The U.S. Department of Homeland Security issued a binding operational directive (BOD) requiring all federal agencies that use .gov email and website domains to secure email and deploy authentication technologies in the coming months, the DHS announced Monday.
In the next 30 days, all federal agencies are mandated to develop a plan to implement the Domain-based Message Authentication, Reporting & Conformance (DMARC) security protocol, which is designed to prevent phishing and spamming attacks.
DMARC creates a whitelist of verified senders, then seeks to deliver only authenticated emails and delete fake ones before a user sees them. It also has the potential side benefit of reducing "shadow IT" by restricting the ability for company employees to send out unauthorized email campaigns.
Three categories of filtering exist under DMARC: monitoring email for phishing and spam, quarantining emails that fall into this category, and, lastly, deleting such emails.
Within the next 90 days, all federal agencies are required to have their DMARC plans in place and, at a minimum, have begun monitoring emails.
Over the coming year, the DHS aims to have 100% of federal agencies rejecting phishing and spam emails, said Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications at the DHS, during a joint-press conference with the Global Cyber Alliance.
"Citizens who depend upon interaction with the government deserve a trusted relationship. So, if they see an email from the IRS or FEMA, they need to believe and trust it is an email from the IRS or FEMA," Manfra said.
Additionally, within the next 120 days, all federal agencies will be required to use encryption on their websites via HTTPS and STARTTLS for email.
DHS has been working to implement DMARC over the past year and in the spring ramped up its efforts to encourage federal agencies to adopt the protocol. But, apparently, that was not enough.
"We felt in talking with all the agencies that we needed a little bit of a push to get people to really prioritize it and focus on it," said Manfra, who noted the DHS has previously used a BOD in a few cases with federal civilian offices.
DMARC Industry Details
Google, Yahoo, and Microsoft email services support DMARC, providing a large leg up in migrating consumers to the security protocol. The DHS reports 4.8 billion inboxes worldwide support DMARC, accounting for 76% of global email accounts.
Federal agencies and enterprise companies are far from the 50% DMARC level, according to the DHS and industry reports.
Two-thirds of Fortune 500 companies, meanwhile, have not deployed any level of DMARC, according to an analysis of DNS records by Agari.
Agari's report found 25% of survey respondents chose to only monitor email, 3% have a quarantine policy, and 5% have implemented a reject policy. Agari lumped the organizations that only monitor email into the category of not deploying any level of DMARC, because users would not have received the protection of having their emails quarantined or rejected.
DMARC Deployment Delays
The majority of DMARC deployments fail, according to a report last year by ValiMail. The report found 62% to 80% of DMARC efforts failed.
The protocol's low adoption rate may be blamed, in part, on a lack of education by users, as well as a hesitation to try a new technology, industry experts say. ValiMail also pointed to a reluctance to change back-end email systems, which have complex DNS tables.
But the Global Cyber Alliance (GCA) says implementing DMARC is not difficult. Shehzad Mirza, GCA's director of global operations, says the organization has a relatively easy DMARC setup guide on its website.
"Anyone with an email domain, small businesses, large businesses, should be using it," Mirza says.
Enterprises Stand to Win
Enterprises will "absolutely" benefit from the mandate, says Patrick Peterson, Agari's founder and executive chairman.
"This mandate will reduce risk for the enterprise as many phishing and malware attacks impersonate government agencies such as recent threats highlighting SEC and IRS spoofing. This leadership from DHS also sets a clear message that DMARC is valuable and should be implemented at scale which will drive enterprise awareness and adoption," says Peterson.
Peter Goldstein, chief technology officer and co-founder of ValiMail, also agrees enterprises stand to benefit from the DHS mandate.
And although Goldstein applauds the DHS's mandate, he cautions it is not enough to publish a DMARC record to the DNS.
"You have to get to enforcement to get real value out of DMARC," says Goldstein. "At enforcement, receiving mail servers are instructed to quarantine (flag as spam) or delete messages that fail authentication. But getting there requires authenticating all of an organization’s legitimate senders — both internal and cloud services sending on their behalf."
He noted that only 20% of companies succeed at reaching this point because of the complexity of modern email systems, which include dozens of cloud services a company may use to send emails on their behalf. As a result, it may prove tricky for many companies to get all of these services whitelisted, he says.
"We're seeing progress in some areas, like the biggest financial companies," Goldstein says. "But across the board, the rates of enforcement are still quite low."
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.
- Phish Bait: DMARC Adoption Failures Leave Companies Exposed
- DMARC Continues To Confound Users, Report Says
- Hospital Email Security in Critical Condition as DMARC Adoption Lags
- How To Reduce Spam & Phishing With DMARC