Nearly two months after a Department of Homeland Security deadline for all federal agencies to implement a basic email security policy, one-third of agencies have yet to do so, according to recent data collected by Valimail.

DHS released its binding operational directive requiring agencies to use Domain-based Message Authentication, Reporting and Conformance, or DMARC, in October 2017, giving agencies until Jan. 15, 2018, to institute a p=none policy, which monitors but does not take any action on unauthorized emails sent through the agency’s server.

According to Jan. 16, 2018, Valimail data, only 54.7 percent of agencies met the initial DHS deadline. The new data brings that number up to 66 percent, but many agencies have yet to institute any DMARC policy, with less than a year to go before an October 2018 DHS deadline for agencies to move to a stricter, enforcement-based policy designated p=reject.

In advance of the second deadline, only 18 percent of all agencies have implemented enforcement-level DMARC, according to Valimail.
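As an added illustration (not part of the original article and not Valimail's methodology), the sketch below classifies the DMARC TXT records published at _dmarc.<domain> as monitoring (p=none) or enforcement (p=reject) and tallies the result. The domain names and records are constructed samples, and the handling of pct and p=quarantine follows RFC 7489 rather than anything stated in the article.

```python
import re
from collections import Counter

def parse_dmarc(txt):
    """Parse one TXT string into a tag dict; return None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.strip().split(";") if p.strip()]
    # RFC 7489: the version tag must come first and its value must be DMARC1.
    if not parts or re.fullmatch(r"v\s*=\s*DMARC1", parts[0]) is None:
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Classify a domain from the TXT records found at _dmarc.<domain>."""
    parsed = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(parsed) != 1:  # none, or several conflicting records: no usable policy
        return "no-policy"
    tags = parsed[0]
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 100  # choice made for this example: unparsable pct falls back to the default
    if policy == "none":
        return "monitoring"  # reports are collected, no action on failing mail
    if policy == "reject":
        return "enforcement" if pct == 100 else "partial-enforcement"
    if policy == "quarantine":
        return "quarantine"  # stricter than none, but not the p=reject target
    return "invalid"  # DMARC record with a missing or unknown p= value

def tally(domains):
    """Count classifications over a {domain: [txt records]} mapping."""
    return Counter(classify(records) for records in domains.values())

# Constructed sample data, not real agency records.
SAMPLE = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@b.example"],
    "c.example": ["v=spf1 -all"],  # an SPF record is not a DMARC policy
    "d.example": ["v=DMARC1; p=reject; pct=25"],
    "e.example": ["v=DMARC1; p=quarantine"],
}

if __name__ == "__main__":
    for label, count in sorted(tally(SAMPLE).items()):
        print(f"{label}: {count} of {len(SAMPLE)}")
```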

The research also found that only the following 14 agency domains (of 156 tested) have fully implemented enforcement-level policies:

African Development Foundation

Federal Reserve Board of Governors

Defense Nuclear Facilities Safety Board

Veterans Affairs

Federal Deposit Insurance Corporation

FTC.gov

Millennium Challenge Corporation

Nuclear Regulatory Commission

Occupational Safety and Health Review Commission

Selective Service System

Social Security Administration

U.S. Holocaust Memorial Museum

U.S. Postal Service

Department of Justice

Even with the relatively low number of agencies at p=reject, the number of agencies adopting enforcement-level DMARC has increased by over 450 percent since DHS came out with its initial requirement in October 2017, indicating that the policy has made a marked difference in email security, even if not all agencies are on board yet.

