DMARC Email Security Adoption Soars as US Government Deadline Hits

After a year of effort and preparation, the Department of Homeland Security's 18-01 binding operational directive for the use of DMARC email security goes into effect on Oct. 16.

email security

The U.S. government has advanced email security significantly over the course of the past year, thanks to the adoption of the Domain-based Message Authentication, Reporting and Conformance (DMARC) email security protocols.

As of Oct. 16, a large set of U.S. federal government agencies are required to be compliant with the Department of Homeland Security (DHS) 18-01 binding operational directive (BOD), which mandates the use of DMARC. The directive was issued in October 2017, giving agencies a year to incrementally implement the new email security approach.

"Overall, the DMARC adoption rate is now at 85 percent, which is practically the inverse of where we measured adoption last year," Patrick Peterson, founder and executive chairman at Agari, told eWEEK. "When the DHS announced BOD 18-01 last October, the adoption rate was only 18 percent."

DMARC is a protocol that helps protect the integrity and authenticity of email. DMARC is not a single technology but rather is a combination of several components, including the Sender Policy Framework (SPF) and Domain Keys Identified Email (DKIM), to help verify email authenticity. There are also different levels of DMARC policies. The "p=none" policy enables organizations to monitor their email systems for senders, while the "p=reject" policy will block non-compliant messages completely. BOD 18-01 mandates the use of the p=reject policy by Oct. 16.

"The adoption rate for reject policy is at an overwhelming 74 percent," Peterson said. "Forty-six federal executive branch agencies have reached full compliance, and many of the larger agencies have adoption rates well above 74 percent."

According to Proofpoint, the level of compliance with BOD 18-01 is a bit lower, with 62 percent of federal agency domains deploying a DMARC reject policy as of Oct. 11. In contrast, Proofpoint had previously reported that only 37 percent had the basic "p=none" monitor policy for DMARC in place back on Jan. 11.

"I'm not at all surprised that the number isn’t higher. In fact, I'm fairly encouraged that we are at 62 percent," Robert Holmes, vice president of email security for Proofpoint, told eWEEK. "Not only can DMARC be hard to implement, but the stakes are high if you get it wrong and good email gets blocked."

Holmes added that DMARC adoption by federal agencies does need to be celebrated as it marks a significant improvement. For example, Holmes said that IRS.gov used to be one of the most heavily spoofed domains in the world: now mailbox providers can make cleaner and better decisions in identifying and blocking fraudulent email coming from that domain.

Peterson said that Agari is also very pleasantly surprised by the positive improvement in U.S. government DMARC adoption. When Agari first measured federal DMARC adoption in October 2017, less than 10 percent of federal domains had implemented a reject policy.

"Obviously, BOD 18-01 has been a great success for the DHS and the federal executive branch domains it is charged to protect," Peterson said. "The United States government has set a shining example for how to improve email security. It didn’t happen overnight, but it did happen, which is a valuable lesson for private enterprise to learn."

Non-Compliance

While there is reason for optimism about the improved state of email security in the U.S. government, the reality is that not all federal agencies will meet the deadline. Peterson said that there are almost 300 domains that have not implemented a DMARC policy or moved past the basic monitoring policy. 

"Of these domains, 90 percent of them are actively sending email, which means they probably cannot just switch to a reject policy without negatively impacting their email ecosystem," he said.

Peterson added that just because an agency has not adopted DMARC does not mean it is are out of compliance because BOD 18-01 provides an alternative route to compliance: They can provide a plan to adopt DMARC to the DHS.

There are several challenges to adopting DMARC, both within the government and at commercial enterprises. According to Holmes, among the biggest challenges are education, as it takes time for commercial organizations and federal agencies to learn what is needed to properly implement DMARC. Email systems are not always run directly by an agency or organization, which is why Holmes said it is important to identify and work with third-party senders to update their authentication practices to comply with DMARC.

The opportunity for further DMARC adoption across the federal government and those that do business with government is something that Peterson is optimistic about.

"While the DHS directive only applies to a set of government agencies, the technology is equally relevant to the rest of the federal government, including the legislative branch, department of defense, intelligence community and defense contractors," Peterson said. "We are looking forward to those organizations following the success for the directive with their own adoption."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.