Agencies Still Lag on Email Security One Month Past Deadline

Federal agencies are still lagging at adopting an anti-spoofing email security tool nearly one month after a deadline to do so, according to data from an email security firm.

Just about 62 percent of federal email domains had installed the tool called DMARC as of last week, compared with about 55 percent when a deadline to adopt the tool passed in January, according to data from the company ValiMail.

Additionally, only 52 percent of agency domains had correctly configured DMARC to reliably protect against spoofing, according to the ValiMail data.

Figures from the Homeland Security Department, which issued the DMARC mandate, put governmentwide adoption at “above two-thirds,” according to a spokesman.

That divergence is likely due to small differences in how many domains were searched. Independent assessments of federal DMARC compliance have typically also varied a few percentage points.

DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, essentially pings a sender’s email domain—irs.gov, for example—and asks if the sender—say, wesley.snipes@irs.gov—is legitimate. If the domain says the sender is illegitimate, DMARC can send the email to the recipient’s spam folder or decline to deliver it entirely.

At the Homeland Security Department itself, just 15 percent of email domains were compliant last week. That’s the same percentage that was compliant after last month’s deadline.

That figure represents the percentage of email domains that are compliant rather than the percentage of email accounts, so in a large, sprawling agency like Homeland Security, that could mean larger and better-resourced agencies and offices are largely compliant, but smaller ones are lagging.

At the Defense Department, for example, only two of 38 email domains were DMARC compliant as of last week, according to ValiMail data.

A Homeland Security spokesman did not directly respond to a question about the lag in the department’s own DMARC adoption, saying only that “DHS relies on the scanning of its National Cybersecurity Assessments and Technical Services team for tracking and verifying progress.”

Governmentwide DMARC adoption has grown significantly from about 12 percent of federal domains when the department first issued the binding operational directive in October, the spokesman noted, and 92 percent of agencies have implementation plans in place.

“DHS continues to work with … agencies to resolve identified challenges impacting the implementation timeliness and [to] address concerns related to vendor constraints, acquisition lifecycles, and potential impacts to mission-critical systems,” the spokesman said.

DMARC must be installed on both email services to work. If it is, the tool will both prevent federal employees from opening phishing emails from spoofed accounts and prevent hackers from spoofing federal domains to trick people into opening malicious emails.

More than 80 percent of commercial email inboxes are protected by DMARC because it’s standard among major providers including Google, Yahoo and Microsoft.

Prior to the DMARC order, about one in eight emails that appeared to be sent from a federal government address was actually fraudulent, according to research from the cybersecurity firm Proofpoint.

ValiMail’s business focuses on helping companies implement DMARC. The ValiMail study is based on public domain name system records of government domains.

The October Homeland Security directive also required agencies to implement a separate email protection tool called STARTTLS, which is a form of TLS, or Transport Layer Security, and to secure their websites using the HTTPS web encryption system.

The HTTPS deadline is coming up this week.