How to Comply with Binding Operational Directive 18-01


On October 16 2017, the Department of Homeland Security (DHS) issued Binding Operational Directive 18-01 (BOD 18-01) to “federal, executive branch, departments and agencies.”

Among the measures mandated, BOD 18-01 requires that federal government agencies update their email security to adopt security standards widely used across industries: STARTTLS, SPF, DKIM and DMARC.

DMARC protects citizens and agencies from email threats. It stops cyber criminals from using phishing campaigns to exploit citizens and stops scammers from committing fraud by impersonating government agencies.

By January 14, 2018 organizations must have a DMARC record in place, and within one year organizations must have a DMARC policy set to reject. This is a very aggressive timeline, especially if a government organization has any level of complexity in their domains, email processes and technology.

If you are still working to implement DMARC and submit an Agency Plan of Action to DHS, leverage our Guide to Creating an Effective Plan of Action and our Agency Plan of Action Template.

Move from Cyber Security Whack-a-Mole to DMARC

Take One Step to Solve One Real Problem &

Change the Global Ecosystem 

Jeanette Manfra, DHS Assistant Secretary for the Office of Cybersecurity and Communications (CS&C) explains that DMARC gives Government agencies a tool to secure their email channel, so cyber criminals can’t use Government Agency domains to send malicious emails to citizens.

What is DMARC?

Without a strong DMARC policy, the From: address of an email message can easily be spoofed. Cyber criminals exploit the fact that 37% of Federal Government agencies do not have a DMARC record in place by sending billions of forged emails per year. BOD 18-01 aims to stop this.

DMARC is an open email standard created by the industry consortium, of which Agari is a founding member. DMARC stands for Domain-based Message Authentication, Reporting, & Conformance.  It works in conjunction with well-known email standards SPF and DKIM, and is the only way for email senders to tell email receivers that emails they are sending are truly from them.

Organizations who have DMARC in place see a 75% drop in email volume once they move to a DMARC policy of p=reject because attackers give up and move on.

On Demand Webinar: DHS, HHS & GCA Bring Clarity to DMARC Implementation


Watch the Webinar

How to meet BOD 18-01

Implementing DMARC and moving to p=reject

The first step – creating a DMARC record with a p=none policy – is simple; however, anything less than a quarantine or reject policy leaves the doors open to scammers.

As a founding member of the DMARC consortium, Agari understands that email ties directly to your agency’s key business processes and can be complex. Agari processes 90% of the DMARC traffic and is used by 94% of Federal domains that have a DMARC record. We know what challenges you should look out for and the critical path to move your agency to reject.

Agari email experts are here to advise and advocate for your agency. We have the technology solutions and experience to ensure that you find value and success in meeting BOD 18-01 and adopting DMARC.

The Solution – Agari Enterprise Protect

Agari Enterprise Protect is used by leading Fortune 1000 companies to proactively protect their enterprises and employees from costly BEC attacks that result in financial damage and compromised employee personal information.

Unlike other solutions that attempt to detect malicious content or use basic authentication mechanisms, Enterprise Protect leverages comprehensive insight into sender identities. By applying expert systems and machine learning to develop and apply trust and authenticity models, it identifies, isolates and stops email attacks that rely on identity deception.

These models are driven by the Agari Email Trust Platform™, the only solution that verifies trusted email identities based on insight into 10 billion emails per day.

“The open standard called DMARC allows for email authentication to stop targeted spearfishing attacks and domain spoofing, and there are solutions out there that give you insight into what’s good and bad traffic.”

-Charlie Armstrong, Former CIO of U.S. Customs and Border Protection