The first deadline for the Department of Homeland Security Binding Operational Directive (BOD) 18-01 has passed and 63 percent of federal agencies have deployed DMARC, up from 18% when the directive was announced three months ago. BOD 18-01 was announced by DHS Assistant Secretary of Cybersecurity and Communications Jeanette Manfra on October 14, 2017. The mandate requires federal domains to improve email hygiene and traffic encryption through the adoption of DMARC and STARTTLS. January 14, 2018 marks the first 90 day deadline to deploy the basic DMARC monitoring policy of “p=none.”
Initial Agari research in October showed that only 18 percent of federal domains subject to the mandate had implemented DMARC. Since then, Agari has been working closely with the Department of Homeland Security to provide research into updated DMARC adoption rates. On January 2, 2018, Agari published a federal DMARC adoption research report, which explored DMARC adoption statistics since our updated analysis began in November.
DMARC is designed to be deployed in stages. The initial policy, “p=none,” monitors unauthenticated messages, but still allows them to be delivered to the inbox. Adjustments can be made to the policy based on feedback from a p=none configuration. A “p=quarantine” policy sends unauthenticated emails to the recipient’s spam folder, while “p=reject” blocks unauthenticated messages completely.
In early November, only one-third (33 percent) of federal agencies had deployed DMARC. By mid-December, this improved to nearly half (47 percent of federal agencies). Today, Agari research indicates that the majority (63 percent) of federal agencies have adopted DMARC. DHS BOD 18-01 was clearly successful at driving initial DMARC adoption monitoring policies, although a few federal IT managers that missed the deadline may be in for a rude awakening following their vacation weekend.
For federal government agencies scrambling to implement DMARC, Agari has published a “Getting Started with DMARC” and a “Complying with Binding Operational Directive 18-01” federal guide, as well as a federal action plan template. Additionally, this Thursday, January 18, Agari will be hosting a federal DMARC breakfast event with speakers from DHS and HHS.
Of course, this January 14 deadline was just the first. Federal domains are also required to reach “p=reject” by October 14, 2018 – one year from the initial mandate. When Agari initiated its research in November, only 12 percent of federal agencies had deployed a “p=reject” DMARC policy. Today, it is 18 percent. Clearly, the majority of early DMARC adoption has been focused on meeting the “p=none” threshold, which accounts for 486 domains out of the 1106 Agari has been analyzing. There is still a lot of work to be done to meet this deadline. 2018 is going to be a big year for DMARC adoption, so Agari will continue to monitor these trends.
You can also monitor trends yourself at the Agari Email Threat Center, which provides a variety of interactive charts. For example, the chart below shows that the government remains one of the most attacked verticals, as nearly one-in-ten emails sent is fraudulent or unauthenticated. The good news is that BOD 18-01 is working to drive DMARC adoption, so we expect that number to decline, as more federal agencies move to reject and begin blocking phishing emails that impersonate their agency.