Oct 16, 2018

Many government agencies miss email security deadline

Email inbox

Photo: Mike Clarke / AFP via Getty Images

A year ago, the Department of Homeland Security gave nearly all civil federal agencies 12 months to adopt an email security standard that prevents email fraud. In data as recent as Monday, 2 sets of researchers show that between a quarter and a half of those agencies' web domains failed to meet the Tuesday deadline.

Why it matters: Email was not designed to check whether a message claiming to be from an email address actually came from that address, and that's a big gap. Just imagine how much chaos an attacker could cause by sending fraudulent emails messages from "[email protected]." When properly set up, DMARC plugs that security hole.

Details: DMARC (formally Domain-based Message Authentication, Reporting and Conformance) lets email programs check if a server sent a message. If not, DMARC can instruct it to reject the message, send the message to spam or do nothing out of the ordinary.

  • "It's a common sense security measure, and it makes no sense to allow criminals to send fake emails," said Patrick Peterson, executive chairman and founder of email security firm Agari.

Homeland Security gave agencies until Tuesday to implement the reject option.

  • Intelligence and defense agencies were exempt and, according to a study by the security advocacy group the Global Cyber Alliance and Agari, almost entirely did not comply.

By the numbers: Of 1315 federal web domains checked Monday morning, email security company ValiMail determined only 57% had met the federal mandate. In the more formal study by the Global Cyber Alliance and Agari, a different sample of 1144 sites found that 74% had complied. That leaves between 26% and 43% that have not.

  • Agari found more distinct sites that met the mandate and VailMail found more distinct sites that didn't. Based on those findings, at least 851 comply with the mandate and at least 564 did not.

Some extremely big-name agencies fall far short on DMARC, according to the Global Cyber Alliance / Agari study.

  • 13 out of 25 —more than half — of the tested domains run by the Executive Office of The President (colloquially known as the White House) had not implemented DMARC. Another 3 of the domains implemented DMARC without setting it to reject email.
  • Just under half of the Department of Commerce domains (25 out of 52) had not implemented DMARC.
  • Amtrak's lone domain had not implemented it, either.

ValiMail CEO Alex Garcia-Tobar notes that the results of his group’s work are encouraging and disappointing at the same time.

  • "The government has made amazing progress — going from 4% last year to over 50% this year. I've never seen them work this quickly on a security project," he said.
  • On the other hand, the unimplemented systems could be a real problem, Garcia-Tobar said. "Anything less than 100%, agencies are wide open to impersonation."

Don't forget: Not all compliant domains are created equal. Valimail found the compliance rate was, for example, much higher in domains that did not send out emails than in the ones that did.

  • "It’s much harder to put rules in place for domains that send emails than ones that don't," said Garcia-Tobar.
Go deeper