Agencies race to implement email security tool

The federal government’s use of a security tool that cracks down on fake emails has surged in recent weeks as agencies with .gov domains rush to meet a deadline to implement the tool and bolster cybersecurity, according to new research.

The tool, called the Domain-based Message Authentication, Reporting, and Conformance (DMARC), helps organizations that use it identify fraudulent messages purporting to come from their email domains. 

{mosads}The Department of Homeland Security (DHS) announced in mid-October that it would mandate that organizations operating .gov domains use DMARC as well as HTTPS to encrypt web traffic. Homeland Security gave departments and agencies 90 days, or until mid-January, to comply with the directive. 

According to research released Tuesday by data security company Agari, the adoption of DMARC throughout the federal government increased by 38 percent in 30 days between mid-November and mid-December, indicating a “rapid adoption” of the tool ahead of the Jan. 15, 2018, deadline set by Homeland Security.

As of mid-December, 47 percent of federal government domains were secured with DMARC, compared with 34 percent a month prior. According to Agari, 151 federal government domains are newly secured with DMARC, raising the total to more than 400.

DMARC allows organizations to report emails that fail authentication tests or, if stronger settings are enabled, send the messages to a recipient’s spam folder or block them from reaching the recipient altogether.

Federal agencies are required to move to the strongest “reject” setting of DMARC within a year. 

In a statement, Jeanette Manfra, a top cybersecurity official at DHS, underscored the need for remaining agencies to act quickly to implement the tool before the “imminent” deadline. 

“DMARC has proven to be an effective solution to secure our federal domains, but more work is needed to protect all federal domains,” Manfra said. “Cybersecurity is a critical component of our homeland security policy, but it is also a shared responsibility. It is crucial for U.S. citizens to trust that an email from a government agency is legitimate.”

The U.S. Senate, Department of Veterans Affairs and Department of Health and Human Services (HHS) are among the government bodies using the tool on the highest security setting. HHS alone has 120 domains and over 200 sub-domains that are protected; these domains send over 30 million emails each day.

Some, including the Federal Trade Commission (FTC) had already been using the tool before Homeland Security issued the directive in October. The FTC recommends that businesses use the email authentication tool in order to crack down on phishing emails.

Phishing emails are a common technique used by hackers to deliver malicious links to a victim in order to gain access to their email. It was how hackers harvested troves of messages from Clinton campaign chair John Podesta’s personal email that were later published by WikiLeaks ahead of the 2016 election.