Feds lead industry in DMARC adoption

A report finds that the federal government is far and away the leading adopter of tools designed to snuff out email spoofing compared to other sectors and industries.

According to new research conducted by cybersecurity company VailMail, which sells online authentication tools, 80 percent of 1,300-plus U.S. federal domains now publish Domain-based Message Authentication, Reporting and Conformance records, considered a crucial first step in identifying false or impersonated email addresses.

Of the domains that have adopted some form of DMARC protection, 87 percent have been configured to the highest forms of protection -- automatically quarantining or rejecting suspicious emails before they arrive in employees' inbox.

Those figures represent substantially higher rates of adoption than any other industry or sector, with Fortune 500 and tech companies the only other groups to break 50 percent.

The company credits the lion's share of the federal government's improvement to a Binding Operation Directive from the Department of Homeland Security in 2017 that gave agencies one year to implement a series of email and website cybersecurity tools, requiring 100 percent compliance by the end of October 2018.

"Since the executive branch accounts for the vast majority of the 1,315 federal .gov domains, [the directive] has had a huge impact on DMARC usage in this group," the report states.

Email spoofing simplifies phishing and other e-mail based attacks or frauds.

DMARC adoption is accelerating. A November 2017 report found that just 34 percent of federal domains had adopted DMARC in some form. DHS officials have said in the past that directive has substantially improved baseline cybersecurity protections at federal agencies.

The company said it pored through billions of email message authentication requests along with 17 million public DMARC and SPF records to arrive at the report's conclusions. The percentage of domains that have actually implemented enforcement policies -- quarantining and rejecting spoofed emails -- is particularly noteworthy, as the company says that "most companies that attempt DMARC do not complete the journey."

"The enforcement effectiveness rate -- the percentage of companies deploying DMARC that actually get to an enforcement policy -- hovers around 20 percent for almost every category of company we have studied," the report said.

Shortly before the October 2018 deadline, DHS told FCW that its internal numbers showed that 71 of the 99 agencies being tracked had at least 80 percent of their domains sending DMARC reports and 56 percent had achieved 100 percent compliance. DHS did not respond to a request for updated figures.