US Gov't Outpacing Enterprises in Adopting DMARC Email Security Policy

Ahead of the Oct. 16 deadline, 81 percent of U.S. government agencies are now implementing the DMARC email security specifications.

email security

Eighty-one percent of U.S. government agency domains have now enabled the DMARC email security standard, according to a new report released on July 26 by email security firm Agari.

Domain-based Message Authentication, Reporting and Conformance, or DMARC, includes several technical components that are intended to help protect the integrity and authenticity of email. U.S. government agencies were mandated by the Department of Homeland Security (DHS) to implement DMARC as part of the 18-01 binding operational directive that was announced in October 2017.

"The 81 percent result is fantastic and has blown away our expectations," Patrick Peterson, founder and executive chairman of Agari, told eWEEK.

Agari has been tracking the adoption of DMARC by government agencies over the past year. In November 2017, Agari found that DMARC adoption within the U.S. government was at 34 percent of federal agencies. That number grew to 47 percent by December.

DMARC was designed to be deployed in stages, according to Peterson. The first stage, p=none, enables organizations to monitor their email ecosystem, identify authorized third-party senders and tune their DMARC policy before moving to "p=quarantine," which sends messages to the spam folder, and ultimately to "p=reject," which blocks messages completely.

"DMARC p=none is trivial to implement. You could do it in five minutes," Peterson said. "The challenge is to move from 'none' to 'reject' because all unauthenticated email will be rejected by the recipient with a 'reject' policy."

The DHS directive has set Oct. 16 as the deadline for all agencies to not only support DMARC but to enforce a reject policy as well. Agari found that 52 percent of government agencies now support the DMARC reject requirement. Most enterprises have dozens of third-party and cloud services that send email on their behalf, and with DMARC each one of these has to have its email authenticated, Peterson said. He noted that while Agari has helped hundreds of thousands of domains do this successfully, it does require a project and technology change. 

"This is extraordinary adoption when compared to the private sector, where only about one-third of the Fortune 500 have a DMARC policy and only 5 percent have moved to reject," Peterson said. "It's great to see the government leapfrogging industry for a change."

Moving to the reject policy from the none DMARC policy is a key challenge, though Peterson noted that in January only 15 percent of executive branch domains were at reject, so there has been incredible traction in moving from none to reject. 

"The lesson that enterprises should learn is to just deploy DMARC at p=none and to take their time moving to reject," he said.

It's not clear if full DMARC implementation will be achieved by all government agencies by the deadline. However, overall, government efforts have had a concrete impact on email security, Petersen said.

"One hundred percent adoption of DMARC by the deadline seems unlikely, but that does not mean that agencies will not be in compliance since BOD 18-01 provides an alternative path—agencies can provide DHS with a written plan for their DMARC implementation," he said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.