by csharpminor
1013 days ago
I completely agree. As an aside, for .gov domains, the DMARC offenders are primarily at the state, county, and local level. I would personally be in favor of extending CISA’s DMARC requirements to anyone with a .gov domain (and revoking domains that are non-compliant). Another misconception among many CIO/CISOs is that securing your individual subdomain with DMARC is enough. For example, dmv.ca.gov might have DMARC on its subdomain but not on the root, allowing a scammer to make up their own subdomain like “vehicles.ca.gov” and scam people into paying for fake vehicle registration. Of course there are other mechanisms inbox providers use to protect recipients, but without a DMARC policy on the root domain the door is left open. This is especially prevalent at the state level where no one wants to own DMARC centrally.
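An added example, not part of either commenter's post, that models the DMARC policy discovery a receiver performs (RFC 7489 section 6.6.3) against a constructed in-memory DNS table: it shows why a record on dmv.ca.gov alone gives a made-up vehicles.ca.gov no policy at all, and how a root record on ca.gov with an sp= tag closes that gap. The domain names, records and the tiny public-suffix stand-in are assumptions for illustration only.

```python
"""Offline model of DMARC policy discovery (RFC 7489 section 6.6.3).

A receiver first looks up _dmarc.<from-domain>. If no usable record exists
it falls back to _dmarc.<organizational-domain> and, because the sender is a
subdomain, applies that record's sp= tag (defaulting to its p= tag).
"""
from typing import Optional

# Constructed zone data (not real DNS): only dmv.ca.gov has published a record.
DNS_TXT = {
    "_dmarc.dmv.ca.gov": "v=DMARC1; p=reject; rua=mailto:dmarc@dmv.ca.gov",
}

# Tiny stand-in for the public suffix list; real receivers use the full list.
PUBLIC_SUFFIXES = {"gov", "com", "org"}


def organizational_domain(domain: str) -> str:
    """Return the registered domain: one label to the left of the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain


def parse_dmarc(txt: str) -> Optional[dict]:
    """Parse 'tag=value; tag=value' into a dict; None unless it is a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" and "p" in tags else None


def dmarc_policy(from_domain: str, dns=DNS_TXT) -> Optional[str]:
    """Policy a receiver would apply to mail From: from_domain, or None if unprotected."""
    rec = parse_dmarc(dns.get(f"_dmarc.{from_domain}", ""))
    if rec:
        return rec["p"]
    org = organizational_domain(from_domain)
    if org == from_domain:
        return None  # already at the root and nothing published
    rec = parse_dmarc(dns.get(f"_dmarc.{org}", ""))
    if rec:
        return rec.get("sp", rec["p"])  # subdomain policy falls back to p=
    return None


# The fix the comment argues for: a policy on the root that also covers subdomains.
FIXED_DNS = dict(DNS_TXT, **{"_dmarc.ca.gov": "v=DMARC1; p=reject; sp=reject"})
```

With only the dmv.ca.gov record, `dmarc_policy("vehicles.ca.gov")` returns None; with the root record in `FIXED_DNS` it returns "reject". Note that a root record with `sp=none` would still leave subdomains effectively unprotected, so the sp= tag matters as much as publishing at the root.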
This has been my experience as well. Likely due to their systems being managed by lowest-bidder MSPs.
Someone once shared their own analysis of each state's configuration a few years ago:
https://old.reddit.com/r/sysadmin/comments/cawch1/united_sta...
I wonder how it looks today.