It’s another Monday. A city employee receives an urgent email that appears to be from a state agency. The message demands immediate action on a critical infrastructure project. Without thinking twice, they click the link and enter their credentials. Unfortunately, that employee just handed over access to sensitive government systems to a sophisticated phishing operation.
Sound far-fetched? It’s not.
Government agencies face thousands of email-based attacks every day. From local municipalities to federal departments, the public sector is a prime target for cybercriminals looking to steal sensitive data, disrupt operations, or compromise national security. Commonly cited industry estimates put phishing at the start of over 90% of successful attacks, and government domains are particularly enticing targets.
This is where DMARC (Domain-based Message Authentication, Reporting, and Conformance) comes in. DMARC lets receiving mail servers check that a message using your domain in its From: address was actually authorized by you, and it tells them what to do with messages that weren’t.
Below, we’ll break down everything government agencies need to know about DMARC:
- Why it’s non-negotiable for public sector email security
- How to implement it while navigating government-specific challenges
- What happens if you don’t
We’ll also look at how agencies can meet federal mandates like BOD 18-01 without getting tangled in red tape.
The importance of email security in government
Email isn’t just another communication channel for government agencies—it’s the backbone of public sector operations. While the private sector might have alternatives like Slack or Teams for internal chat, government agencies rely heavily on email for everything from inter-agency coordination to citizen services.
The truth is that government domains carry extra weight. When an email comes from a .gov address, people tend to trust it automatically. That’s exactly why cybercriminals love spoofing government domains. An email that appears to be from the IRS or Social Security Administration is more likely to get clicked than one from a random company.
Here are examples of what goes through government email systems every day:
Citizen communications and services:
- Benefits notifications and updates
- Tax information and correspondence
- Permit applications and approvals
- Public health and safety alerts
- Voting information and election updates
Inter-agency operations:
- Law enforcement communications
- Emergency response coordination
- Intelligence sharing
- Policy directives
- Budget and resource allocation
External partnerships:
- Contractor and vendor management
- Grant applications and awards
- Research collaboration
- International diplomatic communications
- Public-private partnerships
Risks of poor email security in government

When your email domain isn’t secure, it’s like leaving the door to every government office wide open. While private companies might worry about revenue loss, government agencies face a whole different level of risk—from national security threats to public trust issues.
Here’s what’s at stake:
- National security exposure: Foreign actors can use spoofed or compromised government mailboxes to phish staff and partners, gather intelligence on government operations, and gain a foothold in critical infrastructure systems through email-based attacks.
- Public trust erosion: Once citizens lose confidence in government communications, it’s incredibly hard to win back. When scammers can impersonate your agency, every legitimate email you send becomes suspect.
- Citizen data at risk: Government agencies handle sensitive personal information daily—from social security numbers to tax records. One successful phishing attack can expose thousands of citizens’ private data.
- Financial losses: The costs pile up fast—direct losses from fraud, investigation expenses, system recovery costs, and potential legal settlements, not to mention the taxpayer money spent cleaning up after a breach.
- Operational chaos: When email security fails, critical government operations can grind to a halt. Emergency response coordination suffers, inter-agency communication becomes unreliable, and public services face disruptions.
- Supply chain vulnerability: Government agencies don’t operate in isolation. A compromised email domain can affect entire networks of partners, contractors, and other agencies—creating a domino effect of security issues.
- Compliance headaches: Beyond BOD 18-01, poor email security can put you on the wrong side of numerous regulations, from state data protection laws to international privacy requirements.
These aren’t theoretical risks, either. Government domains face these threats every day, and without DMARC, it’s not a question of if you’ll face an attack—it’s when.
What is DMARC, and how does it work?
DMARC builds on two older authentication protocols so that receiving mail servers can verify that messages using your domain in the From: header were actually authorized by you:
- SPF (Sender Policy Framework): A DNS record listing the servers and services allowed to send mail for your domain. Receivers check the connecting server’s IP address against it.
- DKIM (DomainKeys Identified Mail): A digital signature added to each message and verified against a public key published in your DNS. A valid signature shows the message wasn’t altered in transit and that the signing domain vouches for it.
- DMARC: Requires that the message pass SPF or DKIM and that the passing domain align with the visible From: domain (so a vendor’s SPF pass on its own domain doesn’t count for yours), publishes the policy receivers should apply to messages that fail, and asks them to send you reports about what they saw.
When a message fails DMARC, your published policy tells the receiver to take one of three actions:
- p=none: “Monitor mode.” Failing messages are delivered as usual, but you receive reports about them.
- p=quarantine: Failing messages are treated as suspicious, which in practice means the spam or junk folder.
- p=reject: Failing messages are refused outright at delivery time.
Two other tags matter in practice: sp sets a separate policy for subdomains (it defaults to the same value as p), and pct applies the policy to only a percentage of failing mail, which is useful when ramping up to enforcement gradually.

Unlike spam filters, which guess at what looks suspicious, DMARC verifies the sender’s domain against records the domain owner published. For government agencies, this means only authorized senders can use your exact .gov domain, and spoofed messages can be stopped before they reach users’ inboxes. One caveat worth stating plainly: DMARC protects the domains you publish policies for. It does nothing about lookalike domains (a registered example-gov.com, say), which still need monitoring and user awareness.
DMARC is widely supported. Once your policy is published in DNS, every major mailbox provider will check it before delivering messages that claim to be from your domain. Enforcement only takes effect at receivers that honor the policy, but that now covers the large majority of mailboxes.
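To make the mechanism concrete, here is an added example (not code from the original article or from Valimail) of how a receiving mail server applies DMARC to one message: it looks up the policy, tests SPF and DKIM alignment against the visible From: domain, and returns the disposition. It also includes a small linter that reports what keeps a record short of enforcement, which is the check BOD 18-01 effectively asks for. The DNS answers come from a constructed in-memory table, and example.gov and its subdomains are hypothetical, so it runs offline.

```python
"""Added example (not from the original article): how a receiving mail server
applies a DMARC policy, plus a linter for the published record itself.
DNS answers come from a constructed in-memory table so this runs offline;
example.gov and its subdomains are hypothetical."""

# Constructed stand-in for DNS TXT lookups at _dmarc.<domain>.
FAKE_DNS = {
    "_dmarc.example.gov": "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov; adkim=s; aspf=r",
    "_dmarc.monitoring.example.gov": "v=DMARC1; p=none; rua=mailto:dmarc@example.gov",
}


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict with RFC 7489 defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")     # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")      # SPF alignment
    tags.setdefault("pct", "100")     # share of failing mail the policy applies to
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Organizational domain. Real receivers consult the Public Suffix List;
    keeping the last two labels is a simplification that is correct for .gov."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment between an authenticated domain and From:."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=FAKE_DNS):
    """Evaluate one message the way a receiver does.

    from_domain: domain in the visible From: header (what the recipient sees)
    spf_result/spf_domain: SPF verdict and the MAIL FROM domain it was checked on
    dkim_result/dkim_domain: DKIM verdict and the signature's d= domain
    Returns (policy, passes): the policy the receiver would apply if the message
    fails, and whether it passes (an aligned SPF pass OR an aligned DKIM pass).
    """
    from_domain = from_domain.lower()
    org = org_domain(from_domain)
    record = dns.get("_dmarc." + from_domain)
    fallback = False
    if record is None and from_domain != org:
        record = dns.get("_dmarc." + org)  # subdomains inherit the org policy
        fallback = True
    if record is None:
        return ("none", None)  # no record published: nothing for DMARC to enforce
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    policy = tags["sp"] if fallback else tags["p"]
    return (policy, spf_ok or dkim_ok)


def enforcement_gaps(txt, required_rua=None):
    """Findings that keep a record short of enforcement (p=reject on all mail).
    required_rua lets you insist on a specific reporting address, e.g. the one
    BOD 18-01 requires federal agencies to include."""
    tags = parse_dmarc(txt)
    gaps = []
    if tags["p"] != "reject":
        gaps.append("p=%s: failing mail is not rejected" % tags["p"])
    if tags["sp"] != "reject":
        gaps.append("sp=%s: subdomains can still be spoofed" % tags["sp"])
    if tags["pct"] != "100":
        gaps.append("pct=%s: policy applies to only part of failing mail" % tags["pct"])
    if "rua" not in tags:
        gaps.append("no rua: you receive no aggregate reports")
    elif required_rua and required_rua not in tags["rua"]:
        gaps.append("rua does not include %s" % required_rua)
    return gaps
```

Note the strict adkim=s in the constructed example.gov record: a DKIM signature with d=mailer.example.gov passes DKIM but fails DMARC alignment, which is exactly the kind of surprise monitoring reports surface before you move to p=reject.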
Unique challenges for government DMARC implementation
As you can imagine, implementing DMARC in government isn’t like flipping a switch. Government agencies face a few special circumstances that private companies don’t typically deal with:
- Legacy systems: Many agencies are running email systems that are older than some of their employees. These systems weren’t built with modern authentication in mind, and upgrading them isn’t as simple as downloading the latest update.
- Budget cycles: Getting budget approval for new security measures can feel like pushing a boulder uphill. Between fiscal year limitations and complex approval processes, securing funding requires planning way ahead.
- Contractor complications: Your agency probably works with dozens (or hundreds) of contractors who send email on your behalf. Getting all of them aligned with your DMARC implementation is like herding cats—very bureaucratic cats.
- Multi-departments: Different departments often use different email systems and services. Coordinating DMARC across all of them is easier said than done.
- Staff turnover: Just when you’ve trained your team on DMARC, key personnel move to different agencies. Knowledge transfer in government can be…challenging.
- Compliance confusion: Between BOD 18-01, state regulations, and various security frameworks, figuring out which requirements apply to your agency can be challenging.
- The “good enough” trap: Many agencies think their existing security measures are sufficient. However, if you’re not at DMARC enforcement, they’re not.
- Change management: It can be intimidating to get buy-in from leadership, train staff, and update procedures while maintaining normal operations.
Fortunately, none of these challenges are insurmountable. Agencies at every level of government have successfully implemented DMARC, and you can, too. The key is having the right approach and support, which we’ll cover later.
“Configuring DMARC was a major headache for our team; we struggled with misconfigurations, broken email flows, and uncertainty about which services were authorized to send on our behalf. Valimail’s platform gave us full visibility into our email ecosystem, helping us easily identify and fix issues without disrupting legitimate email traffic. Now, our DMARC policy is properly enforced, unauthorized senders are blocked, and we don’t have to worry about constant troubleshooting. Valimail made DMARC configuration effortless!”
Alfredo Medina, Head of Technology Services Management, National Human Rights Commission
Government-specific DMARC requirements
If you work in government IT, you’re probably drowning in compliance requirements. Let’s cut through the noise and focus on what really matters for DMARC.
BOD 18-01
The Department of Homeland Security made this clear in Binding Operational Directive 18-01 (October 2017): every federal civilian executive branch agency must have DMARC at enforcement level (p=reject) on all of its second-level domains and mail-sending hosts. The directive gave agencies 90 days to publish a p=none record with reporting enabled and one year to reach p=reject, and it requires aggregate reports to be sent to DHS as well as to the agency. This isn’t just about monitoring; it’s about actively blocking spoofed mail.
More recent federal guidance, including the move toward zero trust architecture, treats email authentication as a baseline control. Agencies are expected to show that they are actively monitoring and enforcing DMARC on their domains, not just that a record exists.
State and local situation
While federal agencies have strict deadlines, state and local governments aren’t off the hook. Many state cybersecurity frameworks now require some level of email authentication, and cyber insurance providers are increasingly asking for DMARC enforcement before they will cover a government agency.
Whether you’re protecting sensitive federal communications or local government services, DMARC isn’t optional anymore. It’s a fundamental part of modern government email security.
Implementation strategy for government agencies
Implementing DMARC in government isn’t as simple as installing a new app on your phone—it needs planning, coordination, and a solid strategy. While every implementation will look slightly different, here’s our general guidance when starting DMARC for your government agency:
1. Start with a domain audit
You need to know what you’re working with. Map out all your domains and subdomains, including the ones you might have forgotten about (trust us, there are probably more than you think). Include domains that never send mail: those should get an SPF record of "v=spf1 -all" and a p=reject DMARC policy too, since attackers don’t care whether you use them. This is your foundation for everything that follows.
2. Get your allies in line
Before diving into the technical stuff, get buy-in from key stakeholders. This means IT teams, department heads, and those budget folks. Having everyone on board early makes everything smoother later.
3. Begin with monitoring
Start your DMARC journey in monitor mode (p=none). Think of it as reconnaissance—you’re gathering intel about who’s sending email using your domains without blocking anything yet. This is where you’ll discover all sorts of surprising email activities you didn’t know about.
You can start monitoring your accounts for free with Valimail Monitor.
4. Clean up your email
Use those monitoring reports to identify all your legitimate email senders, then get each one authenticated with a domain that aligns with yours: add its sending servers to your SPF record (mind the 10-DNS-lookup limit) or, better, have it DKIM-sign with your domain. Your marketing team’s email platform? Add it to the list. That survey tool HR uses? That too. Third-party services sending automated notifications? You get the picture.
5. Implement authentication gradually
Don’t try to boil the ocean. Start with your main domain, get that working perfectly, then move on to subdomains. Remember that a subdomain without its own record inherits your organizational domain’s sp policy, so set sp deliberately rather than letting it default. It’s like rolling out a new program: pilot it first, work out the kinks, then expand.
6. Move to enforcement
Once your legitimate mail is passing authentication checks, tighten the policy in stages. Move to quarantine (p=quarantine) first, optionally with pct set low and raised over time, then to full enforcement (p=reject) with pct back at 100. Yes, this is the part people dread, but with proper preparation, it’s smoother than you’d think.
7. Document and maintain
Create clear documentation about your DMARC setup. When that helpful IT person eventually moves to another agency, you don’t want your email security knowledge walking out the door with them.
8. Keep monitoring and adjusting
DMARC isn’t a “set it and forget it” solution. As your agency’s email needs change (new vendors, new systems, staff who set up their own tools), senders will start failing authentication unless you keep reviewing reports and updating your SPF and DKIM records.
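Steps 3 through 8 all turn on reading the aggregate (rua) reports receivers send you. As an added example (not code from the original article or from Valimail), here is a triage script for one such report: it sorts every sending IP into "authorized", "needs alignment" (a real sender, typically a vendor, passing SPF or DKIM on its own domain rather than yours) or "unauthorized", and computes the pass rate you would watch before moving to enforcement. The XML is constructed to follow the RFC 7489 report schema; the IP addresses are documentation ranges and the domains are hypothetical.

```python
"""Added example (not from the original article): triage of a DMARC aggregate
(rua) report. The XML below is constructed to match the RFC 7489 report
schema; the IPs are documentation ranges and the domains are hypothetical."""
import xml.etree.ElementTree as ET

SAMPLE_RUA = """<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.gov</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.gov</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.gov</domain><result>pass</result></dkim>
      <spf><domain>example.gov</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.gov</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.survey-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.gov</header_from></identifiers>
    <auth_results>
      <spf><domain>example.gov</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>"""


def classify(record):
    """Sort one report row into what the domain owner should do about it."""
    evaluated = record.find("row").find("policy_evaluated")
    # policy_evaluated holds the *aligned* results, i.e. the DMARC verdict.
    if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
        return "authorized"
    # auth_results holds the raw SPF/DKIM results. A raw pass on an unaligned
    # domain is a real sender (usually a vendor) using its own domain; fix it
    # with an SPF include or by having it DKIM-sign with your domain.
    auth = record.find("auth_results")
    raw_pass = auth is not None and any(r.findtext("result") == "pass" for r in auth)
    return "needs_alignment" if raw_pass else "unauthorized"


def triage(report_xml):
    """Summarize a rua report by source IP. Returns (per_source, pass_rate)."""
    # Reports arrive from third parties: in production parse them with
    # defusedxml (or equivalent) rather than the stdlib parser.
    root = ET.fromstring(report_xml)
    per_source = {}
    total = passed = 0
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        verdict = classify(rec)
        per_source[ip] = {
            "count": count,
            "verdict": verdict,
            "header_from": rec.find("identifiers").findtext("header_from"),
        }
        total += count
        if verdict == "authorized":
            passed += count
    return per_source, (passed / total if total else 0.0)


if __name__ == "__main__":
    sources, rate = triage(SAMPLE_RUA)
    for ip, info in sources.items():
        print(ip, info["count"], info["verdict"])
    print("DMARC pass rate: %.1f%%" % (100 * rate))
```

In the constructed report, 198.51.100.7 is the survey vendor from step 4: its mail passes SPF on bounce.survey-vendor.example, which does nothing for DMARC on example.gov, so it would be quarantined or rejected the moment you tighten the policy. 203.0.113.99 passes nothing and is the traffic enforcement exists to block.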
Common pitfalls and how to avoid them
Even the best-planned government projects can hit roadblocks. After helping hundreds of businesses reach enforcement, we’ve seen pretty much everything that can go wrong. Here are the most common pitfalls—and how to avoid them:
- Starting too big: Trying to implement DMARC across all domains at once.
- Smart move: Start with your primary domain, get it right, then expand.
- Rushing to enforcement: Jumping straight to p=reject before understanding your email ecosystem. This is how you accidentally block legitimate emails and end up with angry calls from every department head.
- Smart move: Use monitoring mode to understand your email traffic first.
- The “set and forget” trap: Implementing DMARC and never looking at the reports.
- Smart move: Regular monitoring and adjustments keep your email security tight.
- Going it alone: Trying to implement DMARC manually without the right tools or expertise. Your IT team is talented, but they probably have enough on their plate already.
- Smart move: Use automated tools and expert support to speed up implementation.
- Poor communication: Not telling departments when you’re making changes to email authentication. Nothing sparks panic like unexpected email delivery issues.
- Smart move: Keep stakeholders informed at every stage.
- Ignoring third-party senders: Forgetting about all those external services sending email on your behalf.
- Smart move: Map out ALL your email senders before making policy changes.
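Mapping out every third-party sender has a concrete limit attached to it: RFC 7208 caps an SPF record at 10 DNS lookups, and every vendor's include: spends at least one, often several once their own nested includes are counted. Past the limit receivers return a permanent error and your SPF pass rate collapses. The following added example (not code from the original article or from Valimail) walks an SPF record and its includes and counts those lookups. The TXT answers come from a constructed table of hypothetical domains so the check runs offline; point resolver at a real DNS client to audit your own domain.

```python
"""Added example (not from the original article): counting the DNS lookups an
SPF record consumes, since RFC 7208 caps them at 10 and every third-party
"include:" spends one. TXT answers are a constructed table of hypothetical
domains so the check runs offline; swap in a real resolver to audit your own."""

FAKE_TXT = {
    "example.gov": "v=spf1 include:_spf.mailhost.example include:vendor-a.example "
                   "include:vendor-b.example mx -all",
    "_spf.mailhost.example": "v=spf1 include:_netblocks1.mailhost.example "
                             "include:_netblocks2.mailhost.example ~all",
    "_netblocks1.mailhost.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_netblocks2.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "vendor-a.example": "v=spf1 include:spf.vendor-a.example a -all",
    "spf.vendor-a.example": "v=spf1 ip4:203.0.113.0/26 -all",
    "vendor-b.example": "v=spf1 include:mail1.vendor-b.example include:mail2.vendor-b.example "
                        "include:mail3.vendor-b.example -all",
    "mail1.vendor-b.example": "v=spf1 ip4:203.0.113.64/26 -all",
    "mail2.vendor-b.example": "v=spf1 ip4:203.0.113.128/26 -all",
    "mail3.vendor-b.example": "v=spf1 ip4:203.0.113.192/26 -all",
}

# Mechanisms and modifiers that each cost a DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
LOOKUP_LIMIT = 10


def lookup_txt(domain):
    """Constructed resolver: returns the SPF TXT record for a domain, or None."""
    return FAKE_TXT.get(domain)


def spf_lookups(domain, resolver=lookup_txt, _seen=None):
    """Return (lookup_count, findings) for the SPF record at `domain`,
    recursing into include: and redirect= the way a receiver would."""
    seen = _seen if _seen is not None else set()
    findings = []
    if domain in seen:
        return 0, []  # already expanded; the include itself was counted by the caller
    seen.add(domain)
    record = resolver(domain)
    if record is None:
        return 0, ["%s: no SPF record (void lookup)" % domain]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, ["%s: not an SPF record" % domain]
    count = 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        if body.lower().startswith("redirect="):
            name, arg = "redirect", body.split("=", 1)[1]
        else:
            name, _, arg = body.partition(":")
            name = name.split("/")[0].lower()  # 'a/24' -> 'a'
        if name in LOOKUP_TERMS:
            count += 1
            if name in ("include", "redirect"):
                sub_count, sub_findings = spf_lookups(arg, resolver, seen)
                count += sub_count
                findings.extend(sub_findings)
        elif name == "all" and qualifier in "+?":
            findings.append("%s: '%s' lets any server pass SPF" % (domain, term))
    return count, findings


def audit_spf(domain, resolver=lookup_txt):
    """Lookup count plus findings, with the over-limit condition listed first."""
    count, findings = spf_lookups(domain, resolver)
    if count > LOOKUP_LIMIT:
        findings.insert(0, "%s: %d DNS lookups, over the limit of %d (receivers return permerror)"
                        % (domain, count, LOOKUP_LIMIT))
    return count, findings


if __name__ == "__main__":
    total, notes = audit_spf("example.gov")
    print("example.gov SPF lookups:", total)
    for note in notes:
        print(" -", note)
```

In the constructed table, three vendors plus the agency's own mail host and an mx mechanism add up to 11 lookups, one over the limit, even though the top-level record has only four terms. The usual fixes are to move vendors to DKIM signing with your domain, to delegate each vendor to its own subdomain with its own SPF record, or to use a service that flattens or macro-expands the record for you.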
Valimail has helped the Australian Labor Party overcome these common government email security pitfalls. With our help, they reached DMARC enforcement in just 28 days with a 96% pass rate. We authenticated over 1.4 million of their emails and helped them combat domain spoofing amid intensified election communication demands.
Other solutions seemed overly complicated. Valimail offered a straightforward setup and configuration, with the added benefit of unlimited SPF lookup.
Dennis Perry, CTO for Special Projects for the Australian Labor Party
Protect your government agency with Valimail
Email security in government goes beyond just checking compliance boxes. It involves protecting the digital infrastructure that citizens, employees, and partner agencies rely on every day. And while DMARC implementation might seem daunting, you don’t have to tackle it alone.
Valimail is the only FedRAMP-certified DMARC solution that helps government agencies reach DMARC enforcement in weeks (not months). Our solutions automatically identify all email senders and help you meet BOD 18-01 requirements with confidence. We have even partnered with Defending Digital Campaigns to prevent email impersonation during the 2024 election.
We have experience working with many government domains, such as:
- The United States Census Bureau
- The Environmental Protection Agency
- The U.S. Department of Agriculture
- USAID
- Australian Labor Party
- United States Agency for Global Media
- States of Delaware, Michigan, and Ohio
We can help you too.
Don’t wait for an email-based attack to expose your agency. Reach out to Valimail DMARC experts to start protecting your domain today.