Why DHS is telling all feds to implement DMARC email security

DHS' Assistant Secretary for Cybersecurity, Jeanette Manfra, gives the reasoning for DHS's latest order.
Jeanette Manfra
DHS Assistant Secretary for Cybersecurity Jeanette Manfra talks at CyberScoop's CyberTalks in 2017. (CyberScoop)

An email security program that the Department of Homeland Security has made mandatory for U.S. agencies will stop hackers, online scammers and spies from impersonating federal email addresses — and boy, is it ever needed.

It comes as new figures suggest that more than 1 in 4 emails from .gov addresses might be malicious criminal spam.

Domain-based Message Authentication, Reporting and Conformance (DMARC) is the industry standard measure to prevent the spoofing of emails — when hackers make their messages appear as if they come from trusted correspondents, explained DHS Assistant Secretary for Cybersecurity and Communications Jeanette Manfra.

“It’s a reasonable action that agencies can take; it’s in line with industry best practices; and it has broad, scalable impact across the whole [online] ecosystem,” Manfra told CyberScoop in an interview, outlining her rationale. “It was one of the first things we started work on” after she was appointed acting assistant secretary earlier this year.


Agari, a company which provides email security for 400 .gov email domains — including numerous “defensively registered” ones that don’t actually send email on behalf of government agencies at all — released figures this week showing that nearly 90 percent of them were spoofed. Overall, just over 25 percent of email claiming to come from those domains was malicious — mostly so called phishing emails appearing to a come from a trusted third party, but bearing a malicious attachment or directing readers to a website where login and password credentials can be stolen.

“DMARC allows authentication between the sender and receiver that this is legitimate traffic,” said Manfra. When both sender and receiver have DMARC implemented and fully switched on, “that keeps those phishing emails from even being delivered,” she added.

Government employees get a lot of phishing and spear-phishing (personalized phishing) email she said, so the move would protect government networks, as well as shielding citizens from scammers trying to impersonate federal agencies.

DMARC grew out of a 2007 effort by PayPal and Yahoo to stop rampant email phishing of PayPal users. They succeeded in leveraging two existing email security standards — Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) — to ensure that spoofed email would not be delivered.

A working group of email experts from many tech firms, financial institutions and e-commerce companies called the Messaging Operational Overlay Coalition Of the Willing, (MOOCOW) worked for five years to turn DMARC into a generalizable standard, according to a brief history published by Agari.


Three years later, in 2105, it was published by the Internet Engineering Task Force. Now, the vast majority of consumer email providers enable it, meaning if a sender has it activated, no spoofed email from that address will be delivered.

At a CyberTalks keynote Wednesday, Manfra used DMARC to make a broader point about the way cybersecurity works.

“DMARC only works if both sender and receiver have it,” she said, and “Security only works if we all do it,” because each party is only as strong as the weakest link.

“We are signaling that [DHS] is going to take the lead,” in security best practices, she added, urging industry to follow suit.

Initially, said Manfra, agencies would implement DMARC in a monitor-only mode called p=none, where information about senders is collected, but all email is delivered. When DMARC is fully switched on, it is set to p=quarantine, in which case unauthenticated email is delivered to a spam folder; or p=reject, in which case it is not delivered at all.


Agencies have a year to set p=reject “across all the relevant ways that the government sends email,” said Manfra.

She said she expected buy-in across agencies because CIOs and CISOs across the federal government had been engaged through the CIO and CISO council for about 60 days.

“It’s always a matter of priorities,” she said, “CIOs and CISOs are very busy.” Nonetheless they were “eager to see this happen,” in part because it would give CIOs a lever to use on their own management.

“It can assist them with their own prioritization efforts,” she said.


Latest Podcasts