Just 5 Percent of Federal Contractors Are Fully Protecting Against Email Spoofing

Government contractors still lag far behind on implementing an email security tool that’s now mandatory for government agencies, according to industry data released Thursday.

Among the top 98 government contractors by dollar value, only 45 have properly installed the tool known as DMARC and only five have set it up to quarantine or reject spoofed or phishing emails that might contain malware, according to an analysis by the company ValiMail.

That means 93 of those companies are more vulnerable to phishing and spoofed emails, which might endanger those contractors’ federal clients—even if those agencies have installed DMARC themselves.

An earlier study by the Global Cyber Alliance in April found that 49 out of 50 top government contractors weren’t fully protected by DMARC. The Global Cyber Alliance study looked at 2016 contractor data rather than 2017 data and used a slightly different methodology.

DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, pings a sender’s email domain—irs.gov, for example—and asks if the sender—say, Nicolas.Cage@irs.gov—is legitimate. If the domain says the sender is illegitimate, DMARC can send the email to the recipient’s spam folder or decline to deliver it entirely.

DMARC must be installed on both the sending and receiving email services to work. So, if a government agency has properly implemented DMARC but a contractor hasn’t, that agency will still be vulnerable to malware-laden spoofed emails that appear to be from the contractor but are actually from someone else.

The five major contractors that had set up DMARC to quarantine or reject emails from phony domains were: UnitedHealth Group, Pfizer, FedEx, Merck and Engility.

The list of contractors that had not installed DMARC, had not installed it properly or had not set it up to actually reject or quarantine emails included heavy hitters such as Verizon, Boeing, Raytheon and Lockheed Martin.

The Homeland Security Department ordered federal agencies to install DMARC across all their domains beginning in October. About 70 percent of agencies have property installed DMARC now, but only 35 percent are quarantining or rejecting phony emails, ValiMail said in the same report.

That number reflects the percentage of government email domains with DMARC protections, not the number of government employees. It’s likely the domains slowest to adopt DMARC are at small offices with fewer employees.  

More than 80 percent of commercial email inboxes are protected by DMARC because it’s standard among major providers including Google, Yahoo and Microsoft.