On October 16, 2017, the U.S. Department of Homeland Security issued a Binding Operational Directive (BOD) 18-01 that mandates the implementation of specific security standards to strengthen email and website security.
This directive stated that all federal agencies that operate .gov email domains must implement a DMARC “monitoring” policy within 90 days and that all federal agencies must move to an enforcement policy of reject by October 2018.
As of October 16, 2018, 77% of the 1,144 executive branch domains subject to BOD 18-01 had implemented DMARC at its strongest enforcement level, “p=reject.” While work still remains, this speed at which the government adopted this critical email security standard is commendable
Prior attempts at security have failed to solve email’s fundamental flaw – anyone can send email using someone else’s identity. This flaw has put the power of the world’s most admired brands and federal agencies in criminal hands. Through email, criminals can use almost any brand to send spam, phishing emails and malware installs, inflicting direct losses to customers and eroding the brand equity companies have spent years building up.
Many forward-thinking federal agencies, including the US Senate, US Postal Service, Federal Deposit Insurance Corporation, US Customs and Border Protection, and US Veterans Affairs, have already adopted DMARC to protect their constituents and the public at large.
Using DMARC, companies gain unprecedented visibility into legitimate and fraudulent mail sent using their domain names. The magic of DMARC is the ability to understand all the different mail streams being sent claiming to be from you – third parties, business units, and threat actors. The overall impact to companies that have adopted DMARC is preservation of brand equity, elimination of customer support costs related to email fraud, and renewed trust and engagement in the company’s email channel.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an open email standard published in 2012 by the industry consortium DMARC.org to protect the email channel. DMARC extends previously established authentication standards for email and is the only way for email senders to tell email receivers that the emails they are sending are truly from them. DMARC enables agencies that send email using .gov domains to:
What is a DMARC Enforcement Policy?
When you set a DMARC policy for your organization, you as an email sender are indicating that your messages are protected. The policy tells a receiver what to do if one of the authentication methods in DMARC passes or fails.
How it Works
When emails are received by the mailbox provider, the receiver checks if DMARC has been activated for your domain.
BOD 18-01 Directive:
None policy: Required by January 14th, 2018.
Reject policy: Required by October 16th, 2018.