A new report from Agari suggests the decision made by the Department of Homeland Security (DHS) to make DMARC adoption by federal agencies mandatory is having a positive impact. However, the deadline for compliance is fast approaching and the majority of federal agencies have still not implemented DMARC.
Prior to the DHS directive (BOD 18-01), relatively few government agencies were using DMARC to secure their domains. The DHS directive was issued on October 16, 2017, yet one month later, only 34% of federal agencies had adopted DMARC. By December 18, there had been a 38% increase in DMARC adoption by federal agencies, bringing the total to 47% of government agencies. That corresponds to an additional 151 domains protected in those 30 days.
The DHS directive requires all federal agencies to adopt DMARC by January 15, 2018. 53% of agencies have yet to implement the email authentication standard, so there is still a considerable way to go before all government domains are secured. With just a few days left, there is likely to be a mad scramble to apply DMARC before the deadline.
DMARC is a proven email security standard that not only protects domains from spoofing by cybercriminals, it also protects all consumers. DMARC helps to reduce the volume of phishing emails sent spoofing government domains. Since trust in those domains is high, consumers are more likely to respond to official-looking messages that appear to have been sent by government agencies.
DMARC does not necessarily block phishing emails, but it does allow CIOs to discover when their domains are being abused. The DHS directive only requires government agencies to apply DMARC at the p=none level, which means reports on the use of government domains will be generated and received by CIOs. This provides insight into the level of phishing and domain spoofing so that action can be taken, but with a p=none policy, email recipients will still receive the spoofed messages.
According to Agari, “Almost 53% of federal agencies’ domains currently do not have a DMARC policy. For those that do, the majority still maintain a monitor-only ‘p=none’ policy that doesn’t protect their constituents. These agencies and their email recipients remain vulnerable to domain spoofing and phishing attacks.”
What is needed is a greater level of protection – setting the strongest DMARC policy of p=reject. This will stop spoofed messages that fail authentication from being delivered. Agari, whose technology is based on DMARC, is currently used to secure more than 400 government domains. Billions of emails are sent from those domains, and 96% of them were protected by the strongest policy well ahead of the deadline.
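The policy levels the article contrasts (no record, p=none, p=quarantine, p=reject), as an added example that is not code from Agari or DHS: a small parser for DMARC TXT records, a tally of domains by policy level like the one in the report, and the disposition a receiver applies to a spoofed message under each level. The domain names and records are constructed samples.

```python
"""Parse DMARC TXT records, tally domains by policy level as the Agari report
does, and show what a receiver does with a spoofed message under each level.
Added illustration; the sample records below are constructed, not real ones."""

# Constructed sample records for four domains (not real agency records).
SAMPLE_RECORDS = {
    "nopolicy.example.gov": "",  # no DMARC record published at all
    "monitor.example.gov": "v=DMARC1; p=none; rua=mailto:dmarc@example.gov",
    "quarantine.example.gov": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.gov",
    "reject.example.gov": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.gov",
}
LEVELS = ("none", "quarantine", "reject")

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs.
    Returns {} when the record is not usable: the first tag must be v=DMARC1
    and a valid p= tag must be present, otherwise receivers ignore it
    (simplification: RFC 7489 lets a rua-only record fall back to p=none)."""
    tags = {}
    for part in record.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"].upper() != "DMARC1":
        return {}
    if tags.get("p", "").lower() not in LEVELS:
        return {}
    return tags

def policy_level(record: str) -> str:
    """'no_policy' when there is no valid record, else the p= value."""
    tags = parse_dmarc(record)
    return tags["p"].lower() if tags else "no_policy"

def tally(records: dict) -> dict:
    """Count domains per level, the breakdown the report gives for agencies."""
    counts = {"no_policy": 0, "none": 0, "quarantine": 0, "reject": 0}
    for rec in records.values():
        counts[policy_level(rec)] += 1
    return counts

def disposition(record: str, aligned_pass: bool) -> str:
    """What an enforcing receiver does with one message under this record.
    aligned_pass: SPF or DKIM passed with identifier alignment. A message
    spoofing the domain from an unrelated server fails alignment."""
    level = policy_level(record)
    if aligned_pass or level in ("no_policy", "none"):
        return "deliver"  # p=none only generates reports; the mail still lands
    return level          # 'quarantine' (spam folder) or 'reject' (bounced)
```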
“The increase in adoption is a smashing early success. We hope that all agencies will follow Agari’s federal agency clients, including the U.S. Senate, Health and Human Services, Customs and Border Protection, U.S. Census Bureau, Veterans Affairs and the U.S. Postal Service, to comply with the directive and help eliminate phishing and spam related to domain spoofing and ensure a trusted digital channel for US citizens,” said Patrick Peterson, Founder and Executive Chairman, Agari.