DMARC Email Security Adoption Grows in U.S. Government

Critical protocol for helping to secure the integrity of email is being rolled out by the government. Will wider enterprise adoption follow?

email security

The U.S. government is steadily increasing its adoption of the DMARC email security protocol, according to new research from security firm Agari, published on Jan. 2.

Domain-based Message Authentication, Reporting and Conformance, or DMARC, is a protocol that helps protect the integrity and authenticity of email. DMARC makes use of the Sender Policy Framework (SPF) as well as Domain Keys Identified Email (DKIM) to help verify email authenticity. One of the goals of DMARC is to protect domains to mitigate the risks of attackers using them as a spamming address.

The government’s increased use of DMARC is part of an effort by federal agencies to comply with a Department of Homeland Security (DHS) directive. The DHS issued the 18-01 binding operational directive on Oct. 16, in a bid to enhance email and web security in U.S. federal government agencies. The directive has its first milestone deadline on Jan. 15, which requires all second-level agency domains to have valid SPF/DMARC records.

"When an email is received that doesn't pass an agency’s posted SPF/DKIM rules, DMARC … tells a recipient what the domain owner would like done with the message," the DHS BOD 18-01 states. "Setting a DMARC policy of 'reject' provides the strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery."

In addition, the DHS BOD-1801 states that DMARC reports provide a mechanism for an agency to be made aware of the source of an apparent forgery, information that they wouldn't normally receive otherwise. Agari reported that on Nov. 18, DMARC adoption within the U.S. government was at 34 percent of federal agencies. By Dec. 18, that number had jumped to 47 percent.

"It's very encouraging to see this rapid adoption among so many agencies and departments," Patrick Peterson, founder and executive chairman of Agari, told eWEEK. "Adoption has also been aided by agencies like Health and Human Services, who have been vocal in sharing their success story as a DMARC pioneer."

The increase in DMARC adoption within the federal government is a trend that the Online Trust Alliance (OTA) also noticed in research released on Nov. 9. Jeff Wilbur, director of the Online Trust Alliance, told eWEEK that the OTA reported nearly a doubling of DMARC records between May and the end of October for the top 100 federal government domains.

DMARC Adoption

DMARC can benefit all sectors, not just the government, in improving email security, though the government is currently a leader in terms of deployment. Peterson noted that government adoption of DMARC has now surpassed Fortune 500 adoption.

"Federal adoption of DMARC has reached 47 percent, while Fortune 500 adoption remains at only 33 percent," he said. 

Peterson added that only four Fortune 500 industry sectors have a higher adoption rate than government: business services (60 percent), financial services (57 percent), technology (55 percent) and transportation (53 percent). 

There are multiple challenges for organizations looking to deploy DMARC. To fully implement DMARC, organizations must first do an inventory of their domains and ensure that email authentication (SPF and DKIM) is properly implemented on those domains, according to Wilbur.  

"Fortunately, DMARC itself helps in this process via feedback reporting," he said.

Wilbur explained that organizations can implement a DMARC record with a policy of "none" and request feedback reports showing them what receivers (e.g., mailbox providers) see in terms of email and authentication coming from those domains. He added that there are several companies that can assist in this process by processing the data and providing summary reports and action plans to solidify the email authentication in preparation for moving to a DMARC policy of quarantine (i.e., put in a junk folder) or reject.

"The main challenge is ongoing attention and discipline in managing the domains and their associated email authentication, and it therefore must be made a priority if it is to be successful," Wilbur said. "Based on the DHS directive, the U.S. government appears to be raising the priority level."

In Peterson's view, the biggest challenge when it comes to DMARC adoption is one of leadership.

"IT and security teams are busy; no one is looking for an extra project," he said. "Leaders must first choose to take back their online identity in email from phishers and scammers."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.