Valimail today announced the availability of the ValiGov™ Service, its email authentication product tailored to the needs of U.S. federal agencies.
The ValiGov Service offers a “free until enforcement” product for all U.S. federal government domains, enabling them to quickly come into compliance with the Department of Homeland Security’s mandate that federal agencies publish a valid DMARC record within 90 days (by January 14, 2018).
Valimail offers the only guaranteed enforcement email authentication product on the market today. The ValiGov Service will be free for U.S. government agencies to use until they achieve enforcement, which is a DMARC policy that instructs receiving mail servers to delete or quarantine messages that fail authentication.
Valimail began a pilot program of its ValiGov product with Fannie Mae earlier this year, resulting in complete protection from email impersonation of the government-sponsored enterprise’s many email domains. Fannie Mae, which is the largest provider of liquidity in the U.S. mortgage market, is now protected from all same-domain impersonations by Valimail’s technology.
“The success we’ve achieved with Fannie Mae inspired us to make this product more broadly available,” said Alexander García-Tobar, the CEO and co-founder of Valimail. “Within a month, Fannie Mae was already seeing benefits of email authentication at enforcement, and within six months we had protected all of their email-sending domains.”
DMARC, for Domain-based Message Authentication, Reporting, and Conformance, is a widely used standard for stopping fake, impersonated email by guaranteeing that only authorized senders can use an organization’s domain name in their emails. It allows domain owners to specify which senders are authorized, and set a policy for how receiving mail servers handle messages that fail to authenticate. When that policy is set to enforcement, it guarantees that emails using a domain name without authorization will not be delivered.
Valimail’s analysis of more than 1,300 .gov domains shows that while 18 percent have published DMARC records, a significant number contain errors. Even more are set to the most nonrestrictive policy, which provides no protection against impersonation. Only 4 percent of .gov domains have valid DMARC records that are set to an enforcement policy, Valimail has found. The rest are still vulnerable to email impersonation.
Furthermore, of 61 domains used by the military (including 51 .mil domains as well as defense.gov, goarmy.com, commissary.com, and other public-facing domains), zero have published DMARC records. This means all of these military domains can be spoofed via email.
“This week’s announcement by DHS is particularly timely given that phishing has reached epidemic levels,” added García-Tobar. “Phishing rates observed by many analysts are higher than they have ever been in history, and phishing attacks are the primary vector for cyberattacks of all kinds. 91 percent of attacks start with a phish — and most of those phish are outright impersonations of a sender’s email address.”
The vast majority of the world’s inboxes (76 percent, or 4.8 billion inboxes) support DMARC, including 100 percent of the U.S.’s largest email providers, such as Google, Oath (Yahoo/AOL/Verizon), Microsoft, and more.
When domain owners publish DMARC records and set them to an enforcement policy, that means phishing and email impersonations are stopped outright — before they reach the inbox — without the uncertainty or risk of anti-phishing approaches based solely on content filtering or end-user training.