Nearly two months after a Department of Homeland Security deadline that all federal agencies implement a basic email security policy, one-third of agencies still have yet to implement that policy, according to recent data collected by Valimail.

DHS released their binding operational directive requiring agencies to use Domain-based Message Authentication, Reporting and Conformance, or DMARC, in October 2017, giving agencies until Jan. 15, 2018, to institute a p=none policy, which monitors but does not take any action on unauthorized emails sent through the agency’s server.

According to Jan. 16, 2018, Valimail data, only 54.7 percent of agencies met the initial DHS deadline. The new data brings that number up to 66 percent, but many agencies have yet to instate any DMARC policy less than a year away from an October 2018 DHS deadline that agencies move to a stricter, enforcement-based policy designated p=reject.

In advance of the second deadline, only 18 percent of all agencies have implemented enforcement-level DMARC, according to Valimail.

The research also found that only the following 14 agency domains (of 156 tested) have fully implemented enforcement-level policies:

  • African Development Foundation
  • Federal Reserve Board of Governors
  • Defense Nuclear Facilities Safety Board
  • Veterans Affairs
  • Federal Deposit Insurance Corporation
  • Millennium Challenge Corporation
  • Nuclear Regulatory Commission
  • Occupational Safety and Health Review Commission
  • Selective Service System
  • Social Security Administration
  • U.S. Holocaust Memorial Museum
  • U.S. Postal Service
  • Department of Justice

Even with the relatively low number of agencies at p=reject, the number of agencies adopting enforcement-level DMARC has increased by over 450 percent since DHS came out with its initial requirement in October 2017, indicating that the policy has made a marked difference in email security, even if not all agencies are on board yet.