Sign in
  • Home
  • Products
    • Enforce
    • DMARC Monitor
    • Instant SPF
    • Amplify
  • Solutions
    • Anti-phishing
    • Brand protection
    • Compliance
    • Government
    • Marketing
    • Microsoft
    • Shadow IT
  • About
    • News + awards
    • Partners
    • Team
    • Careers
    • Industry leadership
    • Customer support
  • Learn
    • Resources
    • Blog
    • Customers
  • Support
Request phishing analysis
  • Products
    • Enforce
    • DMARC Monitor
    • Instant SPF
    • Amplify
  • Solutions
    • Anti-phishing
    • Brand protection
    • Compliance
    • Government
    • Marketing
    • Microsoft
    • Shadow IT
  • About
    • News + awards
    • Partners
    • Team
    • Careers
    • Industry leadership
    • Customer support
  • Learn
    • Resources
    • Blog
    • Customers
  • Get started for free
  • Support
  • Sign in
Check to see if you’re protected
☰
Check to see if you’re protected
Share this article
Related posts
  • Blog
    Research: Only 22 of the top 100 retailers are protected by DMARC
  • Blog
    DMARC authentication gets you the deliverability you deserve
  • Blog
    How vulnerable are U.S. election operations to email spoofing?
Valimail blog

U.S. government DMARC adoption surges, just ahead of the deadline

Author: Valimail
gov-domains-DMARC-progress-1-16

(Updated 1/16 with new data)

In October, the Department of Homeland Security issued a directive that requires all federal agencies to implement DMARC for every domain they own.

Department of Homeland Security’s mandate, BOD 18-01 requires agencies to secure their email through DMARC and STARTTLS, and web pages through HTTPS.

The first significant deadline for BOD 18-01 is almost here. On January 15, every agency domain must have a DMARC record with, at minimum, a p=none policy.

Agencies have made a great start. When the mandate first emerged on October 16, 2017, only 18 percent of the 1,315 federal domains had a DMARC record. Three months later, as of January 16, that number has more than doubled and now stands at 54.7 percent, or 706 out of the 1,315 federal .gov domains. Eighteen of these domains added DMARC records over the federal holiday weekend.

The federal government now has a higher rate of DMARC deployment than almost any commercial sector we’ve looked at, including the Fortune 500 (34 percent), major U.S. banks (32 percent), and even Crunchbase “unicorns” (31 percent).

We predict that the vast majority of the government’s domains will have DMARC records within the next few months, even if they do miss this first deadline.

(Are you an agency that needs DMARC? Valimail’s ValiGov service can help.)

No Need to Panic

Gaining compliance with the January 15th requirement is not as difficult as it appears.

Especially in monitoring mode, DMARC does not have to be costly, risky, or difficult. As they learn this, many more agencies will find it’s easy to comply with BOD 18-01’s initial requirement to publish a basic DMARC record in monitoring mode.

DMARC can be implemented on any domain in about five minutes, with the addition of a single, one-line text record in DNS. Given the change control mechanisms that govern DNS updates in most organizations, that could realistically take several days to complete, but it’s not a heavy lift by any means.

This has no impact on other DNS services (such as the availability of the domain’s web servers) and, as long as the policy for the DMARC record is set to “none,” it will have no effect on whether email messages get delivered or not.

The most basic DMARC record also allows domain owners to specify an email address to receive DMARC aggregate reports, which provides an invaluable tool for collecting data on how the domain is being used by email senders.

When agencies turn on DMARC reporting, they will begin to see exactly which mail servers, cloud services, and even printers have been sending email using the agencies’ domains. Of course, phishers who are trying to impersonate the agencies with fraudulent emails will also show up in these aggregate reports. It’s the first step toward gaining control of their email ecosystems.

It’s a good sign that more than half of the federal government’s domains now have DMARC records. We’re optimistic that the vast majority of domains will have DMARC within the next few months.

Then it’s on to the next challenge — getting to enforcement, which is the point at which DMARC actually starts protecting agencies from fraudulent emails by blocking unauthorized senders. That won’t be an easy journey, but it too is eminently achievable within the next nine months.

The key will be automation: Automatically identifying senders, automatically configuring DNS records to match, and making it easy for domain owners to authorize or de-authorize senders with a single click.

We’ll have more on that in a future post. In the meantime, if you’d like to find out how Valimail’s ValiGov service can help you get DMARC deployed and gain BOD 18-01 compliance, let us know.

Back to blog
Published January 12, 2018
  • data
  • DHS
Author: Valimail
Valimail is the global leader in zero-trust email security. The company’s full line of cloud-native solutions authenticate sender identity to stop phishing, protect brands, and ensure compliance; they are used by organizations ranging from neighborhood shops to some of the world's largest organizations, including Uber, Splunk, Yelp, Fannie Mae, Mercedes Benz USA, and the U.S. Federal Aviation Administration. Valimail is the fastest growing DMARC solution, with the most domains at DMARC enforcement, and is the premier DMARC partner for Microsoft 365 environments. For more information visit www.valimail.com.
Resources
Top retailers remain vulnerable to email brand spoofing
Learn more
Email security with Microsoft and Valimail
Learn more
Election email security
Learn more
Email fraud landscape, Summer 2020
Learn more
Preparing for BIMI: A Marketer’s Guide
Learn more
Latest news
Trump’s refusal to concede the election is creating an opening for cy...
Learn more
2020 General Election Results to Directly Impact Tech Industry
Learn more
Why Email Is Still an Election Day Disinformation Risk
Learn more
US elections are still vulnerable to email spoofing
Learn more
Security Gaps Persist, Report Warns, After U.S. Blames Iran In Election Sch...
Learn more
Press releases
Valimail Triples Customer Base, Becomes Top Global DMARC Provider in 2020
Learn more
Valimail: 2020 election infrastructure still vulnerable to email hackers
Learn more
Valimail Announces Selection by ASG for Anti-Phishing and BEC Protection
Learn more
Valimail DMARC Monitor and Valimail Enforce Now Available in the Microsoft ...
Learn more
Valimail Research Finds More Than 1 Million Domains Using Crucial Email Aut...
Learn more
Follow us
Contact us

P: 888.354.6179
E: info@valimail.com

Headquarters

180 Montgomery Street
20th Floor
San Francisco, CA 94104

Valimail Mountain Office

1550 Larimer Street
Suite 271
Denver, CO 80202

Request a full phishing analysis
© Valimail
  • Terms of use
  • Privacy Policy
  • Do not sell my personal information
  • Website terms of use
  • Phishing Analysis
  • Domain Checker
  • Products
  • Enforce
  • DMARC Monitor
  • Instant SPF
  • Amplify
  • Solutions
  • Anti-phishing
  • Brand protection
  • Compliance
  • Government
  • Marketing
  • Microsoft
  • Shadow IT
  • About
  • News + awards
  • Partners
  • Team
  • Careers
  • Industry leadership
  • Customer support
  • Learn
  • Resources
  • Blog
  • Customers