November 19, 2018

The government mandated a strict DMARC policy for .gov domains. How did they do?

In October 2017, the Department of Homeland Security issued Binding Operational Directive 18-01 focused on securing the email and web traffic of the United States federal government. The highlights of this directive include enabling StartTLS to encrypt email traffic between networks, implementing email authentication standards for .gov domains (including SPF, DKIM, and DMARC at p=reject), and moving all sites to secure “https” URLs.

BOD 18-01:

“Within one year (October 16, 2018) of BOD issuance, set a DMARC policy of “reject” for all second-level domains and mail-sending hosts.“

On November 1, 2018, two weeks after the DHS deadline to be at p=reject, we looked at 1000 .gov domains. We’re happy to report over the course of the last year, the government was hard at work getting their email world in order, with 81.6% of .gov domains surveyed achieving the required p=reject policy. Unfortunately, a handful of .gov’s are still at the p=none (5%) or p=quarantine (.6%) stage, and a shocking 12.8% are still not publishing a policy at all.

While the directive doesn’t list any punitive actions imposed against a .gov domain failing to implement p=reject, there are still a few domains needing to pull up the bootstraps and get this implemented correctly.

DMARC Results:


The government shouldn’t stop there, either. We also looked into the SPF policies of these same domains for a different look into email authentication. The vast majority of domains have their SPF set to -all (73.5%), followed by ~all (16.1%), ?all (1.4%), no record (8.9%), and even one domain with +all (.1%). There is definitely additional room for improvement in publishing a valid SPF record for these domains. Don’t forget: Poor SPF and DKIM authentication can have a significant impact on deliverability.

SPF Results:


While the US government set the pace for adoption of DMARC in the marketplace, even a binding directive leaves room for improvement toward total adoption. Hopefully with the government’s successful example, adoption across other industries and verticals will follow suit, driving adoption and increased authentication efforts. After all, with nonprofits’ nearly 94% non-adoption rate and law firms leading our studied industries with only 38% of firms using DMARC, there’s a lot of room for improvement out there.

If you have questions about DMARC or how your DMARC configuration is working, reach out to us. We have a team of experts ready to help.

Author: Matthew Vernhout

Matthew Vernhout is a digital messaging industry veteran and Certified International Privacy Professional (CIPP) with more than a decade of experience in email marketing. Matt is 250ok’s Director of Privacy, and he is currently the Vice Chair of the eec, after serving for several years as the Chair of their Advocacy Subcommittee.

You may also like...

[Infographic] Global Privacy Relationship Status: It’s Complicated

I recently gave a presentation on global privacy regulations to a post-graduate marketing class and one of the things I noticed while preparing was that even within a single country, privacy is complicated. On a global scale, it is really complicated. For example, Canada has one federal private sector privacy law, three similar provincial laws, […]

The Year in Email 2018

*Update: This article was featured on email influencer Jordie van Rijn’s emailmonday blog! To see it in action, plus a great round-up of other articles and thought leadership looking forward to the future of email, click here.* The Black Friday emails are deleted, marketers’ email lists are checked twice, we pretty much know which senders […]

Poorly designed emails could cost you millions of dollars. But what does that really mean?

We partnered with the smart folks at Lab42 to research what people really think about marketing email. Do they like how they look on their preferred device? Do they prioritize the same design elements you do? If you’re not aligned with your recipients, you could end up sending unwanted, unsatisfying email. You know what that […]

Ready to get started?