Study: U.S. Government Contractors Making Progress in Anti-Impersonation Tech

Top Suppliers’ Usage of Email Authentication Tech Is Nearly 50% — But Enforcement Lags

SAN FRANCISCO, June 21, 2018 — Valimail, the world’s leader in automating email authentication, today released an original research report on the anti-impersonation protection status of the largest suppliers of goods and services to the U.S. government.

The top 100 contractors to the federal government are not covered by the same cybersecurity requirements as the agencies they serve, but it appears that they have embraced some of the same directives. These contractors have a higher rate of using the industry-standard Domain-based Message Authentication, Reporting & Conformance technology than almost any other sector Valimail has examined. However, their rate of DMARC enforcement is low, at just 5 percent, which means that most of these companies still lack protection against impersonation (i.e. spoofing or fake emails).

For this report, Valimail analyzed the primary domains for 98 of the largest 100 contractors for the fiscal year 2017 (minus two for which domain names were not available). Valimail’s analysis included examining these companies’ publicly accessible DMARC and Sender Policy Framework (SPF) records from the Domain Name System (DNS).


Valimail’s findings include:

  • 5 out of the 98 federal contractors are protected from domain-based email impersonation. For the rest, phishers can easily use the companies’ domain names in the From: fields of their messages without repercussions.
  • 38 contractors have DMARC records that are correctly configured but simply aren’t set to an enforcement policy. These contractors may be collecting data on how their domains are being used for email, but they lack protection from spoofing.
  • 2 had DMARC records that were incorrectly configured.
  • 53 contractors have no DMARC records at all.

“While the  DMARC adoption rate in this industry may seem low, at 46 percent, it’s actually far higher than almost any industry Valimail has studied, with the exception of the Federal government itself,” said Alexander García-Tobar, the CEO and co-founder of Valimail. “This is a testament to the leadership shown by federal agencies in embracing DMARC. However, given the low enforcement rates, it’s also clear that both agencies and the contractors that serve them have far to go before they are protected from the most pernicious and most common form of cyberattack: The impersonation attack.”

To view Valimail Industry Report on Federal Contractors, visit:

Subscribe to our newsletter