Federal Agencies Maintain Their Lead Over Every Industry in Anti-Spoofing Protection

The D in Washington DC is for DMARC

In virtually every category Valimail has examined over the past year, we’ve seen a steady increase in the number of domains that have published DMARC records.

There is one exception: In the cohort of U.S. federal government domains, we’ve seen a dramatic, unprecedented increase. This is due directly to the Department of Homeland Security’s October 2017 directive, BOD 18-01, requiring all executive-branch agencies to implement DMARC on a one-year timeline.

Since the executive branch accounts for the vast majority of the 1,315 federal .gov domains, that directive, known as BOD 18-01, has had a huge impact on DMARC usage in this group. In Q3, just as BOD 18-01 was issued, 18.5 percent of federal domains had DMARC records; the total is now a massive 71.1 percent.

DMARC usage rates are going up in every industry

Tech Companies Left in the Dust?

No other category is even close. The two closest sectors — U.S. tech companies with $1 billion or more in revenues, and the Fortune 500 — now show more than 40 percent adoption in their use of DMARC. A third category, U.S. banks with $1 billion or more in revenues, is just touching 40 percent.

It may be surprising to some that the federal government is leading the charge on adopting a new technology. But this is a clear case where regulatory guidance can make a huge difference, if properly crafted and based on a solid technical understanding. BOD 18-01 was not just a blanket directive; it was specific and actionable, and it was paired with a website that provided concrete implementation details and numerous resources. As a result, even though BOD 18-01 might be considered an “unfunded mandate,” many agencies are finding it possible to comply with its directives — and to do so without enormous outlays of capital.

Getting to Enforcement

Publishing a DMARC record is one thing, but configuring it correctly and completely is another. Domain owners must ensure that all cloud-based services that send email are duly authorized. They need to ensure that the DMARC and SPF records are all correctly configured and then switch their DMARC policy to enforcement if they wish to realize the standard’s anti-impersonation benefits.

To date, most companies that attempt DMARC do not complete the journey. The enforcement failure rate — the percentage of companies that deploy a DMARC record but don’t get to enforcement — hovers around 75-80 percent for almost every category of company we have studied.

DMARC failure rates hover around 75-80% in almost every industry

In this area, the U.S. federal government is also doing better than average, with a failure rate that now hovers around 40 percent — the lowest (i.e. best) we’ve ever seen.

Again, the success of the U.S. government is attributable to compliance pressure: BOD 18-01 requires agencies to get their DMARC policies to enforcement (specifically, a “reject” policy) by October 16, 2018, and many agencies have responded by doing exactly that — particularly with domains that aren’t actively used to send email, and which are easier to configure as a result.

Next Up: Locking Down Active Domains and Subdomains

The next challenge for the federal government will be getting active domains (those that are used for sending a lot of email) to enforcement, and ensuring that all subdomains are also fully protected by DMARC.
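As an added example that is not part of the original post, here is a small Python checker for the two conditions discussed above: whether a domain's DMARC record is at enforcement (p=reject or p=quarantine applied to 100 percent of mail, with p=reject being what BOD 18-01 calls for) and whether its subdomains are covered by the sp= tag, which defaults to the value of p= when absent. The sample records and domain names are constructed for illustration, not real agency records.

```python
# Constructed sample DMARC TXT records for illustration (not real agency records).
SAMPLE_RECORDS = {
    "agency-a.example.gov": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example.gov",
    "agency-b.example.gov": "v=DMARC1; p=none; rua=mailto:reports@agency-b.example.gov",
    "agency-c.example.gov": "v=DMARC1; p=quarantine; sp=none",
    "agency-d.example.gov": "v=DMARC1; p=reject; pct=50",
    "agency-e.example.gov": None,  # no DMARC record published at all
}

ENFORCING = {"reject", "quarantine"}  # policies that actually block or divert spoofed mail


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; return None if absent or malformed."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        return None
    return tags


def at_enforcement(tags):
    """True when the organizational domain applies reject/quarantine to 100% of mail."""
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False
    return tags["p"] in ENFORCING and pct == 100


def subdomains_protected(tags):
    """True when the effective subdomain policy (sp=, defaulting to p=) is enforcing."""
    return tags.get("sp", tags["p"]) in ENFORCING


def enforcement_failure_rate(records):
    """Share of domains that publish a valid DMARC record but are not at enforcement."""
    parsed = [t for t in (parse_dmarc(r) for r in records.values()) if t]
    if not parsed:
        return 0.0
    return sum(1 for t in parsed if not at_enforcement(t)) / len(parsed)
```

Running it over the sample set, two of the four published records (p=none and pct=50) fall short of enforcement, and the p=quarantine domain leaves its subdomains unprotected through sp=none.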

Thanks to their high rate of DMARC deployment and their high success rate, 43 percent of U.S. federal government domains are protected by DMARC policies at enforcement. That is a remarkably high figure, and the CIOs and CISOs responsible for this progress deserve congratulations for the progress they have made.

There is still a way to go, of course, as 57 percent of federal domains remain open to impersonation by fake emails. Despite best efforts, it’s likely that many of these domains will not be protected by DMARC p=reject policies by the October 16 deadline. Those that remain unprotected will be under pressure to get to enforcement as quickly as they can.

In that journey, an automated approach to DMARC is the fastest, most effective route to enforcement.

Find out more about how DMARC automation — with Valimail’s FedRAMP Authorized solution — can help you gain BOD 18-01 compliance quickly and reliably. Click here for more information on our government DMARC solutions.

Dylan Tweney is the head of communications for Valimail.