The Department of Homeland Security’s (DHS) deadline for agencies to adopt Domain-based Message Authentication, Reporting, and Conformance (DMARC) and have policies set to “enforcement” levels is one week away, and new research from Valimail says only half of agencies have deployed the new standards.
Agencies are required to deploy DMARC, a standard that helps protect against email impersonation and phishing attacks, and to set it to a policy that rejects fake emails by Oct. 16, 2018. In a report released today, Valimail, a FedRAMP-authorized provider of DMARC email authentication, found that 655 of 1,315 Federal .gov domains are in compliance with DHS’ Binding Operational Directive (BOD) 18-01. While agencies still have a ways to go in a week, Valimail did note that the 50 percent figure is a sharp uptick from a year ago, when only 4 percent of agencies had DMARC policies that rejected fake email.
“Most Federal agencies have responded admirably to the DHS directive from one year ago, issued in response to the historic explosion of phishing attacks and email impersonation exploits,” said Alexander García-Tobar, CEO and co-founder of Valimail, in a statement. “At that time, the U.S. government was particularly vulnerable, so BOD 18-01 has had an incredibly positive effect on the safety and security of the U.S. government. But agencies still have work to do in order to achieve full compliance and protection from fake email.”
The report also found that 63 percent of domains that are in compliance with the BOD deadline are not used for email. Among the 42 larger agencies with four or more domains, roughly 54 percent of their domains are in compliance with the BOD.
While Federal agencies still have much to do when it comes to DMARC, the report did note that agencies are “far ahead of the private sector when it comes to email fraud prevention.”