DMARC Policies for Whitehouse.gov Make Spoofing Emails Easier

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email-validation system designed to detect and prevent email spoofing. It is intended to combat certain techniques often used in phishing and email spam, such as emails with forged sender addresses that appear to originate from legitimate organizations.

Federal executive branch departments and agencies have until October 16 to deploy a policy-based email domain validation system and configure it with the strongest setting. Most domains already comply with this mandatory requirement, but whitehouse.gov is not yet among them.

The requirement is part of the Binding Operational Directive 18-01 issued last year by the US Department of Homeland Security (DHS) that seeks to improve email and web security by gradually deploying standards widely adopted by the industry.

DHS wants all the email servers of second-level agency domains to support the STARTTLS protocol, which encrypts messages in transit, and to enable the Domain-based Message Authentication, Reporting and Conformance (DMARC) system to combat phishing and spam emails.

Brief overview of DMARC

DMARC is an authentication, policy and reporting protocol that allows senders and receivers to share information about email authentication and to validate messages.

It is built on the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) mechanisms, which can verify the legitimacy of a message’s origin.

DMARC allows a domain owner to publish a policy that tells the receiver of an email what to do with the message if it does not pass validation.

The policy used by a domain owner is configured with the “p=” directive. A domain owner can choose between ‘p=none’ (no action is taken on the message), ‘p=quarantine’ (the message is moved to an isolated folder, such as Junk), or ‘p=reject’ (the receiver rejects all emails that fail the DMARC check).

Hundreds of .gov domains already comply

DHS gave a deadline of one year for all 1,144 domains impacted by the directive to add valid DMARC records configured with the ‘p=reject’ policy.

According to the latest report from Agari, an email security company, the DMARC adoption rate as of September 14 was 83% among .gov domains, regardless of the policy implemented.

The number drops to 64% for executive branch domains that already run with the ‘p=reject’ policy, which translates to 727 domains.

The White House needs a DMARC fix

The official website of the White House has a DMARC record set for ‘p=none,’ which is of no help to the receiver because it allows all emails, forged or not, to reach their inbox.

“A ‘p=none’ policy means that the Domain Owner is not asking the Receiver to take action if a DMARC check fails,” reads the official DMARC FAQ page.

Other defense methods can still protect the receiver from fraudulent emails, including spam filters, IP reputation, or the SPF and DKIM mechanisms, but with p=none in place, an extra barrier is eliminated.

With a properly configured record, the domain owner gains greater visibility into what email is sent under their domain’s name, alerting them to abusive activity.

This is not possible, though, in the case of the White House domain: the lookup tool at MXToolbox shows that the DMARC record is invalid, as is the email address required for receiving the reports.

DHS domain not fully compliant

The DHS binding directive is clear about the deadline, the DMARC policy to be set, and the percentage of messages the filtering should apply to.

DHS.gov has a syntactically correct DMARC record, but the policy is currently set to ‘quarantine’ and the message filtering value is set to 50%.

Two examples to follow are the domains of the FBI and of the Federal Reserve Bank, whose DNS records set the DMARC policy to ‘reject’ and the message filtering value to 100%.
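To make the policy and filtering semantics discussed above concrete (the ‘p=’ directive in the overview section and the ‘quarantine’/50% versus ‘reject’/100% comparison in this section), here is a small checker that parses a DMARC TXT record and reports how far it falls short of the directive’s target of p=reject with 100% filtering and a working aggregate-report address. This is an added example, not code from the article or from DHS; it assumes that the “message filtering value” the article refers to is the DMARC `pct` tag and that aggregate reports are requested with the `rua` tag (both defined in RFC 7489). The sample records are constructed for illustration and are not the live records of whitehouse.gov, dhs.gov or any other domain.

```python
"""Parse a DMARC TXT record and grade it against the BOD 18-01 target
(p=reject, pct=100, with a valid aggregate-report address).

Added example; the records below are constructed, not live DNS data.
"""
import re
from dataclasses import dataclass, field

VALID_POLICIES = ("none", "quarantine", "reject")
# Accepts mailto:user@host.tld with an optional RFC 7489 size limit (e.g. !10m).
MAILTO_RE = re.compile(r"mailto:[^@\s]+@[^@\s]+\.[^@\s]+(!\d+[kmgt]?)?", re.I)


@dataclass
class DmarcRecord:
    tags: dict = field(default_factory=dict)
    errors: list = field(default_factory=list)

    @property
    def valid(self):
        return not self.errors


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; ...' into tags and collect syntax errors."""
    rec = DmarcRecord()
    parts = [p.strip() for p in txt.strip().split(";") if p.strip()]
    for part in parts:
        if "=" not in part:
            rec.errors.append(f"malformed tag: {part!r}")
            continue
        key, value = part.split("=", 1)
        rec.tags[key.strip().lower()] = value.strip()
    # RFC 7489: the record must begin with v=DMARC1 and p= is mandatory.
    if not parts or not parts[0].replace(" ", "").lower().startswith("v=dmarc1"):
        rec.errors.append("record must start with v=DMARC1")
    if "p" not in rec.tags:
        rec.errors.append("missing required p= tag")
    elif rec.tags["p"].lower() not in VALID_POLICIES:
        rec.errors.append(f"unknown policy {rec.tags['p']!r}")
    pct = rec.tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        rec.errors.append(f"pct must be 0-100, got {pct!r}")
    # Report addresses must be mailto: URIs, or receivers cannot deliver reports.
    for tag in ("rua", "ruf"):
        for uri in rec.tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri and not MAILTO_RE.fullmatch(uri):
                rec.errors.append(f"{tag} URI is not a valid mailto: {uri!r}")
    return rec


def assess(txt):
    """Return the findings that keep a record below the p=reject/pct=100 target.

    An empty list means the record meets the target.
    """
    rec = parse_dmarc(txt)
    if rec.errors:
        return list(rec.errors)
    findings = []
    policy = rec.tags["p"].lower()
    pct = int(rec.tags.get("pct", "100"))
    if policy == "none":
        findings.append("p=none: receivers take no action on failing mail")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail is only moved to spam/junk")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in rec.tags:
        findings.append("no rua= address: owner receives no aggregate reports")
    return findings


# Constructed sample records illustrating the postures described in the article.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.gov",
    "partial-quarantine": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.gov",
    "target": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.gov",
    "broken-report-address": "v=DMARC1; p=reject; rua=dmarc-reports",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        findings = assess(record) or ["meets p=reject / pct=100 target"]
        print(f"{name}: {record}")
        for line in findings:
            print(f"  - {line}")
```

Running the script prints one block per sample record; the ‘partial-quarantine’ record produces two findings (policy and pct), the ‘target’ record none, and the record with a bare `rua=dmarc-reports` value is rejected at parse time, which is the same class of defect the article describes for a report address that cannot receive reports.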
