Dmarc as a Service

This Independence Day, celebrate U.S. cybersecurity progress

It’s been almost nine months since the Department of Homeland Security issued a directive mandating that all U.S. federal agencies implement several security-enhancing measures, including DMARC, HTTPS, and STARTTLS.

At the time BOD 18-01 came out in October 2017, only 18 percent of the 1,315 U.S. federal domains had a DMARC record, and about only about 4 percent were protected by DMARC at enforcement. If you were skeptical about the government’s ability to move quickly on this technological mandate, your skepticism might have been justified.

But the Feds proved the naysayers wrong. Three months after the directive, almost 55 percent of federal domains had DMARC records. And today, that number stands at more than 70 percent of all federal domains.

Even better, more than 42 percent of federal government domains are now protected by DMARC records at enforcement — a policy setting of p=reject or p=quarantine — which means that emails impersonating these domains will be rejected  or sent to spam folders.

The DHS didn’t merely order agencies to deploy DMARC, it also required that the agencies move those DMARC records to “reject” policies by October 16, 2018. This is smart, because without an enforcement policy, DMARC does not provide protection against impersonation. Once all federal domains are locked down with enforcement policies — and to be fair, this will probably take longer than until October 16, 2018 — the government and its citizens will enjoy far greater protection from hackers, because these agencies will be much harder to impersonate.

DMARC is not the only area where the government is making progress. The federal government website Pulse shows that 65 percent of federal domains are compliant with BOD 18-01’s HTTPS requirements. That includes not just using HTTPS, but also deploying stronger forms of encryption, using HTTP Strict Transport Security (HSTS), and preloading federal websites as HSTS-only in compatible modern browsers.

These changes will not stop all cyberattacks. But they do cut off the most common avenues of attack: Phishing via email, for instance, is implicated in over 90 percent of successful attacks, and the predominant form of phishing is same-domain impersonation. Utilizing these standards will force hackers to try harder avenues of attack, rendering government agencies that much more secure.

More importantly, the embrace of HTTPS, DMARC, and other security standards has clearly put the U.S. government in a leadership position with regard to cybersecurity. And that’s something we can all celebrate this 4th of July.