45 Percent of Federal Email Domains Miss Security Deadline

Just under half of federal email domains missed a Homeland Security Department deadline this weekend to install a new anti-spoofing email security tool, according to a tally maintained by an email security firm.

Among the laggards are 85 percent of Homeland Security’s own email domains, according to ValiMail data provided to Nextgov.  

As of the Monday deadline, just under 55 percent of federal email domains had installed the tool called DMARC, according to ValiMail figures. The tool makes it much tougher for hackers to target federal employees using phony email addresses or to use phony government emails to target U.S. citizens.

A separate tally maintained by the email security firm Agari found 63 percent of domains are now DMARC compliant.

Both figures represent a substantial jump from October, when Homeland Security first mandated that agencies adopt DMARC and gave them three months to do so. At that point, only 18 percent of agencies were DMARC compliant, according to ValiMail.

DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, essentially pings a sender’s email domain—irs.gov, for example—and asks if the sender—say, martha.stewart@irs.gov—is legitimate. If the domain says the sender is illegitimate, DMARC can send the email to the recipient’s spam folder or decline to deliver it entirely.

As of Friday, a much smaller number of domains, about 11 percent, had configured DMARC to the highest level of security, which requires that phony emails are quarantined or rejected, ValiMail found.

A majority of federal agencies included in the ValiMail report had installed DMARC on either all or none of their domains. Of those 159 agencies, 52 had DMARC on 100 percent of their domains while 72 had it on no domains.

Among 741 domains controlled by the 24 most significant agencies, 418 domains, or 56 percent, were DMARC compliant, according to ValiMail figures.

Only five of those 24 major agencies reached 100 percent DMARC compliance across all email domains: The Veterans Affairs Department, NASA, the National Science Foundation, the Nuclear Regulatory Commission and the Social Security Administration.

Those agencies, though large, manage a comparatively small number of email domains.

Many large agencies, such as the Homeland Security and Commerce departments, include dozens of smaller agencies and offices each with their own email domains, making it much more difficult to achieve 100 percent compliance.

Only five of 33 Homeland Security domains that ValiMail scanned were DMARC compliant. That equates to just 15 percent. At the Defense Department, only two out of 38 domains, or 5 percent, were compliant.

At the Health and Human Services Department, by contrast, 97 percent of 117 domains were compliant. The Treasury Department was 88 percent compliant and the Justice Department was 61 percent compliant, according to ValiMail data.

DMARC must be installed on both email services to work. If it is, the tool will both prevent federal employees from opening phishing emails from spoofed accounts and prevent digital miscreants from spoofing federal domains to trick people into opening malicious emails.

More than 80 percent of commercial email inboxes are protected by DMARC because it’s standard among major providers including Google, Yahoo and Microsoft.

About one in eight emails that appear to be sent from a federal government address is actually fraudulent, according to research from the cybersecurity firm Proofpoint.

ValiMail’s business focuses on helping companies implement DMARC. The ValiMail study is based on public domain name system records of government domains.

The October Homeland Security directive also required agencies to implement a separate email protection tool called STARTTLS, which is a form of TLS, or Transport Layer Security, and to secure their websites using the HTTPS web encryption system.