Email hygiene mandate takes hold at agencies

E-mail circling the globe 

Nearly half of federal website domains have policies in place to deal with spoofed emails after an October 2017 Department of Homeland Security directive mandated the use new email and web security standards.

According to a December 2017 report by cybersecurity company Agari, approximately 47 percent of the 1,106 federal domains have adopted policies for Domain-based Message authentication, Reporting and Conformance (DMARC), which allows for improved detection and management of spoofed emails. That figure is up from 34 percent in November 2017.

DMARC is designed to alert email senders of attempts to spoof or impersonate a web domain and to block spoofed emails from recipients before they are delivered. The protocol works in conjunction with a digital watermark supplied by the official domain owner.

"While still low, the set of government domains now has a significantly better adoption level than the commercial sector, where two-thirds (67 percent) of the domains have not published any DMARC policy," wrote the report's authors.

Agari provides DMARC-related services to the private and public sector, including many federal agencies.

Last year, DHS issued binding operational directive 18-01, instituting a series of deadlines for federal agencies to implement new email and website security standards. By Jan. 15, 90 days after the order was issued, agencies are expected to have configured all second-level domains with DMARC records and set those policies to "monitor," meaning they will take no action on suspicious emails that do not have a valid Sender Policy Framework or DomainKeys Identified Mail signal.

That means that a large majority of domains (84 percent by Agari's count) are still technically vulnerable to being spoofed, as the directive doesn't require agencies to start automatically rejecting these emails until October 2018. However, the company has characterized the DHS timelines as "aggressive" and noted that DMARC protection is designed to be deployed in phases.

The advanced stages of DMARC installation can be challenging, noted John Wilson, field chief technology officer for Agari in a blog published in November 2017. "Agencies often roll this out in phases to avoid negatively affecting email deliverability."

The report noted that 23 agencies have achieved 100 percent DMARC adoption, including the Departments of Veterans Affairs, Health and Human Services and Education.

While speaking to the National Institute of Standards and Technology's Information Security and Privacy Advisory Board on Oct. 27, Michael Duffy, branch chief for DHS' cybersecurity and communications office, laid out some of the department's reasoning behind issuing BOD 18-01.

"What we did with 18-01 was say there is a baseline of security across the federal dot-gov [domain] that really needs to be elevated, [particularly] email authentication," he said.

Duffy said the department was not only worried about the ramifications of bad cyber hygiene from federal users but also maintaining the trust of American citizens "who are also interacting with our systems day to day."

"We want them to be confident in the information and that the information is being protected accurately," he said.

The directive also requires agencies to configure all internet-facing mail servers to use more secure connections using STARTTLS by Jan. 15, ensure all federal websites use secure HTTPS connections and disable older, less secure connections by Feb. 13.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.