DHS Official: Agencies Say They’re on Track for Tuesday DMARC Deadline

Mike Duffy, acting deputy director for the Department of Homeland Security’s Federal Network Resilience Division, said today that many Federal agencies are expecting to have all of their .gov domains protected from email spoofing campaigns, ahead of an October 16 deadline to do so.

By next Tuesday, agencies are required to have active enforcement of the Domain-based Message Authentication, Reporting, and Confirmation (DMARC) protocol, which works to prevent unauthorized senders from impersonating Federal .gov domains through fraudulent email and using it as an attack vector to launch phishing and spoofing campaigns

Under a binding operational directive (BOD) from DHS, agencies were given a year to begin enforcement.

“We’re seeing agencies saying they’re on track to reach 100 percent by next Tuesday,” Duffy said today during a webinar hosted by Valimail.

But whether all of the CFO Act agencies required by the BOD to enforce the DMARC protocol will get there by Tuesday seems to be in doubt.

Duffy said today that more than 63 percent of Federal .gov domains have active enforcement, an uptick from recent research from multiple organizations, including Valimail and Agari, which put the number at about 50 percent.

It’s been a steady climb, as only 4 percent of agencies had DMARC enforcement policies at the time of the BOD’s release a year ago.

“By and large, agencies are very close, at 80 to 90 percent” across the various domains within each agency, Duffy said.

Some of the disparities in the reported enforcement percentages may stem from the fact that, according to Duffy, there are some 2,300 agency and cross-agency domains that need to be covered. Research from Valimail and Agari only tracked 1,315 and 1,144 domains, respectively.

That’s around 1,000 additional agency and cross-agency domains not tracked by the private sector. Duffy said today how essential an appropriate agency plan is to tackle the breadth of the .gov space, citing agency “concern” over the ability to “spin up resources and work up a plan to implement” among the many factors at play.

Those factors include the technical process required to arrive at enforcement policies, including specific domain name system (DNS) configurations, authentication of trusted sources, and rejection of non-trusted sources.

As a result, nearly all .gov domains have begun the DMARC process – around 93 to 95 percent have implemented an initial DMARC record, Duffy said. But the number of domains with active “p=reject” policies is still just 63 percent with less than a week to go.

Duffy noted that DHS has assembled technical experts, communications experts, and teams that work one-on-one with agencies throughout this process. If Tuesday’s deadline isn’t met, the work will likely be ongoing.

But progress is leading to tangible benefits. In August, Valimail CEO Alexander Garcia-Tobar said that agencies were seeing “jaw-dropping” impersonation statistics – from bad actors sending fraudulent email while masquerading as legitimate government senders. Today, Duffy said the Federal government is finally stemming the tide.

“We’re seeing that we’re dramatically decreasing that ability for bad actors to spoof the government,” he said.

Recent