Homeland Security tells federal agencies to secure email -- now

They've got 90 days to roll out an email validation system that should help protect against spoofed emails and phishing attacks.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

Microsoft's Outlook uses DMARC, an email authentication method that prevents spoofing. Now the federal government will, too.

How do you know if that email from the IRS is really from the federal agency? It's not always easy to tell if something you get from a .gov address is the real deal or a scam.

But the Department of Homeland Security on Monday announced a move that should help put an end to impostor emails. All federal agencies have been given 90 days to implement DMARC, a basic email security feature that prevents spoofing.

"You got a lot of people trying to trick people into thinking they're from the IRS, or vice versa, trying to get into US government systems via phishing attacks," Jeanette Manfra, an assistant secretary in the agency's office of cybersecurity and communication, said Monday while announcing the order at the Manhattan District Attorney's office.

DMARC, which stands for "Domain-based Message Authentication, Reporting and Conformance," is used by the majority of consumer email systems, like Gmail, Outlook and Yahoo. But DMARC has a harder time finding its way to government email addresses, where people could pretend to be from a senator's office or a government agency as part of a scam.

In July, Sen. Ron Wyden, a Democrat from Oregon, penned a letter (PDF) to Manfra requesting that federal agencies be required to implement DMARC. That was after hackers reportedly used spoofed emails in May pretending they were part of the Pentagon. And the IRS reported a four-fold jump in spoofing attacks in 2016 from 2015.

Under the new requirements, DMARC would be able to stop these impersonation attacks, Manfra said.

The DHS is also requiring all federal agencies to update their websites to use HTTPS, a secured version of web pages that prevents snoops from seeing your traffic online. About half of the websites online use HTTPS, but about a quarter of all federal government sites still don't.
