Why is the US government lagging behind the UK on DMARC anti-spoofing?

News by Davey Winder

The US government has been criticised by a senator for failing to implement DMARC, a proven tool for curtailing the abuse of email domains by spammers and spoofers.

As Democratic Senator Ron Wyden continues to press the US Department of Homeland Security (DHS) to adopt a simple fix that would provide protection against phishing and other email-based fraud, SC Media wonders why more organisations haven't discovered DMARC?

UK government agencies have been rolling out Domain-based Message Authentication, Reporting & Conformance (DMARC) for more than a year now. Indeed, SC Media UK gave Ed Tucker from HMRC the best CISO award for his role in helping to eliminate spoofed tax emails purporting to be from HMRC using the DMARC protocol.

DMARC simply determines those servers that are authorised to send messages on behalf of an organisation, and any that fail its checks by spoofing an @hmrc.gov.co.uk address don't get delivered.

How successful has this been? Well HMRC reckon the number of spoofed emails has dropped from 500 million before the introduction of DMARC, to less than 200 million now. OK, so it's not a cure-all, but it sure is a security tonic.

The Cabinet Office Government Digital Services (GDS) mandated for compulsory DMARC adoption by all .gov address by October 2016. So what's holding the US government back, and other businesses on this side of the pond for that matter? SC Media has been investigating.

Let's start with the DHS issue, and why it is dragging its feet on this? Lee Munson, security researcher at Comparitech says that "given the nature of alleged advanced US cyber operations, not to mention the information-gathering capabilities of its own NSA, it seems remarkable that high profile agencies, such as the DHS, are seemingly incapable of getting the basics right".

Graeme Park, senior consultant at Mason Advisory, thinks it is unlikely to be a technical issue as there's no commentary from DHS representatives to suggest that. "More likely that this work is part of a wider security road map," Park explains, "either scheduled, unfunded or not a high priority compared with other projects."

And for those enterprises that have not implemented DMARC in the UK? Implementing DMARC would seem to be a win-win for those organisations that do it, but is there something we are missing that is holding back roll out?

Rahul Powar, CEO and founder of OnDMARC, told SC, "Most organisations don't really understand DMARC and the related email security protocols SPF & DKIM.  A lack of knowledge can cause confusion or give organisations the feeling that their existing measures in some way provide the same protections. The truth is that there is no equivalency but businesses need to be educated."

Watchguard Technologies CTO, Corey Nachreiner, agrees that lack of awareness is certainly an issue. However, he also points out, "There are some valid use cases where implementing DMARC could initially break things and require more complex configurations. Since email is such a core part of businesses, I suspect many are nervous about making a change that might inadvertently affect delivery."

We will leave the last words with one of the founding members of DMARC, Patrick Peterson, who told SC: "There needs to be a more concerted effort from the entire security industry to raise awareness with the key decision makers in both the public sector and at private enterprises on how effective DMARC is in blocking fraudulent emails, and how they can go about implementing it at their organisation."

Unfortunately, as is often the way with security, he said: "We often find organisations only start to consider DMARC and other identity-based defences after they've already been the victim of an attack..."


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews