Recently the CDC found itself in the awkward position of advising the public on email fraud and phishing. The reason: COVID contact tracing efforts have been thwarted by fraudulent email from professional phishing groups. Email phishing and email delivery are a systemic problem for governments and businesses alike.
As more federal, state and local agencies move online they generate more email to their constituents and users. Whether you are receiving confirmation on your recent driver’s license renewal or setting up a meeting about property taxes, ensuring the email reaches your inbox is a major concern. Unfortunately, the majority of American governmental agencies are poorly positioned to deliver email.
Blacklisting
Inbox providers use blacklists to filter incoming email. Email from IP addresses of a blacklist or containing Domain names on blacklists will be blocked or thrown into the Spam or Junk folders.
Unfortunately, on average 3.3% of government domains are blacklisted, meaning that their email is in jeopardy of being blocked.
| Agency | Blacklist % |
| City | 3.8% |
| County | 3.8% |
| Federal Agency – Executive | 1.1% |
| Federal Agency – Judicial | 0.0% |
| Federal Agency – Legislative | 4.4% |
| State | 3.3% |
City, County and State governments represent the majority of government domains and the highest percentage of blacklisted agencies, excluding the Legislative branch of the Federal government. This puts email correspondence with these smaller agencies in jeopardy.
SPF
SPF is a technology that allows a domain to designate a list of IP addresses or domains as legitimate senders on behalf of that domain. For example, your company could use MailChimps or SalesForce to send email to marketing and sales customers. SPF allows you to designate those two companies as valid senders and only these domains. Anyone else trying to send email using your domain would fail the SPF checks that inbox providers run on incoming email. A failed SPF check means that the email may be blocked or dumped to the Spam or Junk folders.
| Agency Type | % SPF |
| City | 72.7% |
| County | 70.1% |
| Federal Agency – Executive | 93.9% |
| Federal Agency – Judicial | 73.9% |
| Federal Agency – Legislative | 22.8% |
| State | 40.1% |
MxToolbox’s survey clearly shows that State and Legislative Agencies are failing to adequately use SPF to protect their email delivery. While City and County agencies fare slightly better, SPF adoption is required to get email to the inbox. Without SPF, anyone can attempt to send email that appears to come from a government agency, creating the potential for fraud and phishing using that agency’s domain name.
The lone bright spot in our survey is the Executive Branch of Federal government. The nearly 94% adoption of SPF reflects the Department of Homeland Security’s requirement to fully adopt DMARC by October of 2018 (SPF is a key component of DMARC). While some departments are behind, the DHS directive has definitely been successful. All US agencies need to make adopting SPF, and DMARC a priority to improve email delivery and protect their recipients from fraud and phishing using government domains.
DMARC
DMARC is a standard that allows a domain owner to do several things:
- Assign email addresses to be used for feedback from inbox providers regarding SPF, DKIM and DMARC compliance.
- Assign email addresses to be used for forensic samples of emails that fail SPF, DKIM or DMARC compliance.
- Set a Policy for how Inbox Providers should handle email from the domain that fails SPF, DKIM or DMARC compliance. Policy options are:
- None – Do nothing
- Quarantine – Set the email aside in a Quarantine type folder. Sometimes this is a Spam or Junk folder, sometimes this gets placed in a Quarantine spot the administrator can examine.
- Reject – Dump the email to trash. A reject policy is required by the Department of Homeland Security and to use the BIMI image standard.
- Specify a % of email to obey the Policy. The rest will be treated as in a None policy.
| Policy as a % of DMARC | % ofDomains | ||||
| Agency Type | % DMARC | None | Quarantine | Reject | Reject |
| City | 13.1% | 56.6% | 24.5% | 13.8% | 1.8% |
| County | 20.7% | 52.8% | 25.8% | 19.7% | 4.1% |
| Federal Agency – Executive | 90.4% | 2.8% | 1.4% | 93.6% | 84.6% |
| Federal Agency – Judicial | 17.4% | 50.0% | 25.0% | 25.0% | 4.3% |
| Federal Agency – Legislative | 13.2% | 40.0% | 13.3% | 46.7% | 6.1% |
| State | 12.0% | 57.4% | 14.0% | 24.0% | 2.9% |
The Executive Branch with 90% DMARC adoption is well out in the lead, again owing to Department of Homeland Security requirements. Unfortunately, all other agencies are dangerously behind, risking their email deliverability. In our recent case studies, we found that improving DMARC compliance can dramatically improve email open rates and click through rates. If government agencies want to connect with constituents, they need to adopt DMARC as soon as possible.
Fraud and Phishing Protection
Ultimately, to protect your recipients from Fraud and Phishing using your domain, you need to adopt a strict Reject DMARC policy. A Reject policy tells the inbox provider to completely reject email that does not pass SPF, DKIM and DMARC checks. Unless they gain access to your servers or the servers of your legitimate senders, fraudsters’ emails will be blocked by a DMARC Reject policy. While getting to a DMARC Reject policy requires careful management and attention to prevent legitimate email from being blocked, the benefit of protecting your email, your brand and your customers outweighs the complexity and cost.
Taken as a whole, Government agencies are woefully inadequate in their support for DMARC reject policies and guarding their email from fraud and phishing. Particularly troubling are the state, county and city governments with low single digit support. Government agencies need to be a trusted source of information. Unfortunately, with their current DMARC configurations, the domains of government agencies are at tremendous risk of being used in fraud and phishing attacks.
How can you or governments adopt DMARC?
Any domain owner must adopt SPF and DMARC immediately. When adopting DMARC, it pays to invest in an email delivery management platform that can help you analyze your email senders, manage the quality of your senders and help you obtain a DMARC Reject policy that does not limit legitimate email. Without analyzing the SPF, DKIM and DMARC compliance of your email, both legitimate and fraudulent, you will not be able to protect your email deliverability.
MxToolbox Delivery Center
To maintain the highest levels of email deliverability, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center. Delivery Center provides you with valuable insight into your email delivery posture and the ongoing maintenance necessary to maintain peak performance:
- Manage SPF, DKIM, and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
- Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
- Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.
- Gradually move your DMARC policy to Reject to enable better inbox placement opportunities.
- Manage the on-going requirements of maintaining high levels of email deliverability