DHS makes a big leap forward in ensuring email security
This week, the Department of Homeland Security announced that it would begin requiring Federal agencies to implement DMARC within 90 days. (See here for the text of the DHS directive about DMARC and STARTTLS.)
The directive is a huge step forward for government communications, and for the email ecosystem generally. If implemented at enforcement, DMARC will instill a level of trust in the emails coming from Federal agencies that we haven’t had before. Individuals and enterprises will know that the emails they receive from these agencies are legitimate.
Fraudulent messages purporting to come from government agencies are an effective channel for a number of attacks against both consumers and enterprises. Such phishing attacks are already seen in the wild. DMARC at enforcement will shut down this avenue of attack and force hackers to use more obvious, easier-to-detect methods.
For instance, hackers cannot use the legitimate domains of DMARC-protected agencies in their emails, so they’ll be forced to use other, more easily detected domains. This makes it much easier for recipients to detect these fraudulent emails.
It’s not just government domains that are getting abused like this. Phishing via email impersonation is the most common vector for cyberattacks today. Private sector companies would do well to follow the DHS’s lead and implement DMARC on their own domains as well.
However, it’s not enough to simply publish a DMARC record to DNS — you have to get to enforcement to get real value out of DMARC.
At enforcement, receiving mail servers are instructed to quarantine (flag as spam) or delete messages that fail authentication. But getting there requires authenticating all of an organization’s legitimate senders – both internal and cloud services sending on their behalf.
Unfortunately, only about 20% of companies succeed at getting to this point. That’s because of the complexity of modern email systems: most companies have dozens of cloud services sending on their behalf, and getting every one of them authenticated (whitelisted) proves tricky. We’re seeing progress in some areas, like the biggest financial companies, but across the board, the rates of enforcement are still quite low.
This is also true in the federal government: Valimail’s analysis of more than 1,300 .gov domains shows that while 18 percent have published DMARC records, a significant number contain serious errors. Even more are set to the least restrictive policy, p=none, which provides no protection against impersonation. Only 4 percent of .gov domains have valid DMARC records that are set to an enforcement policy (p=quarantine or p=reject). The rest are still vulnerable to email impersonation. And for military domains (.mil domains as well as other sites like GoArmy.com), none at all have published DMARC records.
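The audit described above sorts each domain into three buckets: a valid record at enforcement, a valid record that only monitors (p=none), or a record with errors. The following classifier, added here as an illustration and not Valimail’s own tooling, applies those rules to a handful of constructed sample records; the domain names and records are invented for the example.

```python
# Classify a DMARC TXT record as the audit in the text does: enforcing,
# monitoring-only (p=none), or invalid. Sample records are constructed.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a lowercase-tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue          # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags

def classify_dmarc(record: str) -> str:
    """Return 'enforcement', 'partial enforcement', 'monitoring',
    or 'invalid: <reason>' for one DMARC record."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return f"invalid: {exc}"
    # RFC 7489 requires v=DMARC1 as the first tag and a p= tag.
    if not record.strip().lower().startswith("v=dmarc1"):
        return "invalid: v=DMARC1 missing or not first"
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return f"invalid: missing or unknown policy {policy!r}"
    # pct= below 100 applies the policy to only a sample of failing mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        return f"invalid: bad pct {pct!r}"
    if policy == "none":
        return "monitoring"        # no protection against impersonation
    if int(pct) < 100:
        return "partial enforcement"
    return "enforcement"

# Constructed sample records, not any real domain's published DNS data.
SAMPLE_RECORDS = {
    "agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@agency-b.example",
    "agency-c.example": "v=DMARC1; p=quarantine; pct=50;",
    "agency-d.example": "v=DMARC1; rua=mailto:dmarc@agency-d.example",
    "agency-e.example": "p=reject; v=DMARC1",
}
```

Running `classify_dmarc` over `SAMPLE_RECORDS` marks only agency-a as enforcing; agency-c is enforcing only for half of failing mail, and agency-d and agency-e are the kind of erroneous records the audit counts as providing no protection.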
Valimail’s ValiGov™ Service can help, as we are offering to get any federal government domain in compliance with the DHS mandate immediately, and for free. To get started, agencies simply need to delegate a DMARC record to Valimail, which will give them visibility over all email activity on their domains. We will not charge federal agencies until we get them to an enforcement state.
About Peter Goldstein: The CTO and co-founder of Valimail, Peter is an MIT- and Stanford-trained technologist who has worked in a variety of software verticals including security, enterprise, email, and video. He has built products and teams at a number of large technology companies such as RSA Security and Perot Systems, as well as at small startups like Tout, Securant, and Swapt.