Email Security Blog

Federal Government DMARC Adoption Surges Ahead of DHS BOD 18-01 Deadline, but More Work Remains

Fareed Bukhari January 16, 2018 DMARC, Government Secure Email
Fallback Featured Image

The first deadline for the Department of Homeland Security Binding Operational Directive (BOD) 18-01 has passed and 63 percent of federal agencies have deployed DMARC, up from 18% when the directive was announced three months ago. BOD 18-01 was announced by DHS Assistant Secretary of Cybersecurity and Communications Jeanette Manfra on October 14, 2017. The mandate requires federal domains to improve email hygiene and traffic encryption through the adoption of DMARC and STARTTLS. January 14, 2018 marks the first 90 day deadline to deploy the basic DMARC monitoring policy of “p=none.”

Manfra urged federal agencies to take a stand and implement DMARC in order to make progress in email security and protect citizens from cybercriminals.

“Let’s take actual discreet steps, solve real problems, in a way that can be leveraged across the global economy.”
Jeanette Manfra

Initial Agari research in October showed that only 18 percent of federal domains subject to the mandate had implemented DMARC. Since then, Agari has been working closely with the Department of Homeland Security to provide research into updated DMARC adoption rates. On January 2, 2018, Agari published a federal DMARC adoption research report, which explored DMARC adoption statistics since our updated analysis began in November.


DMARC is designed to be deployed in stages. The initial policy, “p=none,” monitors unauthenticated messages, but still allows them to be delivered to the inbox. Adjustments can be made to the policy based on feedback from a p=none configuration. A “p=quarantine” policy sends unauthenticated emails to the recipient’s spam folder, while “p=reject” blocks unauthenticated messages completely.

In early November, only one-third (33 percent) of federal agencies had deployed DMARC. By mid-December, this improved to nearly half (47 percent of federal agencies). Today, Agari research indicates that the majority (63 percent) of federal agencies have adopted DMARC. DHS BOD 18-01 was clearly successful at driving initial DMARC adoption monitoring policies, although a few federal IT managers that missed the deadline may be in for a rude awakening following their vacation weekend.

For federal government agencies scrambling to implement DMARC, Agari has published a “Getting Started with DMARC” and a “Complying with Binding Operational Directive 18-01” federal guide, as well as a federal action plan template. Additionally, this Thursday, January 18, Agari will be hosting a federal DMARC breakfast event with speakers from DHS and HHS.

Of course, this January 14 deadline was just the first. Federal domains are also required to reach “p=reject” by October 14, 2018 – one year from the initial mandate. When Agari initiated its research in November, only 12 percent of federal agencies had deployed a “p=reject” DMARC policy. Today, it is 18 percent. Clearly, the majority of early DMARC adoption has been focused on meeting the “p=none” threshold, which accounts for 486 domains out of the 1106 Agari has been analyzing. There is still a lot of work to be done to meet this deadline. 2018 is going to be a big year for DMARC adoption, so Agari will continue to monitor these trends.

You can also monitor trends yourself at the Agari Email Threat Center, which provides a variety of interactive charts. For example, the chart below shows that the government remains one of the most attacked verticals, as nearly one-in-ten emails sent is fraudulent or unauthenticated. The good news is that BOD 18-01 is working to drive DMARC adoption, so we expect that number to decline, as more federal agencies move to reject and begin blocking phishing emails that impersonate their agency.

Hear more from Jeanette Manfra of the DHS, and Patrick Peterson, Executive Chairman and Founder of Agari, about the importance of DMARC adoption.


Agari Blog Image

April 27, 2022 Monica Delyani

5 Big Myths about DMARC, Debunked

With email attacks contributing to billions of lost dollars each year, a growing number of…

Computer Showing Secure Email Server

March 9, 2022 John Wilson

Securing Your Email with DMARC

Understanding the What, How, and Why of DMARC You probably already know this, but it…

Agari Blog Image

May 11, 2021 John Wilson

Office 365 + DMARC: Best Practices for Protecting Your Company & Customers From Phishing Attacks

Gartner includes DMARC, or known by its full name as Domain-based Message Authentication, Reporting &…

Agari Blog Image

May 5, 2021 Michael Paiko

5.8B Malicious Emails Spoofed Domains; 76% of Fortune 500 Still at Risk: DMARC Results from Agari

Global adoption of Domain-based Messaging, Reporting & Conformance (DMARC) topped 10.7 million email domains worldwide…

Agari Blog Image

April 27, 2021 Michael Paiko

What Is SPF and How Does It Work?

We're going to delve into what SPF for email is, how to implement it, the…

mobile image