Federal Agencies Making Progress Toward DMARC Deadline

As of today, U.S. federal agencies officially have 30 days until the first major deadline from the Department of Homeland Security order that directs them to implement DMARC records on their domains.

The DHS issued its mandate, called Binding Operational Directive 18-01, just two months ago. It calls for all agencies to publish DMARC records in DNS by January 15, 2018, with at minimum a monitoring-only policy (p=none). Agencies have another nine months, until October 16, 2018, to get those policies to p=reject, which directs receiving mail servers to delete unauthorized messages using the protected domain.

Despite the short time window given to them and the lack of any funding to support this mandate, agencies are making progress. When the DHS issued BOD 18-01 on October 16, 81.5 percent of the 1,315 .gov domains had published no DMARC record at all, and only 3.9 percent were actually protected by an enforcement policy.

Today, 189 more .gov domains have DMARC records than did in October, shrinking the number of domains with no record at all to 67.1 percent. And 9.5 percent are ahead of the game, with an enforcement policy in place. 

Note: Our analysis is based on the canonical list of federal .gov domains published by GSA. It includes about 1,150 domains that belong to executive branch agencies, and the remainder of the list includes domains, such as senate.gov and house.gov (neither of which are fully protected by DMARC at enforcement) that are not covered by BOD 18-01.

However, progress is still not fast enough to meet the official deadlines. At the current rate, it’ll be a year before all of these domains have published DMARC records, and another 2-3 years before they’re protected by enforcement policies.

Fortunately for federal agencies, the first step doesn't have to be difficult. Implementing DMARC with a minimal, monitoring-only policy (p=none) can be done with a simple, one-line text record in DNS, with no risk of interrupting the flow of legitimate mail. With that done, agencies will start collecting data on how their domains are being used for email, and they can begin to prepare for the next step, enforcement.

And Valimail can help with both goals (inserting a DMARC record by January 15 and getting to p=reject by October 16), with our patented, automated DMARC management system, Valimail Enforce. We have the highest proven success rate in getting companies to DMARC enforcement. Find out more about Valimail for Government.


Valimail is the trusted leader in fully-automated email authentication, with the only comprehensive platform for anti-impersonation, brand protection, and compliance used by corporations and federal agencies such as Uber, Fannie Mae, WeWork, and the U.S. Agency for International Development. Valimail Enforce is the only FedRAMP-authorized email authentication service and, because it uses no personally identifiable information (PII), it is also GDPR compliant. Valimail authenticates billions of messages a month for some of the world's biggest companies, in finance, government, transportation, health care, manufacturing, media, technology, and more. Valimail is based in San Francisco. For more information visit www.Valimail.com.