
Federal Government DMARC Adoption Surges Ahead of DHS BOD 18-01 Deadline, but More Work Remains

Fareed Bukhari January 16, 2018 DMARC, Government Secure Email

The first deadline for the Department of Homeland Security Binding Operational Directive (BOD) 18-01 has passed, and 63 percent of federal agencies have deployed DMARC, up from 18 percent when the directive was announced three months ago. BOD 18-01 was announced by DHS Assistant Secretary of Cybersecurity and Communications Jeanette Manfra on October 14, 2017. The mandate requires federal domains to improve email hygiene and traffic encryption through the adoption of DMARC and STARTTLS. January 14, 2018 marks the first 90-day deadline to deploy the basic DMARC monitoring policy of “p=none.”

Manfra urged federal agencies to take a stand and implement DMARC in order to make progress in email security and protect citizens from cybercriminals.

“Let’s take actual discrete steps, solve real problems, in a way that can be leveraged across the global economy.”
Jeanette Manfra

Initial Agari research in October showed that only 18 percent of federal domains subject to the mandate had implemented DMARC. Since then, Agari has been working closely with the Department of Homeland Security to provide research into updated DMARC adoption rates. On January 2, 2018, Agari published a federal DMARC adoption research report, which explored DMARC adoption statistics since our updated analysis began in November.

[Figure: DMARC statistics, government adoption]

DMARC is designed to be deployed in stages. The initial policy, “p=none,” monitors unauthenticated messages, but still allows them to be delivered to the inbox. Adjustments can be made to the policy based on feedback from a p=none configuration. A “p=quarantine” policy sends unauthenticated emails to the recipient’s spam folder, while “p=reject” blocks unauthenticated messages completely.
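The staged rollout can be checked mechanically. The following is an added example, not Agari's or DHS's code: it takes the TXT strings found at `_dmarc.<domain>` (no DNS lookup is performed), works out the policy a receiver would apply, and compares it with the two deadlines given in this article. The `example.gov` records are constructed, and the `rua` check is a simplified `mailto:` test.

```python
from datetime import date

# Milestones as stated in the article: p=none first, p=reject one year after the mandate.
MILESTONES = [(date(2018, 10, 14), "reject"), (date(2018, 1, 14), "none")]
STAGES = ["no-policy", "none", "quarantine", "reject"]  # index = rollout stage


def parse_tags(txt):
    """Split 'v=DMARC1; p=none; ...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags


def effective_policy(txt_records):
    """Return the policy a receiver would apply, given all TXT strings at _dmarc.<domain>."""
    # Only records whose first tag is exactly v=DMARC1 count (this skips SPF and other TXT data).
    dmarc = [r for r in txt_records if r.split(";")[0].replace(" ", "") == "v=DMARC1"]
    if len(dmarc) != 1:
        return "no-policy"  # RFC 7489: zero or several DMARC records means no policy
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy in STAGES[1:]:
        return policy
    # Invalid or absent p: receivers fall back to p=none only if reports are requested.
    return "none" if tags.get("rua", "").lower().startswith("mailto:") else "no-policy"


def bod_status(txt_records, as_of):
    """Return (policy, required, compliant) for a domain on the date as_of."""
    policy = effective_policy(txt_records)
    required = next((p for d, p in MILESTONES if as_of >= d), "no-policy")
    return policy, required, STAGES.index(policy) >= STAGES.index(required)


# Constructed sample records (example.gov addresses are placeholders, not survey data).
SAMPLES = {
    "monitoring": ["v=DMARC1; p=none; rua=mailto:dmarc@example.gov"],
    "enforcing": ["v=spf1 -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov"],
    "duplicate": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "typo": ["v=DMARC1; p=rejct; rua=mailto:dmarc@example.gov"],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(name, bod_status(records, date(2018, 1, 16)), bod_status(records, date(2018, 10, 14)))
```

The `duplicate` and `typo` samples are the cases worth watching for: publishing two DMARC records leaves a domain with no policy at all, and a misspelled `p=` value silently degrades to monitoring only.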

In early November, only one-third (33 percent) of federal agencies had deployed DMARC. By mid-December, this improved to nearly half (47 percent of federal agencies). Today, Agari research indicates that the majority (63 percent) of federal agencies have adopted DMARC. DHS BOD 18-01 was clearly successful at driving initial adoption of DMARC monitoring policies, although a few federal IT managers who missed the deadline may be in for a rude awakening following their vacation weekend.

For federal government agencies scrambling to implement DMARC, Agari has published a “Getting Started with DMARC” and a “Complying with Binding Operational Directive 18-01” federal guide, as well as a federal action plan template. Additionally, this Thursday, January 18, Agari will be hosting a federal DMARC breakfast event with speakers from DHS and HHS.

Of course, this January 14 deadline was just the first. Federal domains are also required to reach “p=reject” by October 14, 2018 – one year from the initial mandate. When Agari initiated its research in November, only 12 percent of federal agencies had deployed a “p=reject” DMARC policy. Today, it is 18 percent. Clearly, the majority of early DMARC adoption has been focused on meeting the “p=none” threshold, which accounts for 486 domains out of the 1106 Agari has been analyzing. There is still a lot of work to be done to meet this deadline. 2018 is going to be a big year for DMARC adoption, so Agari will continue to monitor these trends.

You can also monitor trends yourself at the Agari Email Threat Center, which provides a variety of interactive charts. For example, the chart below shows that the government remains one of the most attacked verticals, as nearly one-in-ten emails sent is fraudulent or unauthenticated. The good news is that BOD 18-01 is working to drive DMARC adoption, so we expect that number to decline, as more federal agencies move to reject and begin blocking phishing emails that impersonate their agency.

Hear more from Jeanette Manfra of the DHS, and Patrick Peterson, Executive Chairman and Founder of Agari, about the importance of DMARC adoption.

 
