Federal SPF and DMARC Adoption Up More Than 30 Percent Points Leading Up to BOD 18-01 Deadline

September 17, 2018
Ryan Terry

The one-year mark for BOD 18-01 is quickly approaching, with about a month to go until the October 16, 2018 compliance deadline. A significant portion of the mandate set forth by the Department of Homeland Security (DHS) requires civilian federal agencies to implement DMARC and SPF email authentication protocols on all domains. According to the directive, agencies need to have valid SPF and DMARC records (with a minimum DMARC policy of “p=none”) within 90 days of the issuance of BOD 18-01. The next major compliance deadline requires agencies to enforce a DMARC policy of “reject” by October 16, 2018.

With weeks to go until the one-year deadline, our researchers examined the compliance standing for each agency and their domains. Our data shows that agencies have made commendable progress on their journeys to compliance – despite that fact that implementing email authentication protocols can be difficult – especially given the aggressive timelines set forth by the DHS – and that these projects were not part of their existing budgets.

Agency Compliance

Thirty-four (25%) of the 133 agencies under the BOD 18-01 mandate are fully compliant at this point, having satisfied both SPF and DMARC requirements for all their domains, while 35 agencies (26%) have yet to start their DMARC deployment. Interestingly, 72 agencies (55%) have been working on deploying DMARC themselves, of which two agencies are conducting blind DMARC deployments. A blind deployment means the agency is not receiving the benefits of visibility into their email ecosystem that are provided by DMARC reports. However, 19% of agencies have engaged 3rd-party vendors to help them achieve compliance. Based on the data, it is clear that agencies with fewer domains are closer to compliance than those who have a larger number of domains.

Domain Compliance

In contrast with the number of agencies that are compliant, 51.9% of agency domains are compliant with the one-year deadline. These domains have both a valid SPF record and a valid DMARC record with a “reject” policy in place. This is a significant increase from just 20% a year ago. Yet, 31% of agency domains are not DMARC compliant and 23.8% of domains do not have a valid SPF in place.

The email security mandates included within BOD 18-01 are a step in the right direction. There has been a substantial amount of progress made to increase the security of email sent from federal domains and it would be great to see these agencies continue to move forward towards compliance. However, it seems unlikely that more than 70% of agency domains will meet the compliance deadline in mid-October. Many agencies haven’t been able to prioritize or fund their email authentication projects as we see that 107 (80%) of them have either attempted their deployment projects in house or have not started their compliance journey yet.

[image caption: Timeline of security deadlines outlined in DHS BOD 18-01]

Proofpoint provides the visibility, tools, and services to help federal agencies implement DMARC authentication quickly and confidently. We encourage security teams to pursue a free DMARC assessment and uncover any suspicious email being sent on your organization’s behalf and get actionable guidance that can be used to improve security. Learn more at: https://www.proofpoint.com/us/products/email-fraud-defense