• by Ray Schultz , September 21, 2018

Federal agencies are getting closer to the required full adoption of DMARC (Domain-based Message Authentication, Reporting and Conformance), the email authentication tool. But many still have a way to go to meet the October 16 deadline set by the Department of Homeland Security (DHS) -- apparently including the White House, according to an update by Agari.  

Of 1,144 executive domains required to comply, 64% have implemented a "p=reject" DMARC policy, the highest level -- up from 52% in July. But the remaining 417 need to make a “massive sprint” to comply with the DOH requirement, states Patrick Peterson, founder and executive chairman, Agari.

The study shows that 83% had implemented DMARC at the lower "p=none" level, the minimal level required by DHS by the original 90-day deadline of Jan. 15, 2018.  Only 17% overall have no policy.

But 52% of the domains of the Executive Office of the President have implemented no policy, and only 36% have adopted the highest standard.

At its most secure level, DMARC protects a firm’s email domain from being spoofed, making phishing emails appear that they are from legitimate organizations.

Of the domains that have a “p-reject” policy, 60% are “defensive domains,” configured not to send email.

“Work remains to be done, and we look forward to full implementation by U.S. government agencies, greater adoption of DMARC by federal contractors and other businesses, and increased DMARC use by governments around the world," adds Philip Reitinger, CEO of the Global Cyber Alliance.