(Updated 1/16 with new data)
In October, the Department of Homeland Security issued a directive that requires all federal agencies to implement DMARC for every domain they own.
The Department of Homeland Security’s mandate, BOD 18-01, requires agencies to secure their email through DMARC and STARTTLS, and their web pages through HTTPS.
The first significant deadline for BOD 18-01 is almost here. On January 15, every agency domain must have a DMARC record with, at minimum, a p=none policy.
Agencies have made a great start. When the mandate first emerged on October 16, 2017, only 18 percent of the 1,315 federal domains had a DMARC record. Three months later, as of January 16, that number has more than doubled and now stands at 54.7 percent, or 706 out of the 1,315 federal .gov domains. Eighteen of these domains added DMARC records over the federal holiday weekend.
The federal government now has a higher rate of DMARC deployment than almost any commercial sector we’ve looked at, including the Fortune 500 (34 percent), major U.S. banks (32 percent), and even Crunchbase “unicorns” (31 percent).
We predict that the vast majority of the government’s domains will have DMARC records within the next few months, even if they do miss this first deadline.
No Need to Panic
Gaining compliance with the January 15th requirement is not as difficult as it appears.
Especially in monitoring mode, DMARC does not have to be costly, risky, or difficult. As they learn this, many more agencies will find it’s easy to comply with BOD 18-01’s initial requirement to publish a basic DMARC record in monitoring mode.
DMARC can be implemented on any domain in about five minutes, with the addition of a single, one-line text record in DNS. Given the change control mechanisms that govern DNS updates in most organizations, that could realistically take several days to complete, but it’s not a heavy lift by any means.
This has no impact on other DNS services (such as the availability of the domain’s web servers) and, as long as the policy in the DMARC record is set to “none,” it has no effect on whether email messages get delivered.
The most basic DMARC record also allows domain owners to specify an email address to receive DMARC aggregate reports, which provides an invaluable tool for collecting data on how the domain is being used by email senders.
When agencies turn on DMARC reporting, they will begin to see exactly which mail servers, cloud services, and even printers have been sending email using the agencies’ domains. Of course, phishers who are trying to impersonate the agencies with fraudulent emails will also show up in these aggregate reports. It’s the first step toward gaining control of their email ecosystems.
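As an added example (not code from the original post), the following Python checks a domain’s DMARC TXT value against the two states the post discusses: the monitoring-mode record that satisfies the January 15 milestone (exactly one valid record with at least p=none, plus any rua reporting address), and an enforcement policy (quarantine or reject applied to all failing mail). The sample records and the example.gov reporting address are constructed; the records would normally be fetched from DNS at `_dmarc.<domain>`.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt: str) -> dict:
    """Parse the TXT value at _dmarc.<domain>; raise ValueError if unusable."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The record must begin with v=DMARC1, matched exactly (RFC 7489)
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in VALID_POLICIES:
        raise ValueError(f"invalid or missing p= tag: {tags['p']!r}")
    tags["pct"] = int(tags.get("pct", "100"))  # share of failing mail policed
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct must be between 0 and 100")
    # rua lists the mailto: URIs that will receive aggregate reports
    tags["rua"] = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return tags


def meets_bod_1801_milestone(txt_records: list) -> bool:
    """True when the name holds exactly one valid record (p=none suffices)."""
    # Two DMARC records at one name make receivers ignore DMARC entirely
    candidates = [r for r in txt_records if r.replace(" ", "").startswith("v=DMARC1")]
    if len(candidates) != 1:
        return False
    try:
        parse_dmarc(candidates[0])
    except ValueError:
        return False
    return True


def at_enforcement(txt: str) -> bool:
    """Enforcement: quarantine or reject applied to 100 percent of failing mail."""
    rec = parse_dmarc(txt)
    return rec["p"] in {"quarantine", "reject"} and rec["pct"] == 100


# Constructed sample records, not real agency data
MONITORING = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov"
ENFORCING = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.gov"
```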
It’s a good sign that more than half of the federal government’s domains now have DMARC records. We’re optimistic that the vast majority of domains will have DMARC within the next few months.
Then it’s on to the next challenge — getting to enforcement, which is the point at which DMARC actually starts protecting agencies from fraudulent emails by blocking unauthorized senders. That won’t be an easy journey, but it too is eminently achievable within the next nine months.
The key will be automation: Automatically identifying senders, automatically configuring DNS records to match, and making it easy for domain owners to authorize or de-authorize senders with a single click.