A DHS order issued in October compelled agencies to adopt DMARC in an effort to thwart spoofing.
A DHS order issued in October compelled agencies to adopt DMARC in an effort to thwart spoofing.

With less than two weeks left until federal agencies must adopt the Domain-based Message Authentication, Reporting, and Conformance (DMARC) tool per the Binding Operational Directive (BOD) 18-01 issued by the Department of Homeland Security (DHS) in October, 47 percent of agencies have already adopted a DMARC policy and many more are expected to follow.

Research from Agari Analytics shows strong momentum for complying with the directive – adoption increased 38 percent increase between Nov. 18 and Dec. 18.

“DMARC has proven to be an effective solution to secure our federal domains, but more work is needed to protect all federal domains. The time to act is now –deadlines to comply with BOD 18-01 are imminent,” DHS Assistant Secretary for the Office of Cybersecurity and Communications Jeanette Manfra said in a release. “Cybersecurity is a critical component of our homeland security policy, but it is also a shared responsibility. It is crucial for U.S. citizens to trust that an email from a government agency is legitimate.”

In October former DHS Acting Secretary Elaine Duke released the order requiring agencies to comply with DMARC plan within 30 days and https within 120 days. Manfra told members of the press during a meeting in New York District Attorney Cy Vance, Jr.'s office orchestrated by the Global Cyber Alliance (GCA).

“This directive is our way of showing that the federal government is a participant in the Internet, and we take our responsibility seriously,” Manfra told members of the press just days before during a meeting in New York District Attorney Cy Vance, Jr.'s office orchestrated by the Global Cyber Alliance (GCA).

The order sent agencies scrambling to incorporate "discrete steps that have scalable, broad impact" that Manfra had said were not complicated and are easily adoptable.

Agari is encouraged by the numbers thusfar, noting a 24 percent uptick in domains moving to a reject policy, which is the highest level of DMARC enforcement, and 23 agencies achieving 100 percent deployment. But when federal domains that have no policy are combined with those that have a monitor-only policy, 84 percent of domains are unprotected and some agencies are in danger of missing the first deadline, which requires a “p=none” or stronger policy, the company said, unless they step up their game.