A quarter of civilian federal agencies have adopted DMARC and SPF email authentication protocols for all their domains in compliance with a mandate.

Thirty-four percent of 133 agencies are now fully compliant with what is known as BOD 18-01. Issued by the Department of Homeland Security (DHS), the mandate requires civilian federal agencies within its scope to implement DMARC and SPF on all domains. A major deadline of the mandate falls on October 16, 2018. That’s the day by which federal agencies need to have enforced a DMARC policy of “reject.”

Some organizations need to get going if they are to meet that deadline. According to Proofpoint’s latest email authentication compliance analysis, 26 percent of in-scope agencies have yet to start their DMARC deployment. That’s just slightly better than the 28 percent of agencies that had not yet begun their DMARC compliance journey as of July 2018.

In the meantime, nearly three-quarters (72 percent) of civilian federal agencies have begun working on their DMARC compliance themselves, while 19 percent have enlisted the help of third-party vendors. These efforts have helped more than half (51.9 percent) of agency domains achieve compliance with the one-year deadline, which is up from 20 percent last year.

Rob Holmes, VP of email security at Proofpoint, explained in a statement that this increase marks an important step in the right direction. But he opined that full compliance for all agencies and their domains is not expected by the October deadline:

…As many suspected, the expedited timeline of this initiative has made it difficult for agencies to properly fund and execute a compliance plan. Within the last month, we’ve observed 45 domains newly achieve the 1-year compliance deadline. While we do expect to observe an increase in activity over the next month, this rate indicates that it is unlikely that more than 70% of domains will achieve compliance by the mid-October deadline.

At this time, 80 percent of civilian federal agencies have either attempted their deployment projects in-house or not yet begun their compliance journey. Proofpoint attributed this finding to a lack of prioritization and/or funding for email authentication projects among in-scope organizations.