Valimail, the world’s only FedRAMP-authorized provider of DMARC email authentication, released findings today showing that 50 percent of federal government domains will meet the October 16 deadline to comply with a Department of Homeland Security directive requiring protection against impersonation emails.
The Valimail report, “How Federal Agencies are Meeting the Email Authentication Challenge,” found that 655 of 1,315 federal .gov domains, or 50 percent, are in compliance with Binding Operational Directive (BOD) 18-01. This directive requires executive branch agencies to deploy the Domain-based Message Authentication, Reporting and Conformance (DMARC) authentication standard and set it to a policy that rejects fake emails by Oct. 16, 2018. It represents a significant increase from a year ago, when just 4 percent of agencies had DMARC policies that rejected fake email.
The report indicates that almost all agencies have taken the email security directive seriously, with 75 percent (981 total) of all federal government domains deploying a DMARC record — up from 18.5 percent a year ago. But many still need to achieve full compliance with BOD 18-01 by configuring their DMARC record to enforcement status. And 25 percent of federal agency domains have not yet adopted DMARC in any form.
Email authentication standards critical to protect against phishing and fraud
By deploying email authentication through DMARC and other standards and by configuring DMARC to a policy of enforcement — which directs receiving mail servers to reject or quarantine unauthorized messages — organizations can substantially improve their cybersecurity defense posture, protect themselves against phishing, and shut down email-based impersonation and fraud.
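As an added example (not from the Valimail report or the DHS directive), the check below parses a domain's DMARC TXT record and sorts it into the categories the text uses: no record, a record without enforcement, or enforcement via quarantine or reject. The sample records and placeholder domains are constructed; treating `pct` below 100 as not fully at enforcement is this example's conservative assumption, since BOD 18-01 asks for a reject policy.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT record into a lowercase tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_status(txt):
    """Classify one domain's DMARC record (None means no record is published)."""
    if not txt:
        return "no-dmarc"
    tags = parse_dmarc(txt)
    # Receivers ignore a record that is not a DMARC1 record or has no policy tag.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitoring"  # record deployed, but nothing is rejected or quarantined
    try:
        pct = int(tags.get("pct", "100"))  # default is 100 percent of messages
    except ValueError:
        return "invalid"
    if pct < 100:
        return "partial-" + policy  # only a sample of failing mail gets the policy
    return policy


def bod_18_01_compliant(txt):
    """Compliant here means a full p=reject policy (example's assumption on pct)."""
    return dmarc_status(txt) == "reject"


def summarize(domain_records):
    """Count domains per status, like the report's 'deployed' vs 'enforcement' figures."""
    counts = {"no-dmarc": 0, "invalid": 0, "monitoring": 0,
              "partial": 0, "quarantine": 0, "reject": 0}
    for txt in domain_records.values():
        status = dmarc_status(txt)
        counts["partial" if status.startswith("partial-") else status] += 1
    return counts


# Constructed sample records for placeholder domains, not real agency data.
SAMPLE = {
    "agency-a.example.gov": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example.gov",
    "agency-b.example.gov": "v=DMARC1; p=none; rua=mailto:dmarc@agency-b.example.gov",
    "agency-c.example.gov": "v=DMARC1; p=quarantine; pct=25",
    "agency-d.example.gov": None,
}
```

Running `summarize(SAMPLE)` on the constructed set reports one domain at reject, one monitoring only, one at a partial quarantine policy and one without any record.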
“Most federal agencies have responded admirably to the DHS directive from one year ago, issued in response to the historic explosion of phishing attacks and email impersonation exploits. At that time, the U.S. government was particularly vulnerable, so BOD 18-01 has had an incredibly positive effect on the safety and security of the U.S. government,” said Alexander García-Tobar, CEO and co-founder of Valimail. “But agencies still have work to do in order to achieve full compliance and protection from fake email.”
Other key findings in the report show that:
- 63 percent of the domains that are now in compliance with this month’s BOD 18-01 deadline are not used for email.
- 92 percent of military domains still lack DMARC records of any kind, and none are protected by DMARC at enforcement. However, military domains (which include defense.gov) are not covered by the DHS directive, which exempts national security systems, the intelligence community, and the Department of Defense.
- The 42 agencies with four or more domains have, on average, 54 percent of their domains in compliance with BOD 18-01.
Federal agencies are far ahead of the private sector when it comes to email fraud prevention. Earlier this year, Valimail revealed that 93 percent of Fortune 500 companies are unable to prevent “spoofing” of their own email domains and remain susceptible to impersonation attacks.
The earlier Valimail Q2 2018 Email Fraud Landscape report, issued in August 2018, showed that fake email is a serious problem, with an estimated 6.4 billion fake emails sent every day. Fake email is the direct result of the lack of a built-in authentication mechanism in basic email systems, enabling malicious hackers to easily spoof email domains. The DMARC standard was developed to extend the functionality and effectiveness of two earlier standards — SPF and DKIM — to thwart hackers and make email safe.