Email Security Blog

Half of Federal Agencies Racing to Meet DMARC Active Enforcement Deadline

Patrick Peterson August 10, 2018 DMARC, Federal, Government Secure Email

Executive branch DMARC adoption hits 81%—but with roughly 90 days to go, most have yet to implement required enforcement policy levels across all .gov domains

With less than three months left to comply with the Department of Homeland Security’s Binding Operational Directive (BOD) 18-01 deadline, adoption of Domain-based Message Authentication, Reporting and Conformance (DMARC) protocols for email security has soared from 20% to roughly 81%.

The catch? A new report finds that while 52% of executive branch agencies have met requirements to have active security policies set for maximum protection, there’s still much to be done before the October 16 deadline.


According to the July 2018 BOD 18-01 Progress Report from Agari, 52% of the 1,144 executive-branch .gov domains subject to the directive have DMARC implemented at its strongest security level.

The remaining 551 will need to do the same in order to fully implement DMARC’s email authentication, policy and reporting protocols, which prevent domain spoofing by malicious actors.

As it stands now, the federal government is among the sectors most heavily hit by email-based identity fraud, second only to the financial services industry. And the countdown clock is ticking.

Taking the Bait

The issue here is email impersonation fraud, including phishing and other advanced email attacks against federal agencies, the people they serve, and the organizations with which they do business.

These meticulously crafted email messages employ sophisticated identity deception techniques to fool government employees, outside contractors, citizens and constituents into revealing sensitive information or making fraudulent payments.

Of course, when you’re talking about the federal government, the implications are huge—and can go far beyond financial risks. Through email impersonation, for instance, messages appearing to come from within an agency’s own systems, or from another agency, could expose classified information or assets.

Payments or services meant for businesses could be redirected to fraudulent accounts. Credentials for gaining access to critical infrastructure and defense systems could be compromised—jeopardizing national security.

What’s more, millions of government employees, veterans, and other citizens can be deceived by messages appearing to come from federal agencies chartered with delivering healthcare, retirement benefits and more—potentially leading to financial hardship.

How bad is it? Today, one out of every 10 email messages purporting to come from a government domain is malicious or unauthorized. That’s a 12% attack rate, which is significantly higher than the global average of 3% across public and private sectors. BOD 18-01 and its DMARC mandate are designed to change all that.

Hitting DMARC

First issued by DHS last October, BOD 18-01 requires federal government agencies to update their email security to adopt standards widely used across industries, including DMARC.

At its most essential, DMARC protects citizens and agencies from email threats by stopping cybercriminals and others from using phishing campaigns to commit fraud and other crimes by impersonating government agencies.

More than 79% of email inboxes worldwide support this standard, which lets receiving mail systems detect incoming identity-fraud emails that appear to come from domains covered by DMARC. But it only works if an organization has set specific enforcement policies for each of its domains. Policies range from monitoring only (“p=none”), to containment (“p=quarantine”), to the ultimate blocking policy (“p=reject”).

As part of the directive, agencies had until January 15 to establish DMARC and its default monitoring-only policy for each .gov domain. They have until October 16 to set the policy for each domain to the highest security level possible (“p=reject”) in order to ensure that fraudulent emails purporting to come from that domain never reach their targets.
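The two milestones above map directly onto the p= tag of a domain's DMARC TXT record. The following script is an added example (not code from Agari or DHS) that parses a DMARC record and classifies it against the two BOD 18-01 stages: a p=none record satisfies the January 15 monitoring milestone, and only p=reject satisfies the October 16 enforcement milestone. It goes slightly beyond the post by also treating a reject policy with pct below 100, or with a weaker sp= subdomain policy, as partial rather than full enforcement, since either leaves some mail unblocked. The domain names and records are constructed for illustration.

```python
"""Classify DMARC TXT records against the BOD 18-01 milestones.

Added example; not part of the Agari post or any DHS tooling.
The sample domains and records below are constructed, not real agency data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Enforcement order: none < quarantine < reject.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcRecord:
    policy: str            # p= tag: none, quarantine or reject
    subdomain_policy: str  # sp= tag; defaults to the p= value when absent
    pct: int               # pct= tag; defaults to 100 (apply policy to all mail)


def parse_dmarc(txt: str) -> Optional[DmarcRecord]:
    """Parse a DMARC TXT record. Returns None if it is not a usable DMARC record."""
    parts = [p.strip() for p in txt.split(";")]
    # The record must start with the version tag v=DMARC1 and carry a p= tag.
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags: Dict[str, str] = {}
    for part in parts[1:]:
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy not in POLICY_RANK:
        return None
    sub = tags.get("sp", policy)
    if sub not in POLICY_RANK:
        sub = policy
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    return DmarcRecord(policy, sub, pct)


def bod_18_01_status(txt: Optional[str]) -> str:
    """Map a record to a BOD 18-01 stage.

    missing    - no DMARC record published at all
    invalid    - a record exists but is not a valid DMARC record
    monitoring - p=none: the January 15 milestone only
    partial    - quarantine, or reject that does not cover all mail
    enforced   - p=reject applied to 100% of mail, subdomains included
    """
    if txt is None:
        return "missing"
    rec = parse_dmarc(txt)
    if rec is None:
        return "invalid"
    if rec.policy == "none":
        return "monitoring"
    if rec.policy == "reject" and rec.pct >= 100 and rec.subdomain_policy == "reject":
        return "enforced"
    return "partial"


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Group domains by stage so the share at full enforcement is visible at a glance."""
    groups: Dict[str, List[str]] = {}
    for domain, txt in records.items():
        groups.setdefault(bod_18_01_status(txt), []).append(domain)
    return groups


# Constructed sample records (hypothetical domains, not real agencies).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@agency-b.example",
    "agency-c.example": "v=DMARC1; p=reject; pct=25",
    "agency-d.example": "v=DMARC1; p=quarantine; sp=none",
    "agency-e.example": None,
    "agency-f.example": "v=spf1 -all",  # an SPF record, not DMARC
}

if __name__ == "__main__":
    for stage, domains in sorted(summarize(SAMPLE_RECORDS).items()):
        print(f"{stage:10s} {len(domains)}  {', '.join(domains)}")
```

Run against live DNS, the same logic would be fed the TXT record found at `_dmarc.<domain>`; the pct and sp checks are this example's own caveats and are not part of the post's description of the directive.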

The Pressure’s On

The fact that 52% of executive branch agencies have met these requirements three months ahead of schedule is impressive. But compliance may come down to the wire, nonetheless.

As of July 15, it’s unclear whether the executive branch’s crown jewel domains—including—have implemented DMARC, or have any plans to comply. In April, it was reported that only 1 of 26 email domains managed by the Executive Office of the President (EOP) had started using DMARC to block phishing attacks impersonating officials from the most important office of the US government.

What’s more, Agari data finds that as of July 15, 66% of the federal agency domains that have met full DMARC requirements are domains configured to not send email (called “defensive” domains). Setting up an enforcement policy is generally easier to do on defensive domains than on active domains that are used to send email. Toughest of all? Domains operated by third parties that send email on an agency’s behalf.

Agencies racing to move active domains into compliance before the deadline can benefit from The Federal Agency Guide to Complying with Binding Operational Directive (BOD) 18-01.

They might also want to step on it. With T-minus three months remaining before the BOD 18-01 deadline, federal agencies show significant progress toward compliance. But there’s still plenty of work ahead.

For full details on BOD 18-01 compliance, including a breakdown of DMARC deployment and enforcement policy level by agency, download the July 2018 BOD 18-01 Progress Report now.
