Federal DMARC compliance spikes up

Royalty-free stock illustration ID: 110138069 by 3dreams 

More than six out of 10 federal domains are fully compliant with website and email security requirements laid out in a Department of Homeland Security directive released last year, while about three out of four are at least publishing reports that can provide more insight into spoofing attacks.

The numbers were released by cybersecurity firm Proofpoint the day before an Oct. 16, 2018, deadline for all federal agencies to implement the highest levels of domain-based message authentication, reporting and conformance (DMARC)  protections. They represent a marked improvement in federal cybersecurity even as the numbers show that agencies will come in well below total compliance. A January analysis by Proofpoint found that just 15 percent of federal domains were fully compliant.

"This is a significant achievement as many agencies did not have this initiative in their plans [or] budgets when the mandate was announced and DMARC implementation can be complex," Robert Holmes, vice president of email security at Proofpoint wrote in an Oct. 16 blog post.

According to Proofpoint's research, 62 percent of the 1,311 federal domains can now identify, quarantine and reject unauthorized government emails, while another 10.9 percent can identify suspicious emails but haven't set a policy to automatically reject them. About 26 percent of agency domains have not yet published DMARC records.

DMARC is one of several components of a binding operational directive issued by DHS in October 2017 that was designed to bolster baseline cybersecurity standards around federal websites and email. The tool is designed to authenticate legitimate federal communications and crack down on the use of fake or impersonated emails that look they're coming from official government accounts, something that Proofpoint claims happened in one out of every eight emails sent from .gov domains last year.

While the directive mandates full compliance from agencies by Oct. 16, DHS officials have said in the past that they lack any real means to punish those who miss the deadline and that a softer approach that shines a light on the problem has achieved substantial cybersecurity improvements across the federal government.

Some members of Congress like Sen. Ron Wyden (D-Ore.) have pushed DHS to go beyond the requirements listed in the directive and put in place plans to analyze and use the DMARC reports sent by agencies to gain additional insights into spoofing attacks.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.


  • Workforce
    White House rainbow light shutterstock ID : 1130423963 By zhephotography

    White House rolls out DEIA strategy

    On Tuesday, the Biden administration issued agencies a roadmap to guide their efforts to develop strategic plans for diversity, equity, inclusion and accessibility (DEIA), as required under a as required under a June executive order.

  • Defense
    software (whiteMocca/

    Why DOD is so bad at buying software

    The Defense Department wants to acquire emerging technology faster and more efficiently. But will its latest attempts to streamline its processes be enough?

Stay Connected