Email Security Blog

Federal Government DMARC Adoption Surges Ahead of DHS BOD 18-01 Deadline, but More Work Remains

Fareed Bukhari January 16, 2018 DMARC, Government Secure Email
Fallback Featured Image

The first deadline for the Department of Homeland Security Binding Operational Directive (BOD) 18-01 has passed and 63 percent of federal agencies have deployed DMARC, up from 18% when the directive was announced three months ago. BOD 18-01 was announced by DHS Assistant Secretary of Cybersecurity and Communications Jeanette Manfra on October 14, 2017. The mandate requires federal domains to improve email hygiene and traffic encryption through the adoption of DMARC and STARTTLS. January 14, 2018 marks the first 90 day deadline to deploy the basic DMARC monitoring policy of “p=none.”

Manfra urged federal agencies to take a stand and implement DMARC in order to make progress in email security and protect citizens from cybercriminals.

“Let’s take actual discreet steps, solve real problems, in a way that can be leveraged across the global economy.”
Jeanette Manfra

Initial Agari research in October showed that only 18 percent of federal domains subject to the mandate had implemented DMARC. Since then, Agari has been working closely with the Department of Homeland Security to provide research into updated DMARC adoption rates. On January 2, 2018, Agari published a federal DMARC adoption research report, which explored DMARC adoption statistics since our updated analysis began in November.


DMARC is designed to be deployed in stages. The initial policy, “p=none,” monitors unauthenticated messages, but still allows them to be delivered to the inbox. Adjustments can be made to the policy based on feedback from a p=none configuration. A “p=quarantine” policy sends unauthenticated emails to the recipient’s spam folder, while “p=reject” blocks unauthenticated messages completely.

In early November, only one-third (33 percent) of federal agencies had deployed DMARC. By mid-December, this improved to nearly half (47 percent of federal agencies). Today, Agari research indicates that the majority (63 percent) of federal agencies have adopted DMARC. DHS BOD 18-01 was clearly successful at driving initial DMARC adoption monitoring policies, although a few federal IT managers that missed the deadline may be in for a rude awakening following their vacation weekend.

For federal government agencies scrambling to implement DMARC, Agari has published a “Getting Started with DMARC” and a “Complying with Binding Operational Directive 18-01” federal guide, as well as a federal action plan template. Additionally, this Thursday, January 18, Agari will be hosting a federal DMARC breakfast event with speakers from DHS and HHS.

Of course, this January 14 deadline was just the first. Federal domains are also required to reach “p=reject” by October 14, 2018 – one year from the initial mandate. When Agari initiated its research in November, only 12 percent of federal agencies had deployed a “p=reject” DMARC policy. Today, it is 18 percent. Clearly, the majority of early DMARC adoption has been focused on meeting the “p=none” threshold, which accounts for 486 domains out of the 1106 Agari has been analyzing. There is still a lot of work to be done to meet this deadline. 2018 is going to be a big year for DMARC adoption, so Agari will continue to monitor these trends.

You can also monitor trends yourself at the Agari Email Threat Center, which provides a variety of interactive charts. For example, the chart below shows that the government remains one of the most attacked verticals, as nearly one-in-ten emails sent is fraudulent or unauthenticated. The good news is that BOD 18-01 is working to drive DMARC adoption, so we expect that number to decline, as more federal agencies move to reject and begin blocking phishing emails that impersonate their agency.

Hear more from Jeanette Manfra of the DHS, and Patrick Peterson, Executive Chairman and Founder of Agari, about the importance of DMARC adoption.


Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

June 26, 2019 Armen Najarian

Ticket to Fraud: Airline Industry Sees Increased Consumer Phishing Scams

For many, there are few things more satisfying than receiving an email confirmation for a…

Agari Blog Image

June 13, 2019 Fareed Bukhari

DMARC Adoption Worldwide Slows with Australia's ASX 100 Remaining Most Vulnerable

DMARC adoption rose a tepid 1% in the first quarter of the year, with the…

Agari Blog Image

May 23, 2019 Suela Vahdat

DMARC Remains Elusive with 86% of Domains Open to Impersonation

More than three-quarters of UK government organisations haven't yet adopted Domain-based Message Authentication and Reporting…

Agari Blog Image

May 21, 2019 Armen Najarian

Why DMARC Could Make or Break Your B2B Email Marketing Programs

In B2B email marketing, nothing says amateur hour like a landing page with the words…

Agari Blog Image

April 17, 2019 Fareed Bukhari

The Time is Now: Underscoring the Importance of DMARC for State and Local Governments

Scammers know that impersonating a trusted government agency is an extremely effective way to trick…

mobile image