Federal DMARC compliance spikes up


More than six out of 10 federal domains are fully compliant with website and email security requirements laid out in a Department of Homeland Security directive released last year, while about three out of four are at least publishing reports that can provide more insight into spoofing attacks.

The numbers were released by cybersecurity firm Proofpoint the day before an Oct. 16, 2018, deadline for all federal agencies to implement the highest levels of domain-based message authentication, reporting and conformance (DMARC) protections. They represent a marked improvement in federal cybersecurity even as the numbers show that agencies will come in well below total compliance. A January analysis by Proofpoint found that just 15 percent of federal domains were fully compliant.

"This is a significant achievement as many agencies did not have this initiative in their plans [or] budgets when the mandate was announced and DMARC implementation can be complex," Robert Holmes, vice president of email security at Proofpoint, wrote in an Oct. 16 blog post.

According to Proofpoint's research, 62 percent of the 1,311 federal domains can now identify, quarantine and reject unauthorized government emails, while another 10.9 percent can identify suspicious emails but haven't set a policy to automatically reject them. About 26 percent of agency domains have not yet published DMARC records.

DMARC is one of several components of a binding operational directive issued by DHS in October 2017 that was designed to bolster baseline cybersecurity standards around federal websites and email. The tool is designed to authenticate legitimate federal communications and crack down on the use of fake or impersonated emails that look like they're coming from official government accounts, something that Proofpoint claims happened in one out of every eight emails sent from .gov domains last year.

While the directive mandates full compliance from agencies by Oct. 16, DHS officials have said in the past that they lack any real means to punish those who miss the deadline and that a softer approach that shines a light on the problem has achieved substantial cybersecurity improvements across the federal government.

Some members of Congress like Sen. Ron Wyden (D-Ore.) have pushed DHS to go beyond the requirements listed in the directive and put in place plans to analyze and use the DMARC reports sent by agencies to gain additional insights into spoofing attacks.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.
