On October 16, 2017, the U.S. Department of Homeland Security issued Binding Operational Directive (BOD) 18-01 that mandates the implementation of specific security standards to strengthen email and website security among government agencies.
As part of this DHS mandate, all federal agencies that operate .gov email domains must implement a DMARC “monitor” policy within 90 days and must progress to an enforcement policy of “reject” within 1 year.
Email – despite its importance, ubiquity, and staying power – has never been secure. Prior attempts at security have failed to solve email’s fundamental flaw: Anyone can send email using someone else’s identity. This flaw has put the power of the world’s most admired brands and federal agencies in criminal hands. Through email, criminals can use almost any brand to send spam, phishing emails and malware installers, inflicting direct losses on customers and eroding the brand equity companies have spent years building.
Approximately 70% (by volume) of all private sector email is protected by DMARC. Unfortunately, the US government has been slow to adopt this crucial email security standard. As of November 2017, only 32% of federal agency domains had published a DMARC policy to comply with the DHS mandate. This leaves government agencies and their constituents vulnerable.* Agari’s data shows that 25% of all emails sent from government domains are unauthenticated and potentially malicious.*
Despite these sobering statistics, there have been early adopters within the government sector who are paving the way and setting an example for those who follow. Early government agency adopters of DMARC include:
- The United States Postal Service
- The United States Census Bureau
- The Department of Health and Human Services
- The United States Senate
- The Department of Veterans Affairs
- U.S. Customs and Border Protection
- The FDIC
WHAT IS DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an open email standard published in 2012 by the industry consortium DMARC.org to protect the email channel. DMARC broadens previously established authentication standards for email and is the only way for email senders to tell email receivers that emails they are sending are truly from them.
DMARC enables agencies that send email using .gov domains to:
- Authenticate all legitimate email messages for their email-sending domains, including messages sent from their own infrastructure as well as those sent by authorized 3rd parties
- Publish an explicit policy that gives mailbox providers a clear path on how to handle email messages that cannot be proven authentic. These messages can either be sent to a junk folder or rejected outright, protecting unsuspecting recipients from exposure to attacks
- Gain intelligence on their email streams by letting them know who is sending mail from their domains. This data helps companies to not only identify threats against their customers, but to also discover legitimate senders that they may not even be aware of
DMARC is designed to be deployed in stages. Companies generally start in “monitor” mode using what’s known as a “p=none” policy. This provides feedback about servers using the domain name in the “From:” header of the email messages they send. The domain owner then uses this information to make adjustments to their SPF and DKIM configurations until all of their legitimate mail sources are properly authenticated.
At this point, the policy can be tightened to “quarantine,” which sends unauthenticated messages to the recipient’s spam folder. The final configuration is “reject,” where unauthenticated messages are blocked outright.
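The three stages above correspond to three values of the p= tag in the domain’s DMARC TXT record. The following added example (not Agari’s code) parses such a record, reports which stage it represents, and flags settings that make a record weaker than its p= value suggests, such as a pct below 100 or a subdomain policy (sp=) that lags the organizational policy. The record strings in SAMPLE_RECORDS are constructed sample values and example.gov is a placeholder domain.

```python
"""Parse a DMARC DNS TXT record and report which deployment stage it represents.

Added example, not Agari's code. The records in SAMPLE_RECORDS are constructed
values; example.gov is a placeholder domain.
"""
from dataclasses import dataclass, field

VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed sample records, one per stage described in the text.
SAMPLE_RECORDS = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-agg@example.gov",
    "quarantine": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-agg@example.gov",
    "reject": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc-agg@example.gov",
}


@dataclass
class DmarcRecord:
    tags: dict
    errors: list = field(default_factory=list)    # record is unusable
    warnings: list = field(default_factory=list)  # record works but is weaker than it looks

    @property
    def policy(self):
        return self.tags.get("p")

    @property
    def subdomain_policy(self):
        # RFC 7489: sp defaults to the value of p when absent
        return self.tags.get("sp", self.policy)

    @property
    def pct(self):
        return int(self.tags.get("pct", "100"))

    @property
    def stage(self):
        """'monitor', 'quarantine', 'reject', or None if the record is invalid."""
        if self.errors:
            return None
        return "monitor" if self.policy == "none" else self.policy


def parse_dmarc_record(txt: str) -> DmarcRecord:
    """Split a 'tag=value; tag=value' record into a DmarcRecord with validation results."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return DmarcRecord(tags, errors=[f"malformed tag: {part!r}"])
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    rec = DmarcRecord(tags)

    # The version tag must be present and first; p is the only other required tag.
    if not txt.strip().lower().startswith("v=dmarc1"):
        rec.errors.append("record must begin with v=DMARC1")
    if rec.policy not in VALID_POLICIES:
        rec.errors.append(f"p must be one of {VALID_POLICIES}, got {rec.policy!r}")
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit() or not 0 <= int(pct_raw) <= 100:
        rec.errors.append(f"pct must be an integer 0-100, got {pct_raw!r}")
    if rec.errors:
        return rec

    # Settings that make the policy weaker than its p= value suggests.
    if "rua" not in tags:
        rec.warnings.append("no rua= address: you will receive no aggregate reports")
    if rec.pct < 100 and rec.policy != "none":
        rec.warnings.append(f"pct={rec.pct}: only that share of failing mail is subject to p={rec.policy}")
    if rec.policy == "reject" and rec.subdomain_policy != "reject":
        rec.warnings.append(f"sp={rec.subdomain_policy}: subdomains are not at reject")
    return rec


def is_full_reject(txt: str) -> bool:
    """True only when all failing mail, for the domain and its subdomains, is rejected."""
    rec = parse_dmarc_record(txt)
    return rec.stage == "reject" and rec.pct == 100 and rec.subdomain_policy == "reject"


if __name__ == "__main__":
    for name, txt in SAMPLE_RECORDS.items():
        rec = parse_dmarc_record(txt)
        print(f"{name:10} stage={rec.stage} errors={rec.errors} warnings={rec.warnings}")
```

The warnings are the part worth keeping: a record can read p=reject and still leave most failing mail untouched if pct is low, or leave every subdomain at p=none if sp was never set, so a check that only looks at the p= tag overstates where a domain actually is.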
Most organizations have been using email since the 90s, and must undo two decades of bad practice. This means a successful DMARC implementation can be a challenging proposition.
Most agencies, working to comply with the DHS mandate, don’t realize how complex their email ecosystem is until they begin getting aggregate data from DMARC reporting. Standard reporting comes in the form of individual XML files that specify domain names, IP addresses and authentication details. While many tools can parse and visualize this data, making sense of the stream and understanding what subsequent actions to take can be very difficult and error-prone. Simply put, making sense of the raw data contained in DMARC XML files requires a deep understanding of email’s technical minutiae.
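To make the shape of that data concrete, here is an added example (not Agari’s code or any vendor’s tool) that parses a constructed DMARC aggregate report in the standard XML layout and turns it into the two things a domain owner needs from it: how much mail from each source IP passed DMARC, and which failing sources still authenticate as some other domain, which is the usual signature of a legitimate third-party sender that has not yet been brought into alignment. The XML, IP addresses, counts and domains are all constructed sample values.

```python
"""Summarize a DMARC aggregate (rua) report: per-source authentication results.

Added example, not Agari's code. SAMPLE_REPORT is a constructed report in the
RFC 7489 aggregate-report XML layout; the IPs, counts and domains are made up.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1509494400</begin><end>1509580800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.gov</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>  <!-- the agency's own mail servers: aligned SPF and DKIM -->
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.gov</header_from></identifiers>
    <auth_results><dkim><domain>example.gov</domain><result>pass</result></dkim>
      <spf><domain>example.gov</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- a SaaS mailer: SPF passes for its own domain, so it is not aligned -->
    <row><source_ip>203.0.113.5</source_ip><count>350</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.gov</header_from></identifiers>
    <auth_results><dkim><domain>bulk-mailer.example</domain><result>pass</result></dkim>
      <spf><domain>bulk-mailer.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- an unknown source using the domain with no valid authentication at all -->
    <row><source_ip>198.51.100.77</source_ip><count>4000</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.gov</header_from></identifiers>
    <auth_results><spf><domain>example.gov</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def parse_aggregate_report(xml_text: str) -> dict:
    """Return published policy plus one summary entry per source IP in the report."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    report = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": pub.findtext("domain"),
        "policy": pub.findtext("p"),
        "sources": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results; DMARC passes if either does.
        dkim_aligned = evaluated.findtext("dkim") == "pass"
        spf_aligned = evaluated.findtext("spf") == "pass"
        report["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": evaluated.findtext("disposition"),
            "dmarc_pass": dkim_aligned or spf_aligned,
            # raw auth_results (first dkim/spf element only) tell us *which* domain authenticated
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "dkim_raw_pass": rec.findtext("auth_results/dkim/result") == "pass",
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "spf_raw_pass": rec.findtext("auth_results/spf/result") == "pass",
        })
    report["total"] = sum(s["count"] for s in report["sources"])
    report["unauthenticated"] = sum(s["count"] for s in report["sources"] if not s["dmarc_pass"])
    return report


def classify(source: dict) -> str:
    """authenticated / unaligned (passes as another domain) / unauthenticated."""
    if source["dmarc_pass"]:
        return "authenticated"
    if source["spf_raw_pass"] or source["dkim_raw_pass"]:
        return "unaligned"      # typical of a third-party sender not yet configured for the domain
    return "unauthenticated"


def unauthenticated_sources(report: dict) -> list:
    """IPs that failed DMARC, largest volume first: the list to investigate before tightening p=."""
    failing = [s for s in report["sources"] if not s["dmarc_pass"]]
    return [s["ip"] for s in sorted(failing, key=lambda s: s["count"], reverse=True)]


if __name__ == "__main__":
    rep = parse_aggregate_report(SAMPLE_REPORT)
    print(f"{rep['domain']} p={rep['policy']}: {rep['unauthenticated']}/{rep['total']} messages failed DMARC")
    for s in rep["sources"]:
        print(f"  {s['ip']:15} {s['count']:6} {classify(s):16} spf={s['spf_domain']} dkim={s['dkim_domain']}")
```

The "unaligned" class is the one that matters for the third-party problem: those messages are not forged, they are legitimate mail from a platform that authenticates under its own domain, and they will be quarantined or rejected the moment the policy tightens unless the platform is added to SPF or signs with an aligned DKIM key. Real reports carry many more records and several reports arrive per day, so in practice this summary is run over all of them before any policy change.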
It can be increasingly difficult to identify and understand third-party senders and ensure that they are authenticating properly. As cloud and software-as-a-service platforms proliferate, a greater percentage of an organization’s outbound email originates from outside their infrastructure. Regardless of origin, these are legitimate emails that need to be properly authenticated.
While a successful DMARC implementation will result in improved marketing efficiency and reduced fraud-related costs, there is also a cost of doing it wrong. Despite the emergence of new messaging platforms, email continues to be a critical vehicle for communication and digital engagement for organizations of all types. Incorrectly configuring authentication can lead to false positives, deliverability issues, and agency reputational damage. Taking the final step to a “reject” policy can be a daunting prospect if the business impact of undeliverable email is unknown or cannot be predicted.
NEXT STEPS TO MEET THE DHS MANDATE
There are a number of companies that offer some level of DMARC implementation services, and like most competitive markets, it can be difficult to divine fact from fiction when assessing their marketing claims. Many vendors will offer a free personalized audit of your email authentication processes and then map out a plan to meet all milestones to comply with BOD 18-01, all the way from “monitor” to “reject.”
When evaluating DMARC implementation solutions, it might be helpful to ask the following questions:
- How long have you been focused on DMARC implementation?
- Did you acquire an authentication tool to meet a portfolio gap?
- What’s the largest environment (number of domains) that you’ve brought to “reject”?
- What percentage of all federal agencies that have employed DMARC use your product?
- Can you automatically generate a visual display (not just IP addresses) of all senders emailing on my behalf?
- How do you discover and validate the senders?
- What non-standard approaches do you use for maintaining SPF records?
- If I decide to switch vendors at some point in the future, do I have to start over or will the work I’ve done with you carry over to the new vendor?
- How is your environment protected from attacks?
- Does your solution make it easy to create, share, and schedule ad-hoc reports?
- What sort of executive level reporting does your solution provide?
- Can your solution tell me how I’m doing relative to my industry peers?
- Do you support role-based and domain-based access control that can map to my organization’s process and security models?
- Do you support Single Sign-On (SSO) access to the application?
- Do you have an app that pulls relevant information from brand/domain events into a SIEM such as Splunk?
- Do you have an API, so I can create custom integrations to other tools?
The logical early adopters of DMARC were the original high-value targets of phishing: Financial Services, logistics, eCommerce, and social networking platforms. However, government agencies should be equally concerned with domain name spoofing to protect their reputation and safeguard their citizens. Today’s federal agencies are woefully unprotected against phishing attacks. The recent DHS mandate for all agencies to implement DMARC on .gov domains underscores this fact.
Of the early Federal DMARC pioneers, Agari is the leading vendor providing DMARC implementation solutions to the federal government. To get in touch with us about implementing a solution for your agency, visit: agari.com/contact-us
To learn more about the government’s mandate and the challenges and best practices for implementing it, check out these resources:
To create a Plan of Action to submit to DHS, leverage our guide and template:
* Agari analysis based on over 1300 federal agency domains, October 2017