Government Leads Industry in Anti-Spoofing Email Protection, Report Finds

The federal government is leading major industries in setting up anti-spoofing email security features, according to an industry report released Wednesday.

More than 70 percent of federal government email domains are protected by the tool known as Domain-based Message Authentication, Reporting and Conformance, or DMARC, according to the report from the company ValiMail.

That’s compared with just about 40 percent of the highest value U.S. tech companies, highest value U.S. banks and companies in the Fortune 500, according to the report.

The federal agency adoption rate has surged from under 20 percent in October, when the Homeland Security Department first ordered agencies to adopt DMARC.

The government rate of misconfigured or incompletely configured DMARC protections is also far lower, at about 40 percent, than the average for most industry sectors, which is about 80 percent.

Contractors are far less likely than federal agencies to have DMARC properly installed, which could leave agencies vulnerable, according to studies by Valimail and the Global Cyber Alliance have found.

DMARC works by pinging a sender’s email domain—irs.gov, for example—and asks if the sender is legitimate. If the domain says the sender is illegitimate, DMARC can send the email to the recipient’s spam folder or decline to deliver it entirely.

DMARC must be installed on both the sending and receiving email services to work. So, if a government agency has properly implemented DMARC but a contractor or other industry partner hasn’t, that agency will still be vulnerable to malware-laden spoofed emails that appear to be from the company but are actually from someone else.

More than 80 percent of commercial email inboxes are protected by DMARC because it’s standard among major providers including Google, Yahoo and Microsoft.