DMARC Compliance Lacking in 28 Percent of .Gov Agencies

Despite a looming deadline, over a quarter of federal agencies are still not using basic email security tools.

As phishing ploys continue to take their toll on businesses, federal agencies have yet to fully protect themselves against such attacks with basic defenses like DMARC. With only months to go before the federal Binding Operational Directive (BOD 18-01) deadline of October 2018, which mandates DMARC usage in federal systems, 28 percent of agencies have still not introduced the safeguards.

“[BOD] is an important step set by the Department of Homeland Security to restore trust to internet-delivered data from federal agencies,” wrote Proofpoint researchers in a study of federal agency adoption of DMARC (Domain-based Message Authentication, Reporting and Conformance) released earlier this month.

As part of the Federal Information Security Modernization Act of 2014, the Department of Homeland Security issued over a half dozen binding operational directives designed to boost the federal government’s security. One of those BODs was issued October 2017 and required agencies to implement Sender Policy Framework (SPF) and DMARC email security by October 2018.

DMARC is an email security technology that wards off email spoofing, which is central to most phishing attacks. The premise behind DMARC is that it checks emails against the DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) validation systems. If a message satisfies these checks it is delivered to the recipient; otherwise it is quarantined or blocked.

“A key component of DMARC requires that a message not only needs to pass DKIM or SPF (both are not required), but also: the domains used by DKIM or SPF need to match what appears in the From field displayed to the end user,” a spokesperson from the email security firm Valimail told Threatpost. “This is the key to DMARC as a fraud prevention tool: It actually ensures that what the recipient sees is trustworthy.”

According to a Proofpoint November 2017 study, one out of every eight .Gov emails was fraudulent. “Clearly security measures to stop email fraud are needed and the DHS directive is a step in the right direction,” Proofpoint reported.

“Of the total domains included in the directive, 36 percent have already achieved the 1-year compliance standard of publishing a valid SPF record and a valid DMARC record with a ‘reject’ policy, a further 22 percent have satisfied the January 2018 standard of publishing a DMARC with a ‘monitor’ policy but have more work to do, while 42 percent are not even compliant with the January milestone, due to SPF and/or DMARC gaps,” according to the Proofpoint report.
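The two mechanics described above, DMARC alignment between the authenticated domain and the visible From domain, and the BOD 18-01 milestones of a published DMARC record versus an SPF record plus a `reject` policy, can be made concrete with a small evaluator. The following is an added example written for this article, not code from Proofpoint, Valimail or DHS. The DNS records, domains and authentication results are constructed; the organizational-domain reduction (last two labels) is a simplification that real receivers replace with the Public Suffix List, and the milestone classification is one reading of the quoted report.

```python
"""Toy DMARC evaluator (added example, not from the article's sources).

It parses a DMARC TXT record, decides whether a message's SPF/DKIM results
align with the From domain, and classifies a domain's records against the
BOD 18-01 milestones quoted in the article. All records and results below
are constructed for illustration; no real agency domain is queried."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class DmarcRecord:
    policy: str          # p= tag: none, quarantine or reject
    spf_alignment: str   # aspf= tag: r (relaxed, default) or s (strict)
    dkim_alignment: str  # adkim= tag: r (relaxed, default) or s (strict)


def parse_dmarc(txt: str) -> Optional[DmarcRecord]:
    """Parse a record such as 'v=DMARC1; p=reject; rua=mailto:...'.
    Returns None if it is not a DMARC record or has no valid policy."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return None
    return DmarcRecord(
        policy=policy,
        spf_alignment=tags.get("aspf", "r").lower(),
        dkim_alignment=tags.get("adkim", "r").lower(),
    )


def org_domain(domain: str) -> str:
    """Crude organizational-domain reduction (last two labels).
    Assumption for this example; production code uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts any
    subdomain of the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record: DmarcRecord, from_domain: str,
             spf_pass_domain: Optional[str],
             dkim_pass_domain: Optional[str]) -> str:
    """Disposition a receiver applies: 'pass' if either an aligned SPF pass
    or an aligned DKIM pass exists, otherwise the record's policy. An SPF
    pass for an unrelated domain (the spoofing case) does not help."""
    spf_ok = spf_pass_domain is not None and aligned(
        spf_pass_domain, from_domain, record.spf_alignment)
    dkim_ok = dkim_pass_domain is not None and aligned(
        dkim_pass_domain, from_domain, record.dkim_alignment)
    return "pass" if (spf_ok or dkim_ok) else record.policy


def bod_milestone(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> str:
    """Classify against the milestones quoted from the Proofpoint report:
    'reject'  - valid SPF and a DMARC record with p=reject (one-year standard)
    'monitor' - valid SPF and a DMARC record with a weaker policy (January 2018)
    'non-compliant' - SPF or DMARC gap."""
    record = parse_dmarc(dmarc_txt) if dmarc_txt else None
    has_spf = bool(spf_txt) and spf_txt.lower().startswith("v=spf1")
    if record is None or not has_spf:
        return "non-compliant"
    return "reject" if record.policy == "reject" else "monitor"


if __name__ == "__main__":
    # Constructed records for a fictional agency domain.
    rec = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc-rpt@agency.example")
    # Legitimate mail: SPF passes for a subdomain of the From domain.
    print(evaluate(rec, "agency.example", "mail.agency.example", None))
    # Spoofed mail: SPF passes only for the attacker's own domain.
    print(evaluate(rec, "agency.example", "bulk.spoofer.example", None))
    print(bod_milestone("v=spf1 -all", "v=DMARC1; p=none"))
```

Run it directly to see the two dispositions and the milestone classification; the point the Valimail quote makes is visible in the second call, where a passing SPF check on an unrelated domain still yields the `reject` policy because nothing aligns with the displayed From domain.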

In 2016, Google adopted the DMARC protocol for its web-based email. The move followed similar initiatives from Yahoo and AOL; Yahoo moved its mail services to DMARC in November 2015. Also in 2016, the United Kingdom implemented government-wide use of DMARC.

Fraudulent emails, such as phishing attacks, continue to be a nuisance. Phishing is believed to be behind recent incidents such as last week’s multi-million dollar bank heist and the crippling ransomware attack against COSCO.

“BOD 18-01 is an important step set by the Department of Homeland Security to restore trust to internet-delivered data from federal agencies. But, implementing DMARC is a significant project and can be especially challenging to try to accomplish compliance within aggressive deadlines,” Proofpoint said.
