Federal agencies that send and receive email using .gov domains must use DMARC for email security to meet the Department of Homeland Security’s Binding Operational Directive (BOD) 18-01. This Getting Started with DMARC: A Guide for Federal Agencies ebook gives you an overview that includes:

  • What DMARC is, how it works, and why federal agencies need to implement it;
  • The benefits of DMARC for your agency and its stakeholders; and
  • A step-by-step approach to correct DMARC implementation.

The Numbers Today
DMARC Adoption Worldwide

Strong Consumer/Public Mailbox Adoption

Strong Adoption by Government Agencies Driven by BOD 18-01


The Challenge
What Makes DMARC Implementation Hard

Poor Visibility 

Most agencies don’t realize how complex their email ecosystem is until they begin getting aggregate data from DMARC reporting. Standard reporting comes in the form of individual XML files that specify domain names, IP addresses and authentication details. While many tools can parse and visualize this data, making sense of the stream and understanding what subsequent actions to take to improve the authentication status of domains is very difficult and error-prone, requiring a deep understanding of email flows.

Discovering & Authorizing 3rd Party Senders

The most challenging step of the DMARC journey is understanding all of your 3rd party senders and ensuring that legitimate senders are authenticating properly. On average, Agari customers have 64% of legitimate emails sent through 3rd parties such as Salesforce, Marketo, or MailChimp.

The Cost of “Doing it Wrong” 

Despite the emergence of new messaging platforms, email continues to be a critical vehicle for communication and digital engagement for organizations of all types. Incorrectly configuring authentication can lead to false positives, deliverability issues, and agency reputational damage. Taking the final step to a Reject policy can be a daunting prospect if the business impact of undeliverable email is unknown or cannot be predicted.

The Decision
Selecting the Right Vendor to Deliver on the DMARC Promise

Not all DMARC implementation solutions are created equally, and it can be difficult to interpret some of the marketing claims made by vendors. In simple terms, there are four main things agencies should look for when evaluating which DMARC partner to use.


Anything less than an enforcement policy (quarantine or reject) opens the door for cybercriminals to conduct email phishing attacks using your brand and reputation to exploit your customers. This is the key project outcome to keep in your sights. Beware of vendors making promises like “we guarantee you will get to Reject in 90 days.” The reality is that email authentication ties directly to an agency’s critical business processes. The process is sometimes simple, sometimes, and it cannot be outsourced completely to a 3rd party vendor.

What to Ask Vendors: How long have you been focused on DMARC implementation? Did you acquire an authentication tool to meet a portfolio gap? What’s the largest environment (number of domains) that you’ve brought to Reject? Have you been the sole vendor providing implementation assistance for this agency? What percentage of all federal agencies that use DMARC use your product?


Understanding the 3rd party senders and cloud services sending on your behalf and ensuring legitimate services are properly authenticated are the biggest challenges of achieving DMARC enforcement. This is an essential capability to track sender level authentication progress and monitor new senders. You should not compromise in this area.

What to Ask Vendors: Can you automatically generate a visual display (not just IP addresses) of all senders emailing on my behalf? How do you discover and validate the senders?


DMARC is an open standard developed by pioneers in the email space. Vendors who introduce non-standard approaches and configurations do a disservice to their customers, who will have difficulty migrating off the proprietary system if the need arises.

What to Ask Vendors: What non-standard approaches do you use for maintaining SPF records? If I move to another vendor to drive my authentication roadmap, how can I migrate the customized settings? How is your environment protected from attacks?


Mature vendors with a proven track record serving the needs of large enterprise and government customers will have the right mix of features and capabilities around reporting, forensics, and ecosystem integration.

What to Ask Vendors: Describe the adhoc executive level reports you can create. Can you schedule and share reports in CSV and PDF format? Do you support role-based and domain-based access control that can map to my organization’s process? Do you support Single Sign-On (SSO) access to the application? Do you have an app that pulls relevant information from brand/domain events into Splunk?



Close button
Mail Letter

Would you like the confidence to trust your inbox?