Progress Report: US Federal Government DMARC Implementation

By Shehzad Mirza

On October 16th, the U.S. Department of Homeland Security (DHS) issued Binding Operational Directive 18-01 (BOD 18-01), which mandates that all federal agencies implement various email security measures, one of which is DMARC. It is now two months since the mandate was released, and we have seen a great uptick in DMARC implementation.


Figure 1: DMARC Implementation for federal domains


There are now 797 federal agencies without DMARC; 351 using policy level ‘none’, 11 using policy level ‘quarantine’, and 156 using policy level ‘reject’. This is a similar pace compared to last month, but there are still 60 days remaining and 797 federal domains still need to take action. The best news is the continuous increase in the number of domains at DMARC policy ‘reject’.

One area that is still of concern is that 15 (previously nine) of the agency domains that have implemented DMARC have done so without enabling reporting. Eleven (previously four) of these domains are using DMARC level ‘none’ without reporting. DMARC level ‘none’ has no impact on messages and is meant only for monitoring purposes, so it is useless if reporting is not enabled. The remaining four domains are using the DMARC policy level of ‘reject’ without reporting enabled. This is not a huge concern since they are at the highest level, but the reports can still be useful to IT staff for troubleshooting, and to cyber security staff as a source of intelligence on spammers and phishers.
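The check described above can be automated. The following is an added example, not part of the original report: it sorts domains into the report's categories and flags policies published without reporting. The domains and records are constructed samples, and the `rua`/`ruf` reporting tags come from the DMARC specification (RFC 7489), not from this page.

```python
# Added example. Records below are constructed samples, not real agency data.
ENFORCING = ("quarantine", "reject")

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        return None
    name, _, value = parts[0].partition("=")
    # The version tag must come first and its value must be exactly DMARC1.
    if name.strip().lower() != "v" or value.strip() != "DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def classify(txt_records):
    """Classify a domain from the TXT strings found at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:  # none, or ambiguous duplicates: no usable policy
        return ("no DMARC", False, "publish a single DMARC record")
    tags = records[0]
    policy = tags.get("p", "").lower()
    reporting = bool(tags.get("rua") or tags.get("ruf"))
    if policy not in ENFORCING + ("none",):
        return ("invalid", reporting, "fix the p= tag")
    if policy == "none":
        finding = ("monitoring only; plan the move to quarantine or reject"
                   if reporting else "p=none without reports does nothing; add rua=")
    else:
        finding = "ok" if reporting else "enforcing; add rua= for troubleshooting data"
    return (policy, reporting, finding)

SAMPLES = {  # constructed TXT answers, keyed by constructed domain
    "a.example": ["v=DMARC1; p=none"],
    "b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@b.example"],
    "c.example": ["v=DMARC1; p=reject"],
    "d.example": ["v=spf1 -all"],
    "e.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@e.example", "v=spf1 -all"],
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(domain, *classify(txt), sep=" | ")
```

To run it against live domains, feed `classify` the TXT strings returned for `_dmarc.<domain>` by whatever resolver you already use.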

The 351 federal domains that are at DMARC policy level ‘none’ must not forget to keep working towards an effective DMARC policy of ‘quarantine’ or ‘reject’, with ‘reject’ being the requirement by October 2018.

We strongly encourage everyone to follow the leadership of DHS and the United Kingdom government in implementing DMARC and to use our DMARC Setup Guide (which is now available in thirteen languages). We also have many resources (awareness videos and tutorials, monthly webinars, and information resources) available to assist with DMARC implementation and to ensure use of DMARC's reporting capability. There is a lot of valuable information for an organization’s IT and security staff in those reports.

The author, Shehzad Mirza, is the Director of Operations at the Global Cyber Alliance. You can connect with Shehzad on LinkedIn.