Half of Government Domains Set to Make Email Security Deadline


It’s been one year since DHS mandated agencies adopt the anti-spoofing email security tool.

Roughly half of all government email domains are on track to meet an Oct. 16 deadline to protect against phishing and impersonation scams, according to data from the email security firm ValiMail.

That’s up from just 4 percent of domains that had implemented the tool, known as DMARC, when the Homeland Security Department first ordered agencies to do so in October 2017.

Another 25 percent of email federal domains have set up DMARC but haven’t set it to the highest protection level, according to the ValiMail report.  

DMARC stands for Domain-based Message Authentication, Reporting and Conformance, an email protocol that verifies a sender’s email domain. If the domain says the sender is illegitimate, DMARC can send the email to the recipient’s spam folder or decline to deliver it entirely.

DMARC must be installed on both email services to work. If it is, the tool will both prevent federal employees from opening phishing emails from spoofed accounts and prevent digital miscreants from spoofing federal domains to trick people into opening malicious emails.

More than 80 percent of commercial email inboxes are protected by DMARC because it’s standard among major providers including Google, Yahoo and Microsoft.

DMARC can also protect domains that are not used for email, preventing fraudsters from creating dummy email addresses using those domains. According to the ValiMail data, 63 percent of the federal domains that are now protected by DMARC are not used for email.

The company also found that more than 90 percent of military domains had no DMARC record at all. About half of those domains are included in the governmentwide figure.

The Defense Department isn’t bound by the Homeland Security Department’s DMARC directive but was ordered to install the tool wherever applicable by the most recent National Defense Authorization Act, an annual defense policy bill, passed in August.

Chief Information Officer Dana Deasy told Sen. Ron Wyden. D-Ore., in a July letter that he hoped to have DMARC up and running by the end of this year.

ValiMail’s business focuses on helping companies implement DMARC. The ValiMail study is based on public domain name system records of government domains.