Federal executive branch departments and agencies have until October 16 to configure a policy-based email domain validation system configured with the strongest setting. Most domains already comply with the mandatory requirement but whitehouse.gov is not yet among them.
The requirement is part of the Binding Operational Directive 18-01 issued last year by the US Department of Homeland Security (DHS) that seeks to improve email and web security by gradually deploying standards widely adopted by the industry.
DHS wants all the email servers of second-level agency domains to add support for the STARTTLS protocol that encrypts messages in transit and enable the Domain-based Message Authentication, Reporting and Conformance (DMARC) system to combat phishing and spam emails.
DMARC is an authentication, policy and reporting protocol that allows senders and receivers to share their email information and validate the messages.
DMARC allows a domain owner to publish a policy that tells the receiver of an email what to do with the message if it does not pass validation.
The policy used by a domain owner is configured with the "p=" directive. A domain owner can choose between 'p=none,' 'p=quarantine', or 'p=reject' if they want no action taken on the message, move it to an isolated folder (such as Junk), or have the receiver reject all emails that fail the DMARC check.
DHS gave a deadline of one year for all 1,144 domains impacted by the directive to add valid DMARC records configured with the 'p=reject' policy.
According to the latest report from Agari email security company,DMARC adoption rate as of September 14 was at 83% among .gov domains, regardless of the policy implemented.
The number drops to 64% for executive branch domains that already run with the 'p=reject' policy. This translates to 727 domains.
The official website of the White House has a DMARC record set for 'p=none,' which is of no help to the receiver because it allows all emails, forged or not, to reach their inbox.
"A “p=none” policy means that the Domain Owner is not asking the Receiver to take action if a DMARC check fails," reads the official DMARC FAQ page.
Other defense methods can still protect the receiver from fraudulent emails, including spam filters, IP reputation, or SPF and DKIM mechanisms. but with p=none being implemented, an extra barrier is eliminated.
With a properly configured record, the domain owner will have greater visibility into what email is sent under their domain's name, alerting them of the abusive activity.
This is not possible, though, in the case of the White House domain. The lookup tool at MXToolsbox shows that the DMARC record is invalid, just like the email address required for receiving the reports.
The DHS binding directive is clear about the deadline, the DMARC policy to be set, and the percentage of messages the filtering should apply to.
DHS.gov has a correct DMARC syntax but the policy is currently set to 'quarantine.' Also, the message filtering value is set to 50%.