• by Ray Schultz , July 26, 2018

Federal agencies are on course in the mandated effort to employ DMARC (Domain-based Message Authentication, Reporting and Conformance), an email authentication standard.

Among 1,144 executive branch domains required to adopt DMARC by October 16, 81% have done so, according to a study by Agari. In contrast, 67% of the Fortune 500 have not published a DMARC policy, Agari adds.

The federal requirements are specified in the Binding Operational Directive (BOD) issued last year by the U.S. Department of Homeland Security (DHS).  

Agari also reports that 52% of the executive domains have implemented a  “p=reject” policy, to prevent unauthorized email from being sent, ahead of the October deadline required by the BOD. However, 66% of those are defensive domains that are not configured to send email, and these are the easiest in which to implement the policy.

The Department of Health & Human Services is ahead of all other agencies in implementing “p=reject” — it has secured 97 domains. Agari states that “p=reject” is the strongest enforcement level of DMARC compliance.

The study also notes than 26% of the executive branch domains have adopted the “p=none” monitor policy — a first step in implementing DMARC. This policy enables domain owners to monitor their email for issues, but does not prevent them.

Also, only 26 executive branch domains have a quarantine policy, which sends emails that fail DMARC authentication into the spam folder — and 14 of those are maintained by the DHS. 

Patrick Peterson, founder and executive chairman, Agari, states that “federal DMARC adoption now greatly outpaces private industry. However, almost half of executive branch domains are still unable to prevent unauthorized emails from being sent on their behalf, so there is still concern and uncertainty when it comes to authenticating the identity of email senders.”

Philip Reitinger, president and CEO of the Global Cyber Alliance. Adds that “the progress made by the U.S. Federal Government is encouraging.” But he adds, “The private sector should take note of this effort and follow suit.”

Agari works with the DHS to report on federal DMARC adoption.