Sign up for our daily briefing

Make your busy days simpler with Axios AM/PM. Catch up on what's new and why it matters in just 5 minutes.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Stay on top of the latest market trends

Subscribe to Axios Markets for the latest market trends and economic insights. Sign up for free.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Sports news worthy of your time

Binge on the stats and stories that drive the sports world with Axios Sports. Sign up for free.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Tech news worthy of your time

Get our smart take on technology from the Valley and D.C. with Axios Login. Sign up for free.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Get the inside stories

Get an insider's guide to the new White House with Axios Sneak Peek. Sign up for free.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Catch up on coronavirus stories and special reports, curated by Mike Allen everyday

Catch up on coronavirus stories and special reports, curated by Mike Allen everyday

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Want a daily digest of the top Denver news?

Get a daily digest of the most important stories affecting your hometown with Axios Denver

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Want a daily digest of the top Des Moines news?

Get a daily digest of the most important stories affecting your hometown with Axios Des Moines

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Want a daily digest of the top Twin Cities news?

Get a daily digest of the most important stories affecting your hometown with Axios Twin Cities

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Want a daily digest of the top Tampa Bay news?

Get a daily digest of the most important stories affecting your hometown with Axios Tampa Bay

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Want a daily digest of the top Charlotte news?

Get a daily digest of the most important stories affecting your hometown with Axios Charlotte

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Photo: Mike Clarke / AFP via Getty Images

A year ago, the Department of Homeland Security gave nearly all civil federal agencies 12 months to adopt an email security standard that prevents email fraud. In data as recent as Monday, 2 sets of researchers show that between a quarter and a half of those agencies' web domains failed to meet the Tuesday deadline.

Why it matters: Email was not designed to check whether a message claiming to be from an email address actually came from that address, and that's a big gap. Just imagine how much chaos an attacker could cause by sending fraudulent emails messages from "evacuation-warnings@EPA.gov." When properly set up, DMARC plugs that security hole.

Details: DMARC (formally Domain-based Message Authentication, Reporting and Conformance) lets email programs check if a server sent a message. If not, DMARC can instruct it to reject the message, send the message to spam or do nothing out of the ordinary.

  • "It's a common sense security measure, and it makes no sense to allow criminals to send fake emails," said Patrick Peterson, executive chairman and founder of email security firm Agari.

Homeland Security gave agencies until Tuesday to implement the reject option.

  • Intelligence and defense agencies were exempt and, according to a study by the security advocacy group the Global Cyber Alliance and Agari, almost entirely did not comply.

By the numbers: Of 1315 federal web domains checked Monday morning, email security company ValiMail determined only 57% had met the federal mandate. In the more formal study by the Global Cyber Alliance and Agari, a different sample of 1144 sites found that 74% had complied. That leaves between 26% and 43% that have not.

  • Agari found more distinct sites that met the mandate and VailMail found more distinct sites that didn't. Based on those findings, at least 851 comply with the mandate and at least 564 did not.

Some extremely big-name agencies fall far short on DMARC, according to the Global Cyber Alliance / Agari study.

  • 13 out of 25 —more than half — of the tested domains run by the Executive Office of The President (colloquially known as the White House) had not implemented DMARC. Another 3 of the domains implemented DMARC without setting it to reject email.
  • Just under half of the Department of Commerce domains (25 out of 52) had not implemented DMARC.
  • Amtrak's lone domain had not implemented it, either.

ValiMail CEO Alex Garcia-Tobar notes that the results of his group’s work are encouraging and disappointing at the same time.

  • "The government has made amazing progress — going from 4% last year to over 50% this year. I've never seen them work this quickly on a security project," he said.
  • On the other hand, the unimplemented systems could be a real problem, Garcia-Tobar said. "Anything less than 100%, agencies are wide open to impersonation."

Don't forget: Not all compliant domains are created equal. Valimail found the compliance rate was, for example, much higher in domains that did not send out emails than in the ones that did.

  • "It’s much harder to put rules in place for domains that send emails than ones that don't," said Garcia-Tobar.

Go deeper

House passes sweeping election and anti-corruption bill

Photo: Win McNamee via Getty Images

The House voted 220-210Wednesday to pass Democrats' expansive election and anti-corruption bill.

Why it matters: Expanding voting access has been a top priority for Democrats for years, but the House passage of the For the People Act (H.R. 1) comes as states across the country consider legislation to rollback voting access in the aftermath of former President Trump's loss.

Updated 4 hours ago - Politics & Policy

House passes George Floyd Justice in Policing Act

Photo: Stephen Maturen via Getty Images

The House voted 220 to 212 on Wednesday evening to pass a policing bill named for George Floyd, the Black man whose death in Minneapolis last year led to nationwide protests against police brutality and racial injustice.

Why it matters: The legislation overhauls qualified immunity for police officers, bans chokeholds at the federal level, prohibits no-knock warrants in federal drug cases and outlaws racial profiling.

6 hours ago - Politics & Policy

Senate Republicans plan to exact pain before COVID relief vote

Sen. Ron Johnson. Photo: Stefani Reynolds/Bloomberg via Getty Images

Republicans are demanding a full, 600-page bill reading — and painful, multi-hour "vote-a-rama" — as Democrats forge ahead with their plan to pass President Biden's $1.9 trillion COVID-19 relief package.

Why it matters: The procedural war is aimed at forcing Democrats to defend several parts the GOP considers unnecessary and partisan. While the process won't substantially impact the final version of the mammoth bill, it'll provide plenty of ammunition for future campaign messaging.

You’ve caught up. Now what?

Sign up for Mike Allen’s daily Axios AM and PM newsletters to get smarter, faster on the news that matters.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!