U.S. Gov Agencies Fail to Fully Embrace DMARC Email Security Policy

Today’s the last day for a third of US government’s executive branch departments to comply to a directive that seeks the adoption and improvement of email validation policies that would lower the risk of spam and impersonation.

Last year, the US Department of Homeland Security (DHS) gave federal, executive branch, departments and agencies until October 16 to adopt the Domain-based Message Authentication, Reporting and Conformance (DMARC) system with the strictest setting, to combat phishing and spam emails.

Domain administrators can use DMARC to protect users at the receiving end of a forged email by enabling policies that throw it into the Junk folder (’p=quarantine’), or reject it completely (’p=reject’). Enabling ‘p=none’ policy allows the spoofed email through, but alerts the admin of the impersonated domain.

DMARC adoption was fast, but not complete

Email security company Agari tracked the progress of DMARC adoption and its latest report shows that DMARC is present for 85% of the domains targeted by the DHS, but only 74% of them have the ‘p=reject’ policy.

Agari says that this is “the fastest and most complete adoption of the DMARC standard for any industry in history,” leaving behind the private sector.

While this change is uplifting, 278 domains still do not comply to DHS’ directive to enable the ‘reject’ policy in DMARC. Among them are domains of the Department of Defense.

internetnewsblog has checked the domains for the Air Force, the Army, Defense Logistics Agency, the Marines, the National Security Agency and the Navy almost none of them have adopted DMARC.

The AirForce domain complies only partially because the DMARC policy is set to ‘p=none,’ which means that impersonated messages are not filtered in any way at the destination. The same issue is reported for the DoD domain.

According to the Agari report, the DoD has a total of 32 out of 35 domains without a DMARC record.

The DHS itself still has three domains with no policy configured. Last month internetnewsblog reported that the main DHS domain was also partially compliant to its own binding directive, but the issue has been fixed in the meantime.

Not the same goes for the White House, where the record continues to appear improperly configured.

As a side note, the domain for the Central Intelligence Agency (CIA), which is an independent agency, has 9 out of ten domains without a DMARC record.

The DHS requirement is compulsory and federal agencies are required to comply with its directives.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Most Popular

To Top