DMARC Compliance Lacking in 28 Percent of .Gov Agencies

As phishing ploys continue to take their toll on businesses, federal agencies have yet to fully protect themselves against such attacks with basic defenses like DMARC. With only months to go before the federal Binding Operational Directive (BOD 18-01) deadline of October 2018, which mandates DMARC usage in federal systems, 28 percent of agencies have still not introduced the safeguards.

“[BOD] is an important step set by the Department of Homeland Security to restore trust to internet-delivered data from federal agencies,” wrote Proofpoint researchers in a study of federal agency adoption of DMARC (Domain-based Message Authentication, Reporting and Conformance) released earlier this month.

DMARC is an email security technology that wards off email spoofing, which is central to most phishing attacks. The premise behind DMARC is that it checks emails against both the Domain Keys Identified Mail and Sender Policy Framework validation systems. If a message satisfies these checks it is sent through to the recipient, otherwise it’s quarantined or blocked.

According to a Proofpoint November 2017 study, one out of every eight .Gov emails was fraudulent. “Clearly security measures to stop email fraud are needed and the DHS directive is a step in the right direction,” Proofpoint reported.

“Of the total domains included in the directive, 36 percent have already achieved the 1-year compliance standard of publishing a valid SPF record and a valid DMARC record with a ‘reject’ policy, a further 22 percent have satisfied the January 2018 standard of publishing a DMARC with a ‘monitor’ policy but have more work to do, while 42 percent are not even compliant with the January milestone, due to SPF and/or DMARC gaps,” according to the Proofpoint report.

In 2016, Google adopted the DMARC protocol for its web-based email. The move followed similar initiatives from Yahoo and AOL; Yahoo moved its mail services to DMARC in November 2015. Also in 2016, the United Kingdom implemented government-wide use of DMARC.

“BOD 18-01 is an important step set by the Department of Homeland Security to restore trust to internet-delivered data from federal agencies. But, implementing DMARC is a significant project and can be especially challenging to try to accomplish compliance within aggressive deadlines,” Proofpoint said.