Research released just three days after the federal government said it would compel agencies to adopt Domain-based Message Authentication, Reporting & Conformance (DMARC) shows how critical implementing the standard is: nearly 82 percent of agency domains lack DMARC, while 25 percent of email that purports to be from agencies is fraudulent or at least unauthenticated.
Of the 18 percent of agencies that do have DMARC in play, half are maximizing the benefits of the standard by quarantining or rejecting unauthenticated email to prevent domain name spoofing, results of the Agari U.S. Federal Government DMARC Adoption report revealed. The other half are only using DMARC to monitor unauthenticated missives but are not blocking them.
Under a binding order issued by the Department of Homeland Security (DHS), agencies would have to comply with a DMARC plan within 30 days and HTTPS within 120 days, Jeanette Manfra, DHS assistant secretary for cybersecurity and communications, told members of the press during a meeting in New York District Attorney Cy Vance, Jr.'s office orchestrated by the Global Cyber Alliance (GCA).
“This directive is our way of showing that the federal government is a participant in the Internet, and we take our responsibility seriously,” said Manfra, calling the tenets of the order “discrete steps that have scalable, broad impact.” For those who find cybersecurity overwhelming, DMARC is an easy way to improve it.
Noting that DMARC has been “incredibly effective at combating phishing across billions of emails daily,” Patrick Peterson, founder and executive chairman of Agari, said in a release that the “DHS directive is an important step to protect our government, businesses and citizenry from cybercrime.”
Peterson applauded Agari customers, including the U.S. Senate, Health and Human Services, Customs and Border Protection, U.S. Census Bureau, Veterans Affairs and the U.S. Postal Service, for pioneering DMARC adoption in government. “We hope their leadership and experience serves as a resource for best practices among their government peers who are beginning this journey,” said Peterson.
Federal agencies have increasingly seen their domains become the target of fraudsters. Agari found that of the 400 government domains it monitors, fraudulent or unauthorized emails were aimed at 90 percent of them between April and October of 2017. Just over a quarter, 25.4 percent, of the 336.4 million emails that looked to be sent from those domains were fraudulent or unauthenticated, the company stressed.