Connect with us

Hi, what are you looking for?


Email Security

Many Federal Agencies Fail to Meet DMARC Implementation Deadline

The U.S. Department of Homeland Security (DHS) last year ordered government organizations to secure their email and web assets, but many agencies have failed to meet the deadline.

The U.S. Department of Homeland Security (DHS) last year ordered government organizations to secure their email and web assets, but many agencies have failed to meet the deadline.

The Binding Operational Directive (BOD) 18-01, issued by the DHS on October 16, 2017, instructs federal agencies to start using web and email security technologies such as HTTPS, STARTTLS, SPF and DMARC. Agencies were given one year to set their DMARC policy to “reject,” which completely blocks the delivery of unauthenticated emails.

Several cybersecurity firms have been monitoring the progress, including Agari, Valimail and Proofpoint. They all found that while significant progress has been made, there are still many agencies that are not compliant one year after the directive was issued.

Agari has been monitoring 1,144 domains and found that 851 of them, representing 74%, have implemented DMARC with a “reject” policy as dictated by BOD 18-01. The company also pointed out that of the 278 domains with no policy or a “none” policy, only 28 are defensive domains (i.e. they don’t actively send email).

There are 46 executive branch agencies that have fully implemented DMARC, and 57 that either have no DMARC record or still have a “none” policy. A majority of the organizations that failed to become compliant only have one or two domains, Agari said.

“BOD 18-01 has clearly made a positive impact on the cybersecurity posture of the United States government,” commented Agari’s Fareed Bukhari. “It’s really great to see such a dramatic increase in adoption in such a short time frame. This is the fastest and most complete adoption of the DMARC standard for any industry in history. Private enterprise is definitely lagging behind the public sector now.”

Proofpoint has monitored 1,311 domains, including federal civilian domains, and its analysis also took into account the implementation of the Sender Policy Framework (SPF), which along with DomainKeys Identified Mail (DKIM) forms the foundation of DMARC. BOD 18-01 also requires the implementation of SPF.

Advertisement. Scroll to continue reading.

Data collected by Proofpoint shows that over 60% of .gov domains are compliant with the BOD. Of all the organizations, 56% have implemented DMARC themselves and 21% have contracted the services of specialized providers.

BOD 18-01 deadline

“While not every agency is DMARC compliant with BOD 18-01 at the deadline, the progress made over the past year is commendable. Ideally, we will continue to see this positive trend until each agency fully protects their domains from email spoofing attacks. And while it is nice to see other industry groups taking a similar stance with DMARC authentication, BOD 18-01 has been a promising step in the right direction that organizations in all industries should follow,” explained Robert Holmes, vice president of Email Security at Proofpoint.

Valimail, which published its report one week before the deadline, noted that half of the 1,315 .gov domains it was monitoring had been compliant with BOD 18-01.

The company pointed out that 63 percent of compliant domains were not actually used for email. It also noted that DMARC records are not present on a vast majority of military domains, but these are not covered by the DHS directive, which exempts the Department of Defense, the intelligence community and national security systems.

Related: DMARC in Higher Education – A Formidable Defense Against Targeted Scams

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem