On October 16, the Department of Homeland Security announced that it is requiring federal agencies to implement DMARC on their email-sending domains within 90 days. (See here for the text of the DHS directive BOD 18-01 about HTTPS, DMARC, and STARTTLS.)
It’s a timely directive, given that the Internet is facing a historic explosion of phishing attacks and email impersonation exploits and a post-Equifax spike in phishing emails. Phishing remains the #1 vector through which all cyberattacks begin, and the majority of phish utilize same-domain impersonation. To pick just one subcategory of email fraud, business email compromise (BEC) has cost American businesses $5.3 billion since 2013, according to the Federal Bureau of Investigation. Across a variety of attack types, phishers use email to impersonate banks, credit card companies, cloud storage companies, and, yes, government agencies.
The U.S. government is particularly vulnerable. ValiMail’s analysis shows that 96 percent of government domains (.gov) are easy to impersonate with fake emails that appear to come from their domains.
While many .gov domains have attempted DMARC, few have succeeded in using it to stop fraud.
At a time when one in four emails from the government is fraudulent, this is a crisis that needs to be addressed. This crisis of email fraud harms businesses, consumers, and the American economy — and it hurts the credibility of the U.S. government.
The DHS directive is a step in the right direction, but it is only the first step.
The Solution Is DMARC With Enforcement
Email is fundamentally susceptible to fraud by design. Fraudsters take advantage of email’s “original sin” — that it was originally built without sender authentication — to send messages posing as government officials and elected representatives. Recipients tend to trust messages from government addresses, leading them to be more susceptible to clicking on links or downloading malicious attachments.
In this context, email authentication via DMARC is an effective response. When enabled and set to a policy of enforcement, it completely forecloses the ability for hackers to use a government domain in emails, limiting the domain’s use to authorized senders only.
Note: We define “enforcement” as a DMARC record that is correctly configured, with a policy of “reject” (p=reject) or “quarantine” (p=quarantine) for the domain and for its subdomains. These are the two policies that will keep email that fails authentication from landing in end-users’ inboxes. At quarantine, non-authenticating mail goes to users’ spam folders; at reject, it’s deleted outright.
The DHS directive comes several months after Oregon Sen. Ron Wyden called on the agency to make DMARC mandatory. DHS responded to that call with this directive. And it not only published a directive, it also paired it with a website containing extensive background information, including a useful and accurate introduction to email authentication and a detailed compliance guide that spells out just what agencies must do in order to comply with BOD 18-01.
This is just the kind of information that federal agencies need, because there is a long way to go before these agencies are in compliance with the directive.
Unfortunately, getting DMARC to a policy of enforcement is difficult. In ValiMail’s extensive analyses of various industry sectors, we have found that, on average, only about 20 to 25 percent of the companies that publish a DMARC record actually get to the point where they are completely protected from email impersonation through DMARC enforcement. Our analysis of government domains shows that the same issue is at play here.
Slow Progress In Top 10 Agencies
When we first examined U.S. government domains in January 2017, we looked at a list of 10 representative high-level government domains. What we found was a pretty low level of email authentication: Just one domain, SSA.gov, had implemented email authentication and set it to a policy of enforcement. Four domains had published an SPF record, which is one of the components of email authentication, but which on its own does not prevent fraudulent use of the domain in email. And five domains had either not attempted authentication or had done so but failed to achieve enforcement. When we checked again, after Sen. Wyden published his letter in July, the status of all 10 domains was the same.
Today, there is some improvement. FBI.gov has achieved enforcement, and there are signs that other domains are making progress toward it. But too many of these 10 domains are still not at enforcement, including whitehouse.gov (no DMARC record at all) and DHS.gov itself (DMARC record published but not at enforcement yet).
Federal Domains Largely Vulnerable
We obtained a list of all 1,315 federal .gov domains from the General Services Administration, and analyzed the public SPF and DMARC records for these domains as recorded in DNS. This list includes more domains than are covered by the DHS directive, which applies only to executive branch agencies and departments. For example, our list includes house.gov and senate.gov, the two key domains used by the legislative branch.
What we found is that there is a higher-than-average rate of attempted email authentication among federal domains: 18 percent, or 243 government domains in total, have published DMARC records. That’s higher than the 10 percent we see in many industries. Still, that leaves 82 percent that haven’t even started their DMARC journeys.
The agencies that have published DMARC records have low success rates in getting their DMARC records to enforcement. About half of the 243 have serious errors; only 124 of these domains have valid, complete DMARC records. And even fewer, 51 domains, or 21 percent of those who have attempted DMARC, have a DMARC policy at enforcement.
Unfortunately, that is typical, as we and others have found.
DMARC relies on and ties together two earlier standards, SPF and DKIM, which were developed in the pre-cloud era. Today, when many organizations use a dozen or more cloud services, all of which send email on their behalf, implementing this trio of standards is trickier. That’s because the standards, particularly SPF, have limitations that often trip up organizations aiming for DMARC enforcement.
Also, DMARC is tied to an organizational domain, like dhs.gov. When that organization has many sub-organizations, each of which has its own subdomain, like usss.dhs.gov, DMARC enforcement requires coordination across those organizations. That makes compliance that much more difficult.
SPF Provides No Protection Against Fraud
We know that .gov domains are interested in email authentication, because our analysis shows that more than 50 percent of these 1,315 domains have published SPF records, and most of those records are valid. That’s a good sign for the DMARC directive, because it indicates that government agencies are familiar with the basics.
However, it is much easier to publish a valid SPF record when there is no DMARC record involved. Once you add DMARC and aim for enforcement, you run the risk of accidentally blocking legitimate senders — unless you have some way of clearly identifying every single sender.
Finally, SPF can improve deliverability and provide some protection against spam, but it is not effective on its own as an anti-fraud measure. SPF validates only the envelope sender (the SMTP MAIL FROM address), not the From: header that recipients actually see, so a message can pass SPF while displaying a spoofed From: address.
In short, it’s no simple matter to get DMARC to enforcement with the confidence that you’re authorizing all the legitimate senders while blocking only malicious senders. Doing so within the DHS-imposed one-year timeline will no doubt be challenging for many agencies.
Military Domains Lag Behind
We compiled a list of military domains from various sources. Our list includes 55 .mil domains and 10 other domains used by the military (including defense.gov, goarmy.com, and commissaries.com).
While these domains are probably not covered by the DHS directive (which exempts national security systems and the DoD), they have the same needs for trustworthy communications as the rest of the federal government.
However, the picture here is simple, if stark: None of these 65 domains have published a DMARC record at all. The military’s core domains remain easy to impersonate through fake emails.
When it comes to SPF, military domains are also behind the curve. Only 10 of the 65 have published an SPF record, and two of those are invalid.
Federal agencies have until January 14, 2018 to implement DMARC on their domains at the most basic level (a policy of p=none), which provides visibility via DMARC aggregate reports but which provides no protection from email impersonation.
They then have until October 16, 2018 to get their email authentication to an enforcement state (p=quarantine or p=reject). If the federal government’s experience with DMARC to date is any indication, this is going to be a challenge for many agencies.
One particular area of challenge for many government domains will be subdomains. Organizational domains (like senate.gov) may be covered by DMARC at enforcement, but still leave subdomains (like cruz.senate.gov) open to impersonation. As a result, there is nothing stopping anyone from sending a fraudulent email as, say, firstname.lastname@example.org.
(See our analysis of the email authentication status of senate.gov.)
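To make the “enforcement” definition from the note above concrete, including the subdomain gap just described, here is an added example (not code from the original post or from ValiMail) that parses a DMARC TXT record and classifies it. It assumes the record text has already been fetched from DNS; the sample records are constructed, not real .gov lookups.

```python
# Added example, not from the original post. Classifies a DMARC TXT record by the
# "enforcement" definition used above: the domain policy (p=) and the effective
# subdomain policy (sp=, which defaults to p= when absent) must both be
# quarantine or reject. Sample records below are constructed for illustration.

VALID_POLICIES = {"none", "quarantine", "reject"}
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict.
    Returns None if the record is not usable: v=DMARC1 must be the first tag,
    p= is required, and p=/sp= must hold a recognised policy value."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip().lower()
    if not txt.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        return None
    if tags["p"] not in VALID_POLICIES:
        return None
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        return None
    return tags

def classify(txt):
    """Return 'invalid', 'monitoring', 'subdomains-open' or 'enforcement'."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    policy = tags["p"]
    sub_policy = tags.get("sp", policy)  # sp= falls back to the domain policy
    if policy not in ENFORCING:
        return "monitoring"       # p=none: aggregate reports only, no protection
    if sub_policy not in ENFORCING:
        return "subdomains-open"  # org domain protected, subdomains still spoofable
    return "enforcement"

# Constructed sample records (hypothetical; example.gov is a placeholder).
SAMPLES = {
    "v=DMARC1; p=none; rua=mailto:dmarc@example.gov": "monitoring",
    "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.gov": "subdomains-open",
    "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.gov": "enforcement",
    "v=DMARC1; rua=mailto:dmarc@example.gov": "invalid",  # p= missing
    "p=reject; v=DMARC1": "invalid",                       # v= not first
}

if __name__ == "__main__":
    for record, expected in SAMPLES.items():
        result = classify(record)
        print(f"{result:16} {record}")
        assert result == expected
```

A record that classifies as “subdomains-open” is the case described above: the organizational domain is covered, but mail claiming to be from its subdomains is still accepted.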
- Publish a DMARC record at p=none immediately, for each of your domains, in order to bring your domains into basic compliance with the 90-day requirement and to begin collecting DMARC aggregate reports.
- If the agency already has DMARC implemented, use ValiMail’s domain checker to see whether it is complete and valid, and to examine whether there are problems with the underlying SPF record.
- Read the DHS guidelines on implementation carefully.
- Read ValiMail’s four-part guide to email authentication for further high-level explanation of each standard involved (SPF, DKIM, and DMARC).
Finally, ValiMail offers a government-specific product tailored to the needs of U.S. federal domains. We invite interested IT and security personnel at federal agencies to check out ValiGov and contact us for more information on how we can help your domains get compliant, not just with a DMARC record, but with the one-year requirement to get DMARC to enforcement.