Top Federal IT Contractors Leave Emails Vulnerable to Phishing, Spoofing

As Federal Agencies Work to Add DMARC Protections, Largest Government Contractors Have Work to Do

Washington, DC – Only one of the largest federal contractors have fully implemented the top defense against email phishing and spoofing, according to research released today by the Global Cyber Alliance (GCA). In an examination of the top 50 information technology (IT) contractors to the United States government, GCA found that only one contractor is using email-validation security – the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol – at its highest level.

DMARC weeds out fake emails (known as direct domain spoofing) deployed by spammers and phishers targeting the inboxes of workers in all sectors of society.  According to the 2017 Symantec ISTR report, 1 in 131 emails contained malware, the highest rate in 5 years.

Late last year, the Department of Homeland Security mandated that all federal agencies implement DMARC. Security experts praised DHS and Senator Ron Wyden, who called for agencies to implement DMARC, for pushing government agencies to quickly implement DMARC at the highest level possible. Contractors’ failure to follow suit could make them more enticing to threat actors looking for new ways to access government information.

“Threat actors don’t quit when they see an obstacle; they simply look for another way in,” said Philip Reitinger, president and CEO of the Global Cyber Alliance. “DMARC adds a layer of protection for email, and we applaud DHS’s move to ensure implementation of DMARC for federal agencies. Government contractors should also shore up their defenses and adopt DMARC to protect their government and other clients with whom they exchange email. We know that the vast majority of attacks start with a phishing email. DMARC should be an operational standard to reduce risk.”

Using GCA’s DMARC tools, the researchers determined how far organizations were in implementing DMARC. More than half of the contractors reviewed had not yet implemented DMARC at all.

DMARC CountEffect at this level of implementation
Domains Tested50(The email domains of the 50 largest government contractors in 2017 according to Washington Technology)
Reject1The highest level of DMARC protection. If reject is in place, incoming messages that fail authentication get blocked.
Quarantine1The second highest level of DMARC protection. With quarantine in place, emails that don’t meet the policy are sent to the spam or junk folder.
None21“None” means that a DMARC policy is in place but only monitoring is taking place. No action is being taken to block spoofed emails.
No Policy27“No policy” means that DMARC is not being used.*
Error*1One contractor appeared to have DMARC misconfigured.


The list of contractors identifies the largest government contractors in the IT and systems integration space according to their prime contracting dollars for fiscal year 2016.

“Threat actors are using email to go after organizations of all kinds and sizes,” Reitinger said. “Leaders in the U.S. and U.K.  are implementing DMARC because they understand the threat and the impact a well-designed phishing scam could have on a critical agency. The leading U.S. IT contractors should take similar steps to secure the government and citizens.”

GCA has published four reviews of DMARC implementation – two looking at organizations in cybersecurity, one looking at banks, and another examining public and private hospitals. The contractors’ results were the worst in any sector examined thus far. When Agari looked at Fortune 500 companies last August, they found 8 percent protected their companies’ domains with DMARC.

For more details about DMARC or to check if an organization is using DMARC, visit:

About the Global Cyber Alliance

The Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to eradicating cyber risk and improving our connected world. We achieve our mission by uniting global communities, implementing concrete solutions, and measuring the effect. GCA, a 501(c)3, was founded in September 2015 by the Manhattan District Attorney’s Office, the City of London Police and the Center for Internet Security. Learn more at