Email Security Blog

Email Security and the New DHS Directive 18-01

Patrick Peterson December 18, 2017 DMARC, Government Secure Email

On October 16, 2017, the Department of Homeland Security (DHS) issued Binding Operational Directive 18-01 requiring all U.S. federal government agencies and departments to implement measures to enhance email and website security. Federal agencies have 30 days to submit an Agency Plan of Action (November 15), 90 days to deploy “monitor” mode (the lowest level) of Domain-based Message Authentication, Reporting and Conformance, or DMARC, and one year to implement the highest level of DMARC protection, or “reject,” which prevents delivery of spoofed malicious messages claiming to be government agencies.

This is a tremendous step forward for the federal government and our citizenry. For too long criminals and nation states have acted with impunity, impersonating the identity of trusted federal agencies to defraud our citizens or commit espionage. By mandating measures that prevent the spoofing of government agencies, DHS will have raised the bar for every malicious actor who attacks us.


Although the timeline to meet the requirements of BOD 18-01 is aggressive, the good news is that the DHS directive itself is straightforward and practically oozes common sense. DHS also has a top-notch set of resources to aid every agency in complying.

Perhaps the greatest challenge of the directive is the complexity associated with DMARC deployments. The problem with email goes all the way back to when it was invented in 1982. The fatal flaw of email is that anyone can send an email claiming to be from anyone else, including trusted federal agencies. That’s why in 2007 several organizations, including PayPal, Google, Yahoo, Bank of America and Facebook, got together to create a solution.

Those early pioneers saw the problem as fundamental to email technology. Their solution was to take existing open standards like SPF and DKIM and build a DMARC layer on top of them, in order to understand who’s using the domain and to authenticate the valid sources while blocking the invalid ones.

And, while this is not a new technology or rocket science, it can be a big data challenge. When you publish the DMARC record that the directive requires by January 15th, 2018, you’re going to begin getting a massive barrage of intelligence, in the form of complex XML files, from a billion mailboxes at Google, 800 million mailboxes at Microsoft, and hundreds of millions of other mailboxes at Yahoo, AOL and foreign ISPs. Transforming that raw data into intelligence workflow alerts that your agency or business can operate on is a complicated big data problem that might best be handled by an experienced vendor*.


Couple that with a climate where email is used prolifically by government agencies to communicate with customers, constituents, vendors and contractors, often using automated systems, and you have a situation where it’s possible to have numerous sources of email that the organization may not even be aware of. Historically, that inability to police email has made it fertile ground for cybercriminals.

That’s what makes implementing DMARC so challenging. It’s a process of slowly understanding all the ways that email is being used by an agency and methodically implementing controls to secure those channels.

The good news is that, once fully implemented, DMARC virtually eliminates the delivery of emails that attempt to impersonate an agency domain.

The other good news is that out of 1100 federal government agency domains, 32 percent have already published a DMARC record, making them compliant with the DHS directive’s requirements for January 15th. In addition, 12 percent of agencies have achieved a DMARC “reject” policy, making them fully compliant with the directive.

When implementing BOD 18-01, it’s important to keep in mind that the DHS directive’s requirements are not rocket science. Rather, they are common sense initiatives that utilize existing technology, and implementing that technology should not be overwhelming.

*94% of agencies subject to the directive that have chosen to work with a third party have chosen Agari.

About Patrick Peterson, Founder & Executive Chairman

Patrick Peterson is Agari’s visionary founder and executive chairman, who has spent more than 15 years securing the email ecosystem. In this executive leadership role, he supports Agari’s growth initiatives by working closely with customers and partners to further the company’s roadmap and vision. Peterson founded Agari in 2009 when he saw a real need in the industry for a solution that would secure the email channel. Under his leadership as Chief Executive Officer, he developed the company’s industry-changing security platform that now protects many of the world’s largest enterprises from email threats. Prior to Agari, Peterson joined IronPort Systems and invented IronPort’s SenderBase, the industry’s first reputation service. After Cisco’s acquisition of IronPort, he became one of 13 Cisco Fellows.
