Monday marks a digital security milestone for United States federal agencies.
By January 15, all agency domains are required to have valid SPF and DMARC records, according to an October directive from the Department of Homeland Security (DHS).
SPF, or Sender Policy Framework, is a common email authentication protocol designed to detect email spoofing. The email validation system authorizes mail from particular domains as safe, and less likely to contain malicious content.
DMARC, or Domain-based Message Authentication, Reporting & Conformance, builds on top of SPF to further strengthen email security by dictating to mailbox providers how they should handle dubitable emails. For example, brands that have fully implemented DMARC may implement a policy that rejects any incoming mail that isn’t authenticated. The email authentication protocol helps fight email-based phishing attacks by limiting the volume of malicious email that makes its way to a consumers’ inbox.
The DHS mandate requires all federal agencies to adopt a “p=none” DMARC policy. This means that email domain owners receive reports on any emails sent through their domain, potentially alerting them to nefarious intentions. The problem with a “p=none” policy, however, is that email recipients still receive the malicious emails and can still be susceptible to phishing attacks.
A “p=reject” policy, on the other hand, instructs mailbox providers to hold any emails that fail to pass email authentication measures.
A recent study of government domains by email security startup ValiMail, published at the beginning of the year, found that as many as 90% of .gov addresses can be easily impersonated with fake emails.