
DHS issues directive for federal agencies to use DMARC, HTTPS, and STARTTLS

In an attempt to secure emails and deploy authentication technologies, the U.S. Department of Homeland Security (DHS) on October 16, 2017, issued a binding operational directive requiring all federal agencies to use DMARC, HTTPS, and STARTTLS.

Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication protocol designed to prevent phishing and spam attacks. All federal agencies have been instructed to implement it within one month.

DMARC has three policy levels for handling mail that fails authentication: monitoring it for phishing and spam, quarantining it, or rejecting it outright. It builds a whitelist of verified senders for a domain, so that receiving servers deliver only authenticated mail and discard forged messages before a user ever sees them. It also restricts the ability of company employees to send out unauthorized email campaigns.

During a joint press conference with the Global Cyber Alliance, Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications at the DHS, said “over the coming year, the DHS aims to have 100% of federal agencies rejecting phishing and spam emails”.

“Citizens who depend upon interaction with the government deserve a trusted relationship. So, if they see an email from the IRS or FEMA, they need to believe and trust it is an email from the IRS or FEMA,” Manfra said.

Within the coming four months, all federal agencies must use encryption on their websites via HTTPS and on their email via STARTTLS. Tech giants such as Microsoft, Google and Yahoo already support DMARC for their email services.

Seventy-six percent of global email accounts, or 4.8 billion inboxes worldwide, support DMARC, a DHS and industry report said. Federal agencies and enterprise companies are far from the 50% DMARC level, the report added.

According to an analysis of DNS records by Agari, two-thirds of Fortune 500 companies have not deployed any level of DMARC. Twenty-five percent of survey respondents chose to only monitor email, 3 percent have a quarantine policy, and 5 percent have implemented a reject policy, the Agari report revealed.

Patrick Peterson, Agari’s founder and executive chairman, said “this mandate will reduce risk for the enterprise as many phishing and malware attacks impersonate government agencies such as recent threats highlighting SEC and IRS spoofing. This leadership from DHS also sets a clear message that DMARC is valuable and should be implemented at scale which will drive enterprise awareness and adoption”.

A 2016 report by Valimail found that 62 percent to 80 percent of DMARC efforts failed. The report cited reluctance to change back-end email systems, which have complex DNS tables, as the reason for the slow pace of DMARC deployment.

Peter Goldstein, chief technology officer and co-founder of Valimail, said “you have to get to enforcement to get real value out of DMARC. At enforcement, receiving mail servers are instructed to quarantine (flag as spam) or delete messages that fail authentication. But getting there requires authenticating all of an organization’s legitimate senders — both internal and cloud services sending on their behalf”.
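The policy levels described above (monitor, quarantine, reject) and the distinction between merely publishing a record and reaching enforcement are easy to check from the `_dmarc` TXT record itself. The following is an added example, not code from DHS, Agari or Valimail: it parses DMARC records, buckets domains the way the Agari-style survey does, and applies Goldstein's enforcement test (quarantine or reject for 100% of mail, subdomains included). No DNS lookups are made; the sample records are constructed.

```python
from collections import Counter

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the tags of a DMARC TXT record, or None if it is not one.
    The record must start with v=DMARC1 and carry a valid p= tag; tags are
    semicolon-separated and surrounding whitespace is ignored."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("p") in VALID_POLICIES else None

def classify(txt):
    """Survey bucket: 'none' (no usable record), 'monitor' (p=none), 'quarantine' or 'reject'."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "none"
    return "monitor" if tags["p"] == "none" else tags["p"]

def at_enforcement(txt):
    """True only if failing mail is quarantined or rejected for 100% of messages
    (pct defaults to 100) and subdomains are not left at none (sp defaults to p)."""
    tags = parse_dmarc(txt)
    if tags is None or tags["p"] == "none":
        return False
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False
    return pct == 100 and tags.get("sp", tags["p"]) != "none"

def survey(records):
    """Share of domains in each bucket for a {domain: txt_or_None} mapping."""
    counts = Counter(classify(txt) for txt in records.values())
    buckets = ("none", "monitor", "quarantine", "reject")
    return {b: counts[b] / len(records) for b in buckets}

# Constructed sample of four domains (not real DNS data).
SAMPLE = {
    "agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@agency-b.example",
    "agency-c.example": "v=DMARC1; p=quarantine; pct=10",
    "agency-d.example": None,
}
```

In the sample, only agency-a is at enforcement: agency-c publishes a quarantine policy but applies it to just 10% of mail, which is why surveys that count published policies overstate real protection.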

Industry experts said the protocol’s low adoption rate may be due to a lack of user education, as well as hesitation to try a new technology.

However, Shehzad Mirza, Global Cyber Alliance (GCA) director of global operations, said “[the] organization has a relatively easy DMARC setup guide on its website”, adding that “anyone with an email domain, small businesses, large businesses, should be using it.”