Federal agencies that send and receive email using .gov domains must use DMARC for email security to meet the Department of Homeland Security’s Binding Operational Directive (BOD) 18-01. This Getting Started with DMARC: A Guide for Federal Agencies ebook gives you an overview that includes:

  • What DMARC is, how it works, and why federal agencies need to implement it;
  • The benefits of DMARC for your agency and its stakeholders; and
  • A step-by-step approach to correct DMARC implementation.

The DHS Mandate
Adopt DMARC for Email Security

On October 16, 2017, the U.S. Department of Homeland Security issued a Binding Operational Directive (BOD) 18-01 that mandates the implementation of specific security standards to strengthen email and website security.

This directive stated that all federal agencies that operate .gov email domains must implement a DMARC “monitoring” policy within 90 days and that all federal agencies must move to an enforcement policy of reject by October 2018.

As of October 16, 2018, 77% of the 1,144 executive branch domains subject to BOD 18-01 had implemented DMARC at its strongest enforcement level, “p=reject.” While work still remains, the speed at which the government adopted this critical email security standard is commendable.

This guide is designed to provide an overview of DMARC and best practice resources to federal agencies that send and receive email using .gov domains.

The History

Email – despite its importance, ubiquity, and staying power – has never been secure.

Prior attempts at security have failed to solve email’s fundamental flaw – anyone can send email using someone else’s identity. This flaw has put the power of the world’s most admired brands and federal agencies in criminal hands. Through email, criminals can use almost any brand to send spam, phishing emails and malware installs, inflicting direct losses to customers and eroding the brand equity companies have spent years building up.

Many forward-thinking federal agencies, including the US Senate, US Postal Service, Federal Deposit Insurance Corporation, US Customs and Border Protection, and US Veterans Affairs, have already adopted DMARC to protect their constituents and the public at large.

Using DMARC, companies gain unprecedented visibility into legitimate and fraudulent mail sent using their domain names. The magic of DMARC is the ability to understand all the different mail streams being sent claiming to be from you – third parties, business units, and threat actors. The overall impact to companies that have adopted DMARC is preservation of brand equity, elimination of customer support costs related to email fraud, and renewed trust and engagement in the company’s email channel.

DMARC – an open standard enabled on 70% of the world’s inboxes – is the only solution that enables Internet-scale email protection and prevents fraudulent use of legitimate brands for email cyberattacks.

The Basics
What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an open email standard published in 2012 by the industry consortium DMARC.org to protect the email channel. DMARC extends previously established authentication standards for email and is the only way for email senders to tell email receivers that the emails they are sending are truly from them. DMARC enables agencies that send email using .gov domains to:

  • Authenticate All Legitimate Email messages and sources for their email-sending domains, including messages sent from your own infrastructure as well as those sent by third parties.
  • Publish An Explicit Policy that instructs mailbox providers what to do with email messages that are provably inauthentic. These messages can either be sent to a junk folder or rejected outright, protecting unsuspecting recipients from exposure to attacks.
  • Gain Intelligence On Their Email Streams by letting them know who is sending mail from their domains. This data helps companies to not only identify threats against their customers, but also discover legitimate senders that they may not even be aware of.

What is a DMARC Enforcement Policy?
When you set a DMARC policy for your organization, you as an email sender are indicating that your messages are protected. The policy tells a receiver what to do if one of the authentication methods in DMARC passes or fails.

How it Works
When emails are received by the mailbox provider, the receiver checks if DMARC has been activated for your domain.

BOD 18-01 Directive:

  • None policy: Required by January 14th, 2018.
  • Reject policy: Required by October 16th, 2018.
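To make the "How it Works" step and the difference between a monitoring (p=none) and an enforcement (p=reject) policy concrete, here is an added example, not code from the ebook. It parses the kind of DMARC TXT record a receiver fetches from DNS at _dmarc.<domain> and applies the record's policy to a message given the domains for which SPF and DKIM passed. The record strings, the example.gov domains and the report addresses are constructed for illustration, and the organizational-domain lookup is simplified to the last two labels (real receivers consult the Public Suffix List).

```python
"""Added example: parse a DMARC DNS record and apply its policy to a message.

Not code from the ebook. Records, domains and report addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcRecord:
    policy: str            # p=  : disposition for mail that fails DMARC
    subdomain_policy: str  # sp= : disposition for subdomains (defaults to p=)
    adkim: str             # "r" relaxed or "s" strict DKIM identifier alignment
    aspf: str              # "r" relaxed or "s" strict SPF identifier alignment
    pct: int               # share of failing mail the policy applies to (not sampled here)
    rua: List[str]         # aggregate-report destinations ("Gain Intelligence On Their Email Streams")


def parse_dmarc_record(txt: str) -> DmarcRecord:
    """Parse the TXT record a receiver would look up at _dmarc.<domain>."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        raise ValueError("invalid or missing p= tag: %r" % (policy,))
    return DmarcRecord(
        policy=policy,
        subdomain_policy=tags.get("sp", policy),
        adkim=tags.get("adkim", "r"),
        aspf=tags.get("aspf", "r"),
        pct=int(tags.get("pct", "100")),
        rua=[u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    )


def organizational_domain(domain: str) -> str:
    """Simplified: the last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate(record: DmarcRecord, from_domain: str,
             spf_domain: Optional[str] = None,
             dkim_domain: Optional[str] = None) -> Dict[str, object]:
    """Apply the policy to one message.

    spf_domain  : domain for which SPF passed (envelope sender), or None if SPF failed.
    dkim_domain : d= of a DKIM signature that verified, or None if none verified.
    DMARC passes when either result is aligned with the From: header domain.
    """
    spf_aligned = spf_domain is not None and aligned(from_domain, spf_domain, record.aspf)
    dkim_aligned = dkim_domain is not None and aligned(from_domain, dkim_domain, record.adkim)
    passed = spf_aligned or dkim_aligned
    is_subdomain = from_domain.lower() != organizational_domain(from_domain)
    policy = record.subdomain_policy if is_subdomain else record.policy
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # A passing message is delivered normally; only failures get the policy.
        "disposition": "none" if passed else policy,
    }


# Constructed records: the monitoring policy BOD 18-01 required first, and the
# enforcement policy it required by October 2018.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov"
ENFORCE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; "
                  "rua=mailto:dmarc-reports@example.gov, mailto:dmarc@vendor.example")


if __name__ == "__main__":
    for label, txt in (("monitoring", MONITOR_RECORD), ("enforcement", ENFORCE_RECORD)):
        rec = parse_dmarc_record(txt)
        # Spoofed message: From example.gov, SPF passed only for unrelated infrastructure.
        spoof = evaluate(rec, "example.gov", spf_domain="unrelated-infra.example")
        # Legitimate third-party sender: SPF unaligned, but DKIM signed with d=example.gov.
        vendor = evaluate(rec, "example.gov", spf_domain="bounce.esp.example",
                          dkim_domain="example.gov")
        print(label, "spoof ->", spoof["disposition"], "| vendor ->", vendor["disposition"])
```

Under the monitoring record the spoofed message still reaches the inbox (disposition none) but shows up in the aggregate reports sent to the rua address; under the enforcement record the same message is rejected, while the vendor's mail passes because its DKIM signature is aligned with the From: domain. That is the visibility-then-enforcement progression the directive's two deadlines encode.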


Close button
Mail Letter

Would you like the confidence to trust your inbox?