Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

DMARC Not Implemented by Most Federal Agencies: Report

The U.S. Department of Homeland Security (DHS) recently ordered all federal agencies to start using DMARC, but currently only a small percentage have fully implemented the system, according to a report from security firm Agari.

The U.S. Department of Homeland Security (DHS) recently ordered all federal agencies to start using DMARC, but currently only a small percentage have fully implemented the system, according to a report from security firm Agari.

The DHS’s Binding Operational Directive (BOD) 18-01 orders all federal agencies to implement web and email security technologies such as HTTPS, DMARC, SPF/DKIM and STARTTLS in the coming months.

DMARC, which stands for “Domain-based Message Authentication, Reporting and Conformance”, is an authentication, policy, and reporting protocol designed to detect and prevent email spoofing. Organizations using DMARC can specify what happens to unauthenticated messages: they can be monitored but still delivered to the recipient’s inbox (“none” setting), they can be moved to the spam folder (“quarantine” setting), or their delivery can be blocked completely (“reject” setting).DMARC

Federal agencies have been given 90 days to roll out DMARC with at least a “none” setting. Within one year, they will have to fully implement the protocol to ensure that malicious emails are blocked.

Agari has used its DMARC Lookup Tool to check 1,300 domains owned by federal agencies and determined that nearly 82 percent lack DMARC entirely. Roughly nine percent have fully implemented the system (i.e. quarantine or reject), while the other nine percent only monitor emails (i.e. none).

Agari monitors 400 government domains and noticed that nearly 90 percent of them were targeted with fraudulent or unauthorized emails between April and October 2017. Of the more than 336 million emails apparently sent from these domains during that timeframe, more than 85 million, representing roughly a quarter of the total, failed authentication due to being fraudulent or for some other reason.

“DMARC has proven incredibly effective at combating phishing across billions of emails daily,” said Patrick Peterson, founder and executive chairman of Agari. “This DHS directive is an important step to protect our government, businesses and citizenry from cybercrime.

We would like to recognize Agari’s customers that pioneered DMARC in the federal government including the U.S. Senate, Health and Human Services, Customs and Border Protection, U.S. Census Bureau, Veterans Affairs and the U.S. Postal Service. We hope their leadership and experience serves as a resource for best practices among their government peers who are beginning this journey,” Peterson added.

Agari also recently analyzed the use of DMARC in Fortune 500, FTSE 100 and ASX 100 companies and found that many had failed to fully implement the standard.

Advertisement. Scroll to continue reading.

Related: DMARC in Higher Education – A Formidable Defense Against Targeted Scams

Related: Email Attacks Use Fake VAT Returns to Deliver Malware

Related: Top Websites Fail to Prevent Email Spoofing

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.