Report Finds Feds Tower Over Other Sectors In At Least One Cybersecurity Metric

The federal government—so often derided for being behind the technical curve—is magnitudes ahead of every other sector in at least one domain: email authentication and security.

Some 75 percent of the 5 billion email inboxes globally check Domain-based Message Authentication Reporting and Conformance, or DMARC, records to ensure that incoming emails are from a valid domain and not being spoofed by a potential bad actor. Among government agencies, 80 percent are using tools to publish DMARC records, putting government double-digits ahead of every area of the private sector, according to a report released Friday from email authentication vendor Valimail.

The government’s implementation rate is even more impressive when directly compared to other sectors, only two of which topped 50 percent: Fortune 500 companies and U.S. tech companies worth more than $1 billion.

Valimail researchers pointed to a 2017 binding operational directive issued by the Homeland Security Department as the main reason for such a high adoption rate.

“The U.S. federal government occupies a substantial leadership position in the effective use of email authentication—and has remained there over the past several quarters,” researchers wrote in their report. “Since the executive branch accounts for the vast majority of the 1,315 federal .gov domains, that directive known as BOD 18-01, has had a huge impact on DMARC usage in this group.”

As of the October 2018 compliance deadline, 67 percent of federal agencies had deployed DMARC tools, up from just 8 percent a year prior. The trend aligns with Homeland Security’s goal of getting “very close to 100 percent” adoption, Tom McDermott, deputy assistant secretary for cyber policy, said in October.

The report also notes the government leads in another major category: effectiveness of the DMARC policy. Valimail researcher notes that having a policy in place means little if the record isn’t configured correctly.

“To date, most companies that attempt DMARC do not complete the journey,” Valimail researchers wrote. “The enforcement effectiveness rate—the percentage of companies deploying DMARC that actually get to an enforcement policy—hovers around 20 percent for almost every category of company we have studied.”

Perhaps ironically, the government’s bureaucratic nature makes it an outlier on this metric, as well. Due to the high rate of agencies checking the box to comply with the Homeland Security directive, the public sector maintains an 87 percent effective rate, topping the list.

The next sector, large U.S. tech companies, is 50 points behind, at 37 percent.

Editor's Note: This story has been updated to clarify a data point concerning worldwide use of DMARC tools.