Federal domain adoption of the DMARC email security scheme in the US increased 38% in 30 days, with 151 more domains now protected.
According to an analysis on its adoption by Agari, adoption is up from 34% of domains implementing DMARC on November 18 to 47% on December 18. This shows rapid adoption of the critical email authentication standard ahead of a January 15 deadline for the Department of Homeland Security (DHS) directive to do so. DHS announced Binding Operating Directive (BOD) 18-01 in October, which mandates that all federal domains implement DMARC, TLS and HTTPS to prevent domain name spoofing and to secure email communication.
“DMARC has proven to be an effective solution to secure our federal domains, but more work is needed to protect all federal domains. The time to act is now; deadlines to comply with [the operational directive] are imminent,” said Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications, DHS. “Cybersecurity is a critical component of our homeland security policy, but it is also a shared responsibility. It is crucial for US citizens to trust that an email from a government agency is legitimate.”
Agari research also shows the effectiveness of the DMARC security control across federal agencies. Of the billions of emails sent across the more than 400 federal government domains secured by Agari, 96% of the emails are protected by the strongest DMARC policy (p=reject), including those in the US Senate, Veterans Affairs, Health and Human Services and the US Post Office. All of these have seen attempted fraud send rates decrease to less than 2% in December, Agari said.
“This research shows that DMARC does more than protect federal domains, it protects all of us—even our mothers and fathers—from billions of phishing emails every day,” said Patrick Peterson, founder and executive chairman, Agari. “The increase in adoption is a smashing early success. We hope that all agencies will follow Agari’s federal agency clients, to comply with the directive and help eliminate phishing and spam related to domain spoofing and ensure a trusted digital channel for US citizens.”
Federal departments and agencies have 90 days to implement DMARC at its lowest setting (monitoring, P=none) and one year to implement DMARC at its highest setting (P=reject), which prevents unauthorized mail from being sent.
About half (53%) still have not deployed DMARC, just ahead of the first DHS deadline.