U.S. government making progress on DMARC implementation
The deadline for full DMARC implementation in U.S. government-owned domains is less than three months away, and only half of the domains have the correct policy in place.
Despite the October 2018 deadline, only half of U.S. government agencies have taken steps toward DMARC implementation.
The Department of Homeland Security (DHS) issued Binding Operational Directive (BOD) 18-01 in October 2017, mandating that all federal executive branch departments and agencies implement specific email security and web security measures, including STARTTLS, Sender Policy Framework, DomainKeys Identified Mail, Hypertext Transfer Protocol Secure and DMARC.
"Federal agency 'cyber hygiene' greatly impacts user security," the directive said. "By implementing specific security standards that have been widely adopted in industry, federal agencies can ensure the integrity and confidentiality of internet-delivered data, minimize spam, and better protect users who might otherwise fall victim to a phishing email that appears to come from a government-owned system."
DMARC, or domain-based message authentication, reporting and conformance, is an email authentication and reporting protocol that lets a domain owner declare how receiving mail servers should handle messages that fail authentication for that domain. DMARC policies can and should be set to "reject," so unauthenticated email messages are blocked outright. The other options are "quarantine," which sends such messages to a junk or spam folder, and "none," which only monitors and reports on them without acting on them.
BOD 18-01 requires DMARC implementation in all government agencies and that they set the policy to "reject" within one year; that deadline is Oct. 16, 2018.
"Setting a DMARC policy of 'reject' provides the strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery," BOD 18-01 stated. "Additionally, DMARC reports provide a mechanism for an agency to be made aware of the source of an apparent forgery, information that they wouldn't normally receive otherwise."
Security company Agari has been tracking the progress of DMARC implementation in the U.S. government since BOD 18-01 was issued, and its latest report showed that while 81% of federal domains have implemented some level of a DMARC policy, only 52% have it set to reject unauthenticated messages at the mail server, as of July 15.
"These adoption rates suggest that the BOD mandate has been a positive initiative for the U.S. government, as more than half of all executive branch domains are now protected from malicious actors that would seek to abuse trusted government communication," Agari said in its report. It also noted that while 19% of government domains still don't have any DMARC policy in place, the adoption rate is far better than in the commercial sector, where 67% of Fortune 500 companies don't have any DMARC implementation.
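To make the policy levels and the adoption figures above concrete, here is an added example (not code from the article, Agari or DHS) that parses DMARC TXT records as they would be found at `_dmarc.<domain>`, classifies each domain's policy, and tallies "any policy" versus full "p=reject" the way the report counts them. The domain names and records are constructed for the example; the `reject-partial` class for `pct` below 100 is this example's own distinction.

```python
from collections import Counter
# Constructed sample of what a DNS TXT lookup of _dmarc.<domain> might return;
# the domain names and records are invented for this example.
SAMPLE_RECORDS = {
    "agency-a.example.gov": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example.gov",
    "agency-b.example.gov": "v=DMARC1; p=quarantine; rua=mailto:reports@agency-b.example.gov",
    "agency-c.example.gov": "v=DMARC1; p=none; rua=mailto:dmarc@agency-c.example.gov",
    "agency-d.example.gov": None,  # no _dmarc TXT record published at all
    "agency-e.example.gov": "v=spf1 -all",  # a TXT record, but not a DMARC one
    "agency-f.example.gov": "v=DMARC1; p=reject; pct=50",  # reject applied to only half
}

VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record):
    """Return the tag dict of a DMARC record, or None if it is not a valid DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489: the record must carry v=DMARC1 and a p tag with a valid policy.
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    return tags

def classify(record):
    """Map a record to 'missing', 'none', 'quarantine', 'reject-partial' or 'reject'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    policy = tags["p"].lower()
    # pct<100 applies the policy to only a fraction of failing mail, so p=reject with
    # pct=50 is not yet the full enforcement that BOD 18-01 asks for.
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if policy == "reject" and pct < 100:
        return "reject-partial"
    return policy

def adoption_summary(records):
    """Count domains with any valid DMARC policy and with full p=reject, as the report does."""
    counts = Counter(classify(r) for r in records.values())
    total = len(records)
    return {"total": total, "any_policy": total - counts["missing"],
            "full_reject": counts["reject"], "by_class": dict(counts)}

if __name__ == "__main__":
    print(adoption_summary(SAMPLE_RECORDS))
```

Against real domains, the constructed dictionary would be replaced by the TXT answers of a DNS lookup for `_dmarc.<domain>`; the classification logic stays the same.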
The DHS had previously set a deadline of Jan. 15, 2018, for the 1,144 government-owned domains to have at least the baseline DMARC policy -- "none" -- in place, and only 18% met that.
"With less than three months until the final BOD 18-01 deadline, the U.S. Government has made tremendous strides forward in its DMARC adoption and compliance efforts," Agari said. "If the January 2018 deadline proved that deploying a 'p=none' DMARC policy is simple, then the past six months have proven that it is possible to reach the final step of 'p=reject' ahead of the October deadline."