On October 16, 2017, the U.S. Department of Homeland Security issued Binding Operational Directive (BOD) 18-01 that mandates the implementation of specific security standards to strengthen email and website security among government agencies.
As part of this DHS mandate, all federal agencies that operate .gov email domains must implement a DMARC “monitor” policy within 90 days and must progress to an enforcement policy of “reject” within 1 year.
Jeanette Manfra, DHS Assistant Secretary of Cybersecurity and Communications, asks federal agencies to adopt DMARC in order to protect citizens and maintain their trust.
“It’s really up to agencies and the federal government to say, ‘I care that you are going to trust emails from the federal government…’”
Email – despite its importance, ubiquity, and staying power – has never been secure. Prior attempts at security have failed to solve email’s fundamental flaw: Anyone can send email using someone else’s identity. This flaw has put the power of the world’s most admired brands and federal agencies in criminal hands. Through email, criminals can use almost any brand to send spam, phishing emails and malware installers, inflicting direct losses on customers and eroding the brand equity companies have spent years building.
Approximately 70% (by volume) of all private sector email is protected by DMARC. Unfortunately, the US government has been slow to adopt this crucial email security standard. As of November 2017, only 32% of federal agency domains had published a DMARC policy to comply with the DHS mandate. This leaves government agencies and their constituents vulnerable. Agari’s data shows that 25% of all emails sent from government domains are unauthenticated and potentially malicious.
Despite these sobering statistics, there have been early adopters within the government sector who are paving the way and setting an example for those who follow. Early government agency adopters of DMARC include:
WHAT IS DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an open email standard published in 2012 by the industry consortium DMARC.org to protect the email channel. DMARC builds on the previously established SPF and DKIM authentication standards and is the only way for email senders to tell email receivers which messages using their domain are genuinely theirs.
DMARC enables agencies that send email using .gov domains to:
DMARC is designed to be deployed in stages. Companies generally start in “monitor” mode using what’s known as a “p=none” policy. This provides feedback about servers using the domain name in the “From:” header of the email messages they send. The domain owner then uses this information to make adjustments to their SPF and DKIM configurations until all of their legitimate mail sources are properly authenticated.
At this point, the policy can be tightened to “quarantine,” which sends unauthenticated messages to the recipient’s spam folder. The final configuration is “reject,” where unauthenticated messages are blocked outright.
Most organizations have been using email since the 90s, and must undo two decades of bad practice. This means a successful DMARC implementation can be a challenging proposition.
Most agencies working to comply with the DHS mandate don’t realize how complex their email ecosystem is until they begin receiving aggregate data from DMARC reporting. Standard reporting comes in the form of individual XML files that specify domain names, source IP addresses, message counts and authentication results. While many tools can parse and visualize this data, making sense of the stream and understanding what actions to take next can be difficult and error-prone. Simply put, making sense of the raw data contained in DMARC XML files requires a deep understanding of email’s technical minutiae.
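The staged rollout described above (p=none, then quarantine, then reject) and the aggregate XML reports that drive it are easier to reason about with code in hand. The following is an added example, not code from the original article or from Agari: it parses a constructed sample aggregate report for the hypothetical domain agency.example.gov, tallies which sending sources pass DMARC, and refuses to recommend a stricter policy while any source the agency has inventoried as legitimate (the assumed `known_senders` set) still fails. The element names follow the aggregate report format; the report contents, IP addresses and domain names are constructed for illustration.

```python
"""Added example: parse a DMARC aggregate (RUA) report, summarize which sending
sources pass, and decide whether the published policy can be tightened."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample report for agency.example.gov (hypothetical domain); the
# element names follow the DMARC aggregate report schema (RFC 7489, Appendix C).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>agency.example.gov</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example.gov</header_from></identifiers>
    <auth_results><dkim><domain>agency.example.gov</domain><result>pass</result></dkim>
      <spf><domain>agency.example.gov</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example.gov</header_from></identifiers>
    <auth_results><spf><domain>newsletter-saas.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example.gov</header_from></identifiers>
    <auth_results><spf><domain>unknown.example.org</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

POLICY_LADDER = ["none", "quarantine", "reject"]


@dataclass
class SourceResult:
    ip: str
    count: int
    dkim_aligned: bool   # DKIM passed AND its d= domain aligned with the From: domain
    spf_aligned: bool    # SPF passed AND the envelope domain aligned with the From: domain
    envelope_domain: str

    @property
    def dmarc_pass(self) -> bool:
        # DMARC passes when at least one aligned identifier passes.
        return self.dkim_aligned or self.spf_aligned


def parse_aggregate_report(xml_text: str):
    """Return (domain, published policy, list of SourceResult) from one RUA report."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    policy = root.findtext("policy_published/p")
    results = []
    for rec in root.findall("record"):
        # policy_evaluated already accounts for alignment; raw auth_results do not
        # (the second record shows SPF passing for an unaligned third-party domain).
        results.append(SourceResult(
            ip=rec.findtext("row/source_ip"),
            count=int(rec.findtext("row/count")),
            dkim_aligned=rec.findtext("row/policy_evaluated/dkim") == "pass",
            spf_aligned=rec.findtext("row/policy_evaluated/spf") == "pass",
            envelope_domain=rec.findtext("auth_results/spf/domain") or "",
        ))
    return domain, policy, results


def summarize(results):
    """Message volume that passed versus failed DMARC across all sources."""
    total = sum(r.count for r in results)
    passed = sum(r.count for r in results if r.dmarc_pass)
    return {"total": total, "passed": passed, "failed": total - passed}


def next_policy(current: str, results, known_senders: set):
    """Recommend the next policy step. Advance only when every source the agency
    has inventoried as legitimate (known_senders, an assumed inventory) already
    passes DMARC; otherwise stay put and return the sources needing SPF/DKIM work."""
    to_fix = [r for r in results if r.ip in known_senders and not r.dmarc_pass]
    if to_fix:
        return current, to_fix
    step = min(POLICY_LADDER.index(current) + 1, len(POLICY_LADDER) - 1)
    return POLICY_LADDER[step], []


def dmarc_record(policy: str, rua: str, pct: int = 100) -> str:
    """Render the TXT record to publish at _dmarc.<domain> for the chosen policy."""
    if policy not in POLICY_LADDER:
        raise ValueError(f"unknown policy {policy!r}")
    return f"v=DMARC1; p={policy}; pct={pct}; rua={rua}"


if __name__ == "__main__":
    domain, policy, results = parse_aggregate_report(SAMPLE_REPORT)
    print(domain, f"published p={policy}", summarize(results))
    known = {"192.0.2.10", "198.51.100.7"}   # assumed sender inventory
    nxt, to_fix = next_policy(policy, results, known)
    for r in to_fix:
        print(f"fix before tightening: {r.ip} (envelope domain {r.envelope_domain})")
    print("recommended:", dmarc_record(nxt, "mailto:dmarc-rua@agency.example.gov"))
```

In the constructed report the third-party newsletter platform at 198.51.100.7 passes SPF for its own domain but not for the agency’s, so it fails DMARC; because it is in the inventory of legitimate senders, the recommendation stays at p=none until its SPF include or DKIM signing is fixed, while the unknown source at 203.0.113.99 simply shows up as unauthenticated volume that a quarantine or reject policy would stop.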
It is increasingly difficult to identify and understand third-party senders and ensure that they are authenticating properly. As cloud and software-as-a-service platforms proliferate, a greater percentage of an organization’s outbound email originates from outside its own infrastructure. Regardless of origin, these are legitimate emails that need to be properly authenticated.
While a successful DMARC implementation will result in improved marketing efficiency and reduced fraud-related costs, there is also a cost of doing it wrong. Despite the emergence of new messaging platforms, email continues to be a critical vehicle for communication and digital engagement for organizations of all types. Incorrectly configuring authentication can lead to false positives, deliverability issues, and agency reputational damage. Taking the final step to a “reject” policy can be a daunting prospect if the business impact of undeliverable email is unknown or cannot be predicted.
NEXT STEPS TO MEET THE DHS MANDATE
A number of companies offer some level of DMARC implementation services, and as in most competitive markets, it can be difficult to separate fact from fiction when assessing their marketing claims. Many vendors will offer a free personalized audit of your email authentication processes and then map out a plan to meet all milestones to comply with BOD 18-01, all the way from “monitor” to “reject.”
The logical early adopters of DMARC were the original high-value targets of phishing: Financial Services, logistics, eCommerce, and social networking platforms. However, government agencies should be equally concerned with domain name spoofing to protect their reputation and safeguard their citizens. Today’s federal agencies are woefully unprotected against phishing attacks. The recent DHS mandate for all agencies to implement DMARC on .gov domains underscores this fact.
Among the vendors serving the early federal DMARC pioneers, Agari is the leading provider of DMARC implementation solutions to the federal government. To get in touch with us about implementing a solution for your agency, visit: agari.com/contact-us
To learn more about the government’s mandate and the challenges and best practices for implementing it, check out these resources:
To create a Plan of Action to submit to DHS, leverage our guide and template: