1/3 of Government Email Domains Miss DMARC Deadline

The deadline for implementing Domain-Based Message Authentication, Reporting and Conformance was Tuesday.

The deadline for federal email domains to implement DMARC was Tuesday, and just over two-thirds managed to meet it. That leaves around 33% of federal email domains vulnerable past the DHS deadline, according to the Global Cyber Alliance.

This comes amid a year of staggered deadlines for DMARC implementation. DMARC helps to verify the identity of an email’s sender in an effort to stop spoofing.

The 67 percent of government domains that made the Tuesday deadline is a major jump from the 8 percent that had DMARC installed when Homeland Security first issued that order, the department’s Deputy Assistant Secretary for Cyber Policy Tom McDermott noted during an event sponsored by the Global Cyber Alliance and the Cybersecurity Tech Accord.

So that’s progress, but it’s hardly the complete implementation the Department of Homeland Security, which oversees cybersecurity for the federal government, had hoped for.

What is DMARC and why does this matter?

Let’s hash it out…

What is DMARC?

DMARC, or Domain-Based Message Authentication, Reporting and Conformance, is an email validation system purpose-made to detect and prevent email spoofing. Our resident IT expert, Ross Thomas, actually covered this during his series on email security:

Now that we’ve covered everything else, we’ll take a look into the master sword, the infinity gauntlet, the one ring of email security that binds some security pieces together to form DMARC (Domain-Based Message Authentication, Reporting and Conformance). DMARC utilizes DKIM and SPF (which are previous article topics) to report on how the email domain is doing: compliance, alignment, failures, etc.

To illustrate this point, Ross also tossed in this graphic from Agari:


I really recommend you read the whole article, but that should be sufficient.

Now let’s talk about why this matters.

Why is DMARC important?

Obviously, being able to snuff out spoofed emails would be important for any company or organization, but for the federal government it can be a matter of national security. Granted, a number of other things would also have to go wrong for it to get that far, but you need only look back to the plight of John Podesta, the chairman of the ’16 Clinton Presidential Campaign, as well as the DNC to see how much damage a spoofed email can do.

Now, neither of those attacks took place on federal domains, so this deadline wouldn’t have helped them one bit. But still, a cautionary tale does it make.

From the standpoint of the business or organization you’re with, there’s no shortage of anecdotal evidence as to why you should be adding systems like DMARC to your own email domains, as well as using digital certificates to help with email validation. Keep in mind:

Are you doing enough to protect your company’s email? The point here isn’t to scare you, it’s to reinforce that you’re potentially opening yourself and your employees up to legitimate risks if you aren’t doing enough.

As always, leave any comments or questions below.

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.