DMARC has been fully implemented on roughly two thirds of U.S. government domains, but agencies have less than a month to roll out the email security standard on the remaining websites.
The Binding Operational Directive (BOD) 18-01, issued by the DHS in October 2017, instructs all federal agencies to start using web and email security technologies such as HTTPS, STARTTLS, SPF and DMARC.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication, policy, and reporting protocol designed to detect and prevent email spoofing. Organizations can set the DMARC policy to “none” to only monitor unauthenticated emails, “quarantine” to send them to the spam or junk folder, or “reject” to completely block their delivery.
The DHS has instructed federal agencies to fully implement DMARC (i.e. set their DMARC policy to “reject”) on all .gov domains by October 16, 2018.
Email threat protection company Agari has been monitoring progress and, according to its latest report, as of September 14, DMARC had been fully implemented on 64% of 1,144 domains. DMARC has been rolled out with at least a “none” policy on 83% of domains.
“This is significantly better adoption than the commercial sector, where two-thirds (67%) of the Fortune 500 have not published any DMARC policy,” Agari said in its report.
The government organizations that have implemented a “reject” policy on less than half of their domains include the Consumer Financial Protection Bureau, the Department of Commerce, the Department of Energy, and the Executive Office of the President.
The security firm pointed out that of the 417 executive branch domains that have not implemented a “reject” policy, 89% are actively sending emails, which could hamper compliance efforts.
“With less than one month until the final BOD 18-01 deadline, the U.S. Government has made tremendous strides forward in its DMARC adoption and compliance efforts. Most federal agencies and the citizens they serve are now realizing the benefits of DMARC,” Agari said. “Executive branch agencies such as the Department of Health and Human Services have implemented a ‘p=reject’ policy across hundreds of domains to automatically block phishing email attacks and prevent domain spoofing. Yet hundreds of other federal domains still remain vulnerable to these attacks.”
Proofpoint has also recently published a report on DMARC adoption and compliance with BOD 18-01, but the company also took into account the implementation of the Sender Policy Framework (SPF), which along with DomainKeys Identified Mail (DKIM) forms the foundation of DMARC. Proofpoint analyzed the full set of federal civilian domains provided by the federal government, which includes 200 additional domains compared to what Agari has been monitoring.
Data from Proofpoint shows that nearly 52% of all domains have both a valid SPF record and the DMARC policy set to “reject.” However, only 34 of the 133 agencies under the BOD mandate, representing roughly 24%, were fully compliant at the time of the study.
Related: DMARC in Higher Education – A Formidable Defense Against Targeted Scams

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
Latest News
- Russia-Linked APT29 Uses New Malware in Embassy Attacks
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- The Effect of Cybersecurity Layoffs on Cybersecurity Recruitment
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
