More than one-fourth of agencies have installed DMARC protection ahead of a DHS deadline.
The percentage of federal agencies using an anti-spoofing email security tool has spiked since the Homeland Security Department directed agencies to implement the protection in October, according to an independent analysis.
About 12 percent of federal agencies, ranging from the largest to the ultra-small, were using some level of the tool called DMARC prior to Homeland Security’s Oct. 16 binding operational directive, according to the analysis by the Global Cyber Alliance.
Just about 5 percent of those agencies were using the highest level of protection, which rejects emails from senders that fail a verification test, the alliance said.
As of Nov. 6, 26 percent of those agencies were using some level of DMARC protection and nearly 10 percent were rejecting unverified emails un-delivered.
The survey covered 1,315 agencies meaning it included many very small federal domains.
The Homeland Security directive gave agencies three months to implement DMARC.
DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, essentially pings a sender’s email domain—irs.gov, for example—and asks if the sender is legitimate. If the domain says the sender’s illegitimate, DMARC can send the email to the recipient’s spam folder or decline to deliver it entirely.
DMARC must be installed on both email services to work. If it is, the tool will both prevent federal employees from opening phishing emails from spoofed accounts and prevent digital miscreants from spoofing federal domains to trick people into opening malicious emails.
About one in eight emails sent from a federal government address is actually fraudulent, according to research released Friday by the cybersecurity firm Proofpoint.
About 85 percent of consumer email inboxes use DMARC, including Google’s Gmail, Microsoft’s Outlook and Yahoo Mail.
The Global Cyber Alliance is an internet security membership organization originally launched by the New York District Attorney’s Office, the London police department and the Center for Internet Security.