Only One-Third of Agencies Are Using Anti-Spoofing Email Tool

Just one-third of federal agencies have adopted a major anti-spoofing tool one month before a Homeland Security Department deadline, according to an industry analysis.

Only about 10 percent of agencies have properly configured that system, known as DMARC, and structured it so malicious emails that spoof the agency’s email addresses will be quarantined or rejected outright by recipients, according to the analysis provided to Nextgov by the security firm ValiMail.

At that rate, it will be another year before all federal domains are compliant with the October Homeland Security directive, far past the Jan. 15 deadline, Dylan Tweney, ValiMail head of communications, said in an email.

DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, essentially pings a sender’s email domain—irs.gov, for example—and asks if the sender—say, alphonse.capone@irs.gov—is legitimate. If the domain says the sender’s illegitimate, DMARC can send the email to the recipient’s spam folder or decline to deliver it entirely.

DMARC must be installed on both email services to work. If it is, the tool will both prevent federal employees from opening phishing emails from spoofed accounts and prevent digital miscreants from spoofing federal domains to trick people into opening malicious emails.

More than 80 percent of commercial email inboxes are protected by DMARC because it’s standard among major providers including Google, Yahoo and Microsoft. Government agencies, however, have lagged on adoption.

About one in eight emails sent from a federal government address is actually fraudulent, according to research from the cybersecurity firm Proofpoint.

ValiMail’s business focuses on helping companies implement DMARC. The study, which is consistent with earlier studies of DMARC adoption, is based on public domain name system records of 1,315 government domains.

Since the Homeland Security directive was first issued, 23 agencies per week have added DMARC records on average and nine per week have reached the most-protected level, ValiMail said.

The October Homeland Security directive also required agencies to implement a separate email protection tool called STARTTLS, which is a form of TLS, or Transport Layer Security, and to secure their websites using the HTTPS web encryption system.