Government Contractors Have Deployed, But Aren’t Enforcing DMARC

A new report from Valimail released today found that Federal contractors have deployed Domain-based Message Authentication, Reporting, and Conformance (DMARC), but aren’t enforcing it. DMARC is an email authentication, policy, and reporting protocol designed to combat incoming phishing and spoofed email.

The push behind DMARC for Federal contractors began last year when the Department of Homeland Security (DHS) issued a binding directive–Binding Operational Directive 18-01–requiring agencies to deploy DMARC. According to the directive, agencies had to implement DMARC at a monitoring-only level by January 15, 2018, and move their DMARC policies to “reject” by October 16, 2018.

DHS has seen strong deployment results, with 70 percent of Federal domains now having DMARC records and 31 percent protected by enforcement policies. DHS’ Jeanette Manfra commented on her agency’s success with encouraging widespread DMARC adoption at MeriTalk’s Akamai Government Forum on June 14.

“Government’s actually doing the best [at DMARC adoption],” Manfra said. “Here’s this powerful tool that not a lot of people were really adopting. You had all the mail service providers that adopted it, but for those of you who know how it works, you need host sites to adopt it. And in the government, we were really able to take a leadership role in that space, something I’m really proud of, and encourage something in the ecosystem across the board. And frankly, now other countries are adopting it as well. And while it’s not going to solve world hunger–it’s not blockchain–it’s going to make an enormous difference in something as simple as email security, and individuals being able to trust that an email that’s represented as coming from your Federal government is an email coming from your Federal government.”

While contractors were not included in BOD 18-01, many have jumped on the DMARC bandwagon. Valimail found a higher rate of DMARC deployment among the top 100 Federal contractors than in almost any other private sector industry, but also found that enforcement is lagging behind.

The report found that 46 percent of the top 100 Federal contractors are using DMARC. However, DMARC enforcement is low, at just 5 percent. The enforcement rate may surge this fall, as Federal agencies have until October 16 to set their DMARC policies to enforcement. Since Federal contractors were quick to adopt agency standards when it came to deployment, there also may be an uptick in enforcement rates later this year.
