Few large federal contractors are fully protected against domain-based email impersonation, according to a study by Valimail.
Of the 98 companies studied, 46% have deployed DMARC (Domain-based Message Authentication, Reporting & Conformance), a higher rate than almost any other sector, Valimail reports.
But only 5% are enforcing DMARC, leaving themselves open to phishing emails, it adds.
Valimail determined that 53 contractors have no DMARC records.
Another 38 contractors have correctly configured DMARC records, but have not set an enforcement policy. Two had incorrectly configured records.
These firms are not covered by the same cyber security requirements as government agencies.
"While the DMARC adoption rate in this industry may seem low, at 46% it's actually far higher than almost any industry Valimail has studied, with the exception of the Federal government itself," states Alexander García-Tobar, the CEO and co-founder of Valimail.
However, he adds that, "given the low enforcement rates, it's also clear that both agencies and the contractors that serve them have far to go before they are protected from the most pernicious and most common form of cyber attack: The impersonation attack."
Valimail analyzed DMARC and Sender Policy Framework records from the Domain Name System for the primary domains of 98 of the largest 100 contractors for fiscal year 2017.
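The sketch below sorts a domain's `_dmarc` TXT answers into the categories the study reports (no record, incorrectly configured, configured without enforcement, enforcing). It is an added example, not Valimail's tooling. It assumes that "enforcement" means `p=quarantine` or `p=reject`, which the article does not define, and the domains and records in `SAMPLE` are constructed.

```python
from collections import Counter

VALID_POLICIES = {"none", "quarantine", "reject"}  # p= values from RFC 7489


def parse_dmarc(record):
    """Parse one DMARC TXT string into a tag dict; None if malformed."""
    tags, order = {}, []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:                      # a tag without "=" is a syntax error
            return None
        name = name.strip().lower()
        tags[name] = value.strip()
        order.append(name)
    # v=DMARC1 must come first and match exactly; p must be a known policy.
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        return None
    if tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    return tags


def classify(txt_records):
    """txt_records: TXT strings returned for _dmarc.<domain> (may be empty)."""
    dmarc = [r for r in txt_records
             if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not dmarc:
        return "no_record"
    if len(dmarc) > 1:                   # receivers skip DMARC if several exist
        return "invalid"
    tags = parse_dmarc(dmarc[0])
    if tags is None:
        return "invalid"
    # Assumption: quarantine/reject count as enforcement, p=none does not.
    return "monitoring_only" if tags["p"].lower() == "none" else "enforcing"


def tally(domains):
    """Count categories over a {domain: [TXT strings]} mapping."""
    return Counter(classify(records) for records in domains.values())


SAMPLE = {  # constructed records, not data from the study
    "a.example": [],
    "b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@b.example"],
    "c.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@c.example"],
    "d.example": ["v=DMARC1; rua=mailto:dmarc@d.example"],  # p= missing
}

if __name__ == "__main__":
    print(dict(tally(SAMPLE)))
```

To check a real domain, feed `classify` the TXT strings returned for `_dmarc.<domain>` by any resolver.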