
Feds lead industry in DMARC adoption


A report finds that the federal government is far and away the leading adopter of tools designed to snuff out email spoofing compared to other sectors and industries.

According to new research conducted by cybersecurity company Valimail, which sells online authentication tools, 80 percent of 1,300-plus U.S. federal domains now publish Domain-based Message Authentication, Reporting and Conformance records, considered a crucial first step in identifying false or impersonated email addresses.

Of the domains that have adopted some form of DMARC protection, 87 percent have been configured to the highest forms of protection -- automatically quarantining or rejecting suspicious emails before they arrive in employees' inboxes.

Those figures represent substantially higher rates of adoption than any other industry or sector, with Fortune 500 and tech companies the only other groups to break 50 percent.

The company credits the lion's share of the federal government's improvement to a Binding Operational Directive from the Department of Homeland Security in 2017 that gave agencies one year to implement a series of email and website cybersecurity tools, requiring 100 percent compliance by the end of October 2018.

"Since the executive branch accounts for the vast majority of the 1,315 federal .gov domains, [the directive] has had a huge impact on DMARC usage in this group," the report states.

Email spoofing simplifies phishing and other email-based attacks or frauds.

DMARC adoption is accelerating. A November 2017 report found that just 34 percent of federal domains had adopted DMARC in some form. DHS officials have said in the past that the directive has substantially improved baseline cybersecurity protections at federal agencies.

The company said it pored through billions of email message authentication requests along with 17 million public DMARC and SPF records to arrive at the report's conclusions. The percentage of domains that have actually implemented enforcement policies -- quarantining and rejecting spoofed emails -- is particularly noteworthy, as the company says that "most companies that attempt DMARC do not complete the journey."

"The enforcement effectiveness rate -- the percentage of companies deploying DMARC that actually get to an enforcement policy -- hovers around 20 percent for almost every category of company we have studied," the report said.

Shortly before the October 2018 deadline, DHS told FCW that its internal numbers showed that 71 of the 99 agencies being tracked had at least 80 percent of their domains sending DMARC reports and 56 percent had achieved 100 percent compliance. DHS did not respond to a request for updated figures.
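
The adoption and enforcement percentages cited in this article both come from classifying each domain's published DMARC record. The sketch below is an added example, not code from the report or from FCW: it parses the TXT record a domain would publish at `_dmarc.<domain>` and computes an adoption rate and an enforcement rate over a set of domains. The domains and records are constructed, and counting only `p=quarantine` or `p=reject` applied to 100 percent of mail as enforcement is an assumption, since the report's methodology is not given here.

```python
import re

# Constructed sample: domain -> TXT record found at _dmarc.<domain> (None = nothing published).
SAMPLE = {
    "agency-a.example": "v=DMARC1; p=reject; rua=mailto:reports@agency-a.example",
    "agency-b.example": "v=DMARC1; p=quarantine; pct=100",
    "agency-c.example": "v=DMARC1; p=none; rua=mailto:reports@agency-c.example",
    "agency-d.example": "v=DMARC1; p=quarantine; pct=25",
    "agency-e.example": None,
    "agency-f.example": "v=spf1 -all",  # an SPF record, not DMARC
}

def parse_tags(txt):
    """Split a 'tag=value; tag=value' record into a dict keyed by lowercased tag name."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt):
    """Return 'missing', 'monitor', 'partial' or 'enforced' for one TXT record."""
    # RFC 7489: a DMARC record must begin with the version tag v=DMARC1.
    if not txt or not re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", txt):
        return "missing"
    tags = parse_tags(txt)
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return "monitor"  # p=none; an absent or invalid p is treated the same (simplification)
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() and int(pct) <= 100 else 100  # invalid pct: use default
    return "enforced" if pct == 100 else "partial"

def summarize(records):
    """Adoption rate over all domains; enforcement rate over domains that publish DMARC."""
    states = {domain: classify(txt) for domain, txt in records.items()}
    published = [s for s in states.values() if s != "missing"]
    enforced = [s for s in published if s == "enforced"]
    return {
        "states": states,
        "adoption_rate": len(published) / len(records),
        "enforcement_rate": len(enforced) / len(published) if published else 0.0,
    }

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(result["states"])
    print(f"adoption {result['adoption_rate']:.0%}, enforcement {result['enforcement_rate']:.0%}")
```

A domain that stays at `p=none`, or applies its policy to only a fraction of mail through `pct`, publishes DMARC without being at full enforcement, which is the gap the enforcement rate measures.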

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.
