It’s been a year since the Department of Homeland Security’s BOD 18-01 got the U.S. federal government started on a historic transformation of its anti-impersonation posture. Today, the federal government is far better protected from impersonation attacks than the private sector. BOD 18-01 doesn’t apply to state and local governments — and our research shows there’s a big opportunity there for a comparable transformation.
In the latest Valimail research, The State of State and Local Email, we analyzed the publicly accessible DMARC and Sender Policy Framework (SPF) records for 4,273 state and local government domains across the U.S. in order to see which of them are protected from impersonation attacks. And from the results, it’s clear that they are at the very beginning of the email authentication journey.
Why Should State and Local Governments Implement Email Authentication?
State and local government entities are responsible for critical infrastructure, voting systems, and more. Without the proper mechanisms in place, the domains associated with these entities can be impersonated, meaning anyone could send email appearing to be “from” them. Protecting these domains from email impersonation should be a top priority. With email authentication through DMARC at enforcement, criminals are blocked from impersonating their domains and citizens, employees, and government officials can trust that an email from one of these domains is authentic. (For an overview, see our infographic: Why Email Authentication Matters to Local Governments.)
So let’s dive into the report.
Since state and local governments are not subject to the same directive as federal agencies, it wasn’t surprising to see low DMARC usage rates: less than 1 percent of the state and local domains we surveyed are protected.
Only 220 have a DMARC record, and of those:
- 25 are protected against impersonation attacks with an enforcement policy
- 63 of the records are invalid due to syntax or other misconfiguration
- 132 are valid but are not enforced
Without enforcement, there is no protection.
As a subset of this group, we looked at primary state domains (<state>.gov, <state abbreviation>.us, and <state abbreviation>.gov). In this smaller group, none of the domains are protected against exact-domain impersonation with a DMARC record at enforcement. Only 12 of the 153 domains have a DMARC record at all, but all of those 12 are valid.
What Can Be Done?
Governments should not be discouraged by the low usage rates, however. In just one year (October 2017 to October 2018), there has been a 14x increase in the number of federal agencies protected by a DMARC record at enforcement. Although state and local governments are not obligated to implement email authentication under a federal directive, these results should serve as proof that governments can move quickly and effectively to protect their communications — and that implementing DMARC to a policy of enforcement is the way to do it.