Today marks the Department of Homeland Security’s (DHS) Binding Operational Directive (BOD) 18-01 deadline, which requires all U.S. federal agencies to deploy email authentication on all domains to increase security for anyone receiving email from federal agencies or visiting a federal website. When BOD 18-01 was announced last October, only 20% of federal agency domains had implemented DMARC authentication at any level (p=none, p=quarantine, or p=reject). According to our analysis, 74% of federal domains have now published DMARC records and 60.5% of domains are now compliant with the BOD 18-01.
To determine the compliance level, we examined the full set of Federal civilian domains provided by the Federal government, which included 1,311. As the BOD 18-01 requires both SPF and DMARC compliance, we analysed the adoption of both protocols across the domain set.
This is a significant achievement as many agencies did not have this initiative in their plans/budgets when the mandate was announced and DMARC implementation can be complex. According to the directive, as of today, all agencies are required to fully implement authentication with a policy of ‘reject’, to ensure all unauthorised email sent from their domains is blocked. The BOD 18-01 included two aggressive implementation deadlines:
- January 2018 – Agencies required to have a DMARC record published with a policy of “p=none”, allowing them to collect authentication data and gain visibility into their domains.
- October 2018 – Agencies required to fully implement authentication with a policy of ‘reject’, ensuring that all unauthorised email sent from their domains is blocked.
BOD 18-01 DMARC Adoption in 2018: In-House and Third-Party Initiatives
Last year at this time, 12.4% of emails sent from .gov domains was unauthorised. That’s nearly 1 out of every 8 emails. Enforcing a DMARC policy of ‘reject’ on these domains helps ensure that only legitimate, authorised email is being delivered.
At the first milestone deadline in January, about 15% of agency domains had reached a DMARC policy of ‘reject’ and 37% of domains had a p=none policy in place. Today, 62% of these domains are compliant with the one-year deadline – having a ‘reject’ policy in place – and 10.9% are at p=none. 1.1% of agency domains have p=quarantine policy in place. This leaves about 26% of agency domains that do not have a DMARC record published yet.
Agency DMARC Deployment
Efforts made by the agencies to meet the final BOD 18-01 deadline are evident in the approaches they’ve taken to implement DMARC authentication over the past several months. Since January, the percentage of agencies that have worked on their DMARC projects in-house has increased from 39% to 56%. This data aligns with the overall increase in DMARC adoption rates seen across the agencies. Interestingly, the percentage of agencies that have engaged help from a third-party DMARC provider has tripled, increasing from 7% to 21% since January. This change demonstrates the seriousness with which agencies have taken BOD 18-01 and the importance they place on protecting email sent from their trusted domains.
While not every agency is DMARC compliant with BOD 18-01 at the deadline, the progress made over the past year is commendable. Ideally, we will continue to see this positive trend until each agency fully protects their domains from email spoofing attacks. And while it is nice to see other industry groups taking a similar stance with DMARC authentication, BOD 18-01 has been a promising step in the right direction that organisations in all industries should follow.
Learn more about email authentication and how Proofpoint can help you implement DMARC quickly and confidently, please visit: https://www.proofpoint.com/us/products/email-fraud-defense