Implementing DMARC in the Federal Government

The key to eliminating phishing and safeguarding email communication.


The Problem

Email is the #1 way attackers target citizens and government employees.

Why it Works

Email lacks build-in authentication:
Attackers can easily spoof or impersonate anyone in your organization using free tools

Attackers need to be right just once: 
With billions of emails hitting government inboxes, odds are in the attacker's favor

Email gateways can't solve the problem:
Attackers rely on social engineering tactics and identity deception, not malicious content or URLs that traditional tools were built to detect


The Solution

DMARC functions like an ‘identity check’ for your agency. It prevents spammers and criminals from hijacking your valid organization domain names and brand for email.

What is DMARC?

DMARC (Domain-based Message Authentication Reporting & Conformance) is an open email authentication protocol, established in 2012 by organizations including Google, Microsoft, Agari, PayPal, and others to protect the email channel. DMARC is the best way for email senders and receivers to determine whether or not a given message is legitimately from the sender, and what to do if it isn’t.

Benefits of Deploying DMARC for Your Agency

Stop email phishing attacks using your agency’s reputation

Agencies reduce the likelihood that their domains and brand will be used in an attack.

Reduce account takeover risk

By preventing delivery of phishing and malware-laden messages directed at your employees or constituents, you can reduce the number of account takeovers.

Increase email deliverability

By deploying DMARC, you ensure that legitimate email from your agency gets delivered and is not blocked at the receiver.

Gain visibility into cyberattack risk

Do you know every third-party company that sends email on behalf of your agency? DMARC provides this critical visibility, allowing you to ensure that anyone sending on your behalf complies with email best practices.

The Federal Perspective

The Department of Homeland Security (DHS) has mandated adoption of DMARC on all government agency email domains.

DMARC (and email authentication) is evolving into a key metric that impacts the  FISMA scorecard against your agency.

NIST recommends using DMARC authentication tools to provide protection against phishing (SP 800-177, Trustworthy Email, Section 4.6).

DMARC Enforcement Policies


What is a DMARC Enforcement Policy?

When you set a DMARC policy for your agency you, as an email sender, are indicating that your messages are protected.
The policy tells a receiver what to do if one of the authentication methods in DMARC passes or fails.

How it Works
When emails are received by the mailbox provider, the receiver checks if DMARC has been activated for your domain. 



What Does a DMARC Policy Look Like?

Here’s a typical policy in DNS. Note that this domain is configured with a policy of ”reject”. 
DMARC record for


Steps to DMARC Implementation


How Do I Get Visibility and Reporting from DMARC?

Once your DMARC policy is implemented, you will start to receive thousands of reports every day, depending upon the number of emails your organization sends. Because it’s difficult to process the reports manually, you can work with a commercial vendor to display and process the data. Commercial software such as Agari DMARC Protection can help with DMARC policy creation and hosting, third-party sender identification and alignment, and ongoing visibility as you progress through your DMARC implementation. In fact, Fortra’s Agari DMARC Protection ensures companies reach Reject confidently and securely, boasting an enforcement rate of 78%.

See how Agari DMARC Protection automates DMARC email authentication
and enforcement for government agencies to prevent costly phishing attacks.