Federal agencies are significantly better than private sector organizations at enforcing Domain-based Message Authentication, Reporting, and Conformance (DMARC) standards to combat email domain spoofing, according to a new report from anti-phishing company Valimail.
DMARC is an email authentication protocol that lets receiving mail systems verify whether a message genuinely comes from the domain it claims, so that users are not exposed to a potential phishing attack. The report listed Federal agencies as the most effective enforcers of DMARC policies. Of the 79 percent of Federal agencies with DMARC records, 93 percent meet enforcement standards – meaning the domain owner's published policy tells receivers to reject unauthenticated messages or send them to the spam folder.
Private sector enforcement numbers are closer to 30 percent.
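The report's definition of "enforcement" maps directly onto the policy tag in a domain's published DMARC record: a policy of reject or quarantine counts as enforcement, while a policy of none only requests reports and leaves spoofed mail deliverable. The following Python is an added example, not code from the Valimail report or from any agency tooling; it parses a DMARC TXT record, decides whether it is enforcing, flags the caveats an auditor would want (a partial `pct` rollout, an unprotected subdomain policy, a malformed record), and then computes the two percentages the report uses over a set of constructed sample domains. The domain names and records are placeholders, not live DNS lookups.

```python
"""Classify DMARC records as enforcing or monitor-only (added example)."""
from typing import Dict, List, Optional

# Constructed sample data: domain -> TXT record at _dmarc.<domain>, or None if absent.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "agency.example":  "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example",
    "vendor.example":  "v=DMARC1; p=none; rua=mailto:reports@vendor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "broken.example":  "p=reject",   # missing v=DMARC1: receivers ignore this record
    "nodmarc.example": None,         # no DMARC record published at all
}

ENFORCING_POLICIES = {"quarantine", "reject"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(record: Optional[str]) -> dict:
    """Return validity, policy, enforcement status and audit notes for one record."""
    result = {
        "has_record": record is not None,
        "valid": False,
        "policy": None,
        "pct": 100,          # DMARC default: apply the policy to all failing mail
        "enforced": False,
        "notes": [],         # type: List[str]
    }
    if record is None:
        result["notes"].append("no DMARC record published; spoofed mail is delivered")
        return result

    tags = parse_dmarc(record)
    # A usable record must start with v=DMARC1 and carry a p= tag.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        result["notes"].append("malformed record (missing v=DMARC1 or p=); receivers ignore it")
        return result

    result["valid"] = True
    policy = tags["p"].lower()
    result["policy"] = policy
    result["enforced"] = policy in ENFORCING_POLICIES

    if not result["enforced"]:
        result["notes"].append("p=none is monitoring only; failing mail still reaches inboxes")

    # pct= < 100 applies the policy to only a sample of failing messages.
    pct_raw = tags.get("pct", "100")
    if pct_raw.isdigit() and 0 <= int(pct_raw) <= 100:
        result["pct"] = int(pct_raw)
        if result["pct"] < 100:
            result["notes"].append(f"pct={result['pct']}: policy applied to a sample only")
    else:
        result["notes"].append(f"invalid pct value {pct_raw!r}; receivers treat it as 100")

    # sp= overrides the policy for subdomains; sp=none leaves them spoofable.
    if tags.get("sp", "").lower() == "none":
        result["notes"].append("sp=none: subdomains are not protected by the policy")
    return result


def enforcement_summary(records: Dict[str, Optional[str]]) -> dict:
    """Compute the report-style figures: share with a valid record, share of those enforcing."""
    total = len(records)
    classified = [classify_dmarc(r) for r in records.values()]
    with_valid = sum(1 for c in classified if c["valid"])
    enforced = sum(1 for c in classified if c["enforced"])
    return {
        "domains": total,
        "with_valid_record": with_valid,
        "enforced": enforced,
        "record_rate": round(100.0 * with_valid / total, 1) if total else 0.0,
        "enforcement_rate": round(100.0 * enforced / with_valid, 1) if with_valid else 0.0,
    }


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        c = classify_dmarc(rec)
        print(f"{domain:18} policy={c['policy']!s:11} enforced={c['enforced']}  {'; '.join(c['notes'])}")
    print(enforcement_summary(SAMPLE_RECORDS))
```

Run against real domains, the same classification can be fed from a TXT lookup of `_dmarc.<domain>`; the enforcement rate is deliberately computed only over domains with a valid record, matching how the report states its "of those with DMARC records, X percent enforce" figure.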
Valimail credited BOD 18-01, a 2017 directive from the Department of Homeland Security (DHS), for the high success rate. DHS mandated DMARC enforcement for executive branch domains by January 2018. Before the directive, the number of government agencies employing DMARC was below 20 percent, and almost no DMARC standards were being enforced.
“Although the mandate was unfunded, several things about it favored success: It was clearly worded, included specific guidance for agencies to follow, and was coupled with tools that agencies could use to check their status and interpret DMARC data,” the report states.
As of July 2019, state and local government DMARC efforts lagged behind the Federal initiative but were trending upward. A previous Valimail report found that only eight percent of state and local domains employed DMARC standards, but this was still a 76 percent increase over previous years.
In total, about 80 percent of all inboxes performed DMARC checks on incoming email messages throughout the second half of 2019. The numbers have continued to grow. Between January 2019 and January 2020, the number of domain owners publishing DMARC records increased by 70 percent.