In an attempt to make email more secure, the U.S. Department of Homeland Security just announced it will now require federal agencies to adhere to two security protocols: DMARC and STARTTLS. These measures should make it harder for hackers to intercept emails or impersonate government officials via email.
In particular, DMARC—which stands for Domain-based Message Authentication, Reporting and Conformance—can detect spoofed emails and stop them from being sent when it’s clear someone is trying to impersonate a federal agency. The point of DMARC is to make it harder for hackers to run email phishing scams, because they can now only spoof unprotected domain names.
On the other hand, STARTTLS is an encryption protocol that protects email as it travels from one server to another, making it harder for hackers to intercept it. Together, STARTTLS and DMARC can help reduce the odds of individuals getting emails that look like they were legitimately sent from the White House—but were really sent by hackers who are phishing through email.
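To make the two checks concrete, here is an added example (not code from the original article) that classifies a domain's DMARC posture from its `_dmarc` TXT record and tells whether a mail server's EHLO reply advertises STARTTLS. The domain names, records and EHLO text are constructed samples, and the `.example` domains are hypothetical.

```python
# DMARC policies a valid record may declare (RFC 7489, tag "p").
DMARC_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'
    into a dict of tags. Returns None when the text is not a valid DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in DMARC_POLICIES:
        return None
    return tags


def dmarc_status(txt):
    """Classify a domain's DMARC posture from its _dmarc TXT record (or None)."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "missing"        # no valid record: receivers cannot reject spoofs
    if tags["p"] == "none":
        return "monitor-only"   # reports are sent, but spoofed mail is still delivered
    return "enforcing"          # quarantine or reject: spoofs are filtered


def advertises_starttls(ehlo_response):
    """Given the text of an SMTP EHLO reply, report whether STARTTLS is offered."""
    return any(line[4:].strip().upper() == "STARTTLS"
               for line in ehlo_response.splitlines()
               if line.startswith("250"))


def audit(dmarc_records):
    """Map each domain to its DMARC status; input is {domain: TXT record or None}."""
    return {domain: dmarc_status(record) for domain, record in dmarc_records.items()}


# Constructed sample data (hypothetical domains, not real DNS or SMTP output).
SAMPLE_DMARC = {
    "agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=none; rua=mailto:reports@agency-b.example",
    "agency-c.example": None,
}
SAMPLE_EHLO = "250-mail.agency-a.example\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    for domain, status in audit(SAMPLE_DMARC).items():
        print(f"{domain}: DMARC {status}")
    print("STARTTLS advertised:", advertises_starttls(SAMPLE_EHLO))
```

For a live check, the TXT record comes from a DNS query for `_dmarc.<domain>` and the EHLO text from an SMTP session to the domain's MX host.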
Government agencies are required to start using these two email protocols within 90 days. However, some private companies have been using them for years. For example, Uber, Apple, Facebook, LinkedIn, and Amazon already use DMARC.
So it’s kind of surprising that use of these security protocols is just now required of government agencies. In fact, less than 10 percent of federal domains use DMARC, with the Social Security Administration and the Federal Trade Commission being two of them. Even the agency in charge of the Pentagon’s email only began using STARTTLS a few months ago.
The small number of federal agencies using the right email security protocols was worrisome enough that one Democratic Senator—Ron Wyden—sent a letter to the Department of Homeland Security. In the letter, he asked the government to require federal agencies to start using DMARC so they could avoid allowing phishing scams to continue unchecked. He pointed out that the technology does exist, yet it’s mostly private companies using it, not federal agencies.
Considering the fact that the IRS alone saw a 400 percent increase in cyber criminals impersonating the agency in an attempt to get money from email recipients, the required use of better email security protocols is long overdue. Hopefully the directive will help reduce the number of phishing emails that hackers have been sending to people over the years while pretending to be government agencies.