Five Percent of U.S. State and Local Domains Join Battle Against Domain Impersonation

Valimail press release

Five Percent of U.S. State and Local Domains Join Battle Against Domain Impersonation

Most .gov domains outside the federal government have not begun to deploy email authentication — a huge opportunity for government leadership

SAN FRANCISCO, Dec. 11, 2018 — Valimail, the world’s only FedRAMP-authorized provider of DMARC email authentication, released data today showing that 5 percent of state and local government domains are taking initial steps to protect themselves against phishing and email fraud through email authentication.

The Valimail report, “The State of State and Local Email,” found that 220 of 4,273 state and local .gov domains, or about 5 percent, have deployed the Domain-based Message Authentication, Reporting and Conformance (DMARC) authentication standard. An even smaller number, 25, have set DMARC to a policy that rejects fake emails, leaving 99.4% vulnerable to impersonation.

Among the government domains that have protected themselves from impersonation through DMARC at enforcement are the cities of Annapolis, Maryland; Sarasota, Florida; East Hartford, Connecticut; El Paso, Texas; Gunnison, Colorado; and Los Gatos, California. No top-level state domain (e.g.,, or has yet implemented DMARC with an enforcement policy.

“This research shows that state and local governments are at the beginning of their journey toward authenticated email that can be trusted by citizens and government employees alike,” said Alexander García-Tobar, the CEO and co-founder of Valimail. “The good news is that this journey can be completed rapidly, economically, and effectively, as the federal government has shown.”

DMARC Is Critical for Email Fraud Prevention

By deploying email authentication through DMARC and other standards and by configuring DMARC to a policy of enforcement — which directs receiving mail servers to reject or quarantine unauthorized messages — government organizations can substantially improve their cybersecurity defense posture, protect themselves against phishing, and shut down email-based impersonation and fraud.

There is substantial cause for optimism. In just one year (October 2017 to October 2018), there has been a 14x increase in the number of federal agencies protected by a DMARC record at enforcement, thanks to a directive issued by the Department of Homeland security requiring most federal agencies to deploy DMARC.

(Valimail has several customers among the federal government, all of whom achieved compliance with the DHS directive by the deadline.)

Although state and local governments are not obligated to implement email authentication under that federal directive, these results should serve as proof that governments can move quickly and effectively to protect their communications — and that implementing DMARC to a policy of enforcement is the way to do it.

To download the free government report from Valimail, visit:

Subscribe to our newsletter