Last October, the Department of Homeland Security issued Binding Operational Directive (BOD) 18-01 with the intent to safeguard federal information and information systems. A key component of this initiative is to drive these agencies to implement SPF and DMARC email authentication protocols within 12 months.
Fully deploying email authentication prevents the spoofing of compliant federal agencies' trusted domains. Enforcing DMARC can be difficult, due to the amount of work that goes into an implementation project and the risk of blocking legitimate email, so the timelines set by the DHS are aggressive.
At the time of the announcement of BOD 18-01, Proofpoint research found that 1 out of every 8 .gov emails was fraudulent. Clearly, security measures to stop email fraud are needed, and the DHS directive is a step in the right direction. With just a few months to go until the 12-month deadline is reached, our researchers looked at where the federal agencies stand with regard to BOD 18-01 compliance.
Our comprehensive email authentication compliance analysis took place in early July 2018 and covered all civilian agency domains listed at https://catalog.data.gov/dataset/gov-domains-api-c9856. Our team ran both SPF and DMARC queries for all domains to check syntactical correctness. We then reconciled that analysis against the BOD 18-01 compliance standards. In addition, the team analyzed the reporting addresses of the DMARC records to determine whether each deployment was "blind" (no reporting address), in-house (reports sent to the agency in question) or forwarding data to a third-party vendor. We then rolled the analysis up to an agency level.
Latest DMARC Federal Research
Interestingly, 28% of agencies have not started their DMARC compliance journey for any of their domains. Of the agencies that have started their DMARC compliance journey, about 72% are working on their implementation project themselves and gathering DMARC data. Only 19% of agencies have engaged a vendor to help them implement email authentication and a small percentage of agencies have blind DMARC deployments and are not gathering any data at all.
Of the total domains included in the directive, 36% have already achieved the 1-year compliance standard of publishing a valid SPF record and a valid DMARC record with a "reject" policy. A further 22% have satisfied the January 2018 standard of publishing a DMARC record with a "monitor" policy but have more work to do, while 42% are not even compliant with the January milestone, due to SPF and/or DMARC gaps.
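The classification described in the methodology and milestone paragraphs above, as an added example (not Proofpoint's research tooling): it parses a domain's SPF and DMARC TXT records, labels the DMARC reporting mode as blind, in-house or third-party from the rua addresses, and assigns the domain to the one-year milestone (valid SPF plus p=reject), the January milestone (valid SPF plus a published DMARC record at any policy) or non-compliant. The milestone rules are taken as the post summarises them, the records are constructed samples passed in as strings rather than fetched from DNS, and the SPF check is deliberately a minimal syntax test.

```python
import re

# Constructed sample TXT records (assumption: already fetched from DNS), keyed by
# domain: (SPF record at the domain, DMARC record at _dmarc.<domain>)
SAMPLE_RECORDS = {
    "agency-a.example": ("v=spf1 include:_spf.example -all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example"),
    "agency-b.example": ("v=spf1 -all", "v=DMARC1; p=none; rua=mailto:reports@vendor.example"),
    "agency-c.example": ("v=spf1 a mx ~all", "v=DMARC1; p=quarantine"),
    "agency-d.example": ("v=spf1 include:_spf.example",  # SPF gap: no terminal 'all'
                         "v=DMARC1; p=reject; rua=mailto:dmarc@agency-d.example"),
    "agency-e.example": ("", ""),  # nothing published at all
}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict; {} if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def spf_valid(txt):
    """Minimal syntax check: 'v=spf1', optional mechanisms, terminated by an 'all'."""
    return bool(re.match(r"^v=spf1(\s+\S+)*\s+[-~+?]?all$", txt.strip(), re.I))

def reporting_mode(domain, tags):
    """'blind' (no rua), 'in-house' (every rua address under the agency domain) or 'third-party'."""
    rua = tags.get("rua", "")
    if not rua:
        return "blind"
    for uri in rua.split(","):
        # strip the mailto: scheme and any '!size' report-size limit suffix
        mailbox = uri.strip().lower().replace("mailto:", "", 1).split("!")[0]
        mail_domain = mailbox.rsplit("@", 1)[-1]
        if mail_domain != domain.lower() and not mail_domain.endswith("." + domain.lower()):
            return "third-party"
    return "in-house"

def bod_tier(domain, spf_txt, dmarc_txt):
    """Return (milestone, reporting_mode) for one domain."""
    tags = parse_dmarc(dmarc_txt)
    mode = reporting_mode(domain, tags) if tags else "none"
    if not tags or not spf_valid(spf_txt):
        return "non-compliant", mode   # SPF and/or DMARC gap: misses even the January milestone
    if tags.get("p", "").lower() == "reject":
        return "one-year", mode        # valid SPF + DMARC at reject
    return "january", mode             # DMARC published, policy not yet at reject
```

Running `bod_tier` over every entry in `SAMPLE_RECORDS` and counting the milestones gives the per-domain roll-up the post reports; grouping domains by owning agency gives the agency-level view.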
Based on this research, it seems unlikely that all agencies will reach DMARC compliance for each of their domains by the October 2018 deadline, given that this deadline is only a few short months away. A major reason for this outcome could be that BOD 18-01 was sprung upon the agencies with little advance notice. Without having previously budgeted to become compliant within the DHS' deadlines, many agencies have had to make their best effort with the internal resources they have available. Another hypothesis for the agencies' compliance delay is that, while DMARC authentication is a critical security measure, it is only one piece of their overall security portfolio.
BOD 18-01 is an important step set by the Department of Homeland Security to restore trust in internet-delivered data from federal agencies. But implementing DMARC is a significant project, and achieving compliance within aggressive deadlines can be especially challenging. You do not have to take this journey alone.
Proofpoint provides the tools and services to help you implement DMARC authentication quickly and safely. But more than that, Proofpoint offers the visibility and controls needed (including DMARC authentication) to solve the entire email fraud challenge, protecting your agency and everyone who receives email from you.
Learn more about how Proofpoint can help you implement DMARC efficiently and how to solve the entire email fraud problem at: https://www.proofpoint.com/us/solutions/email-fraud