformed the private sector. In the Fortune 500, 67 percent do not have any DMARC policy, the report says.
“The progress made by the U.S. Federal Government is encouraging. I commend DHS for their leadership on this effort and look forward to seeing the final results in October,” said Philip Reitinger, CEO of the Global Cyber Alliance, a group that monitors DMARC compliance, in a statement. “The private sector should take note of this effort and follow suit.”