The Department of Homeland Security’s Binding Operational Directive (BOD) 18-01 was introduced in October 2017 to federal, executive branch, departments, and agencies for purposes of safeguarding federal information and information systems.
Because this measure is a significant step toward protecting classified and important conversations and documents via email, all federal agencies are required to comply with DHS-developed directives. A term of endearment, “cyber hygiene” is paramount in user security. By implementing specific security standards adopted throughout the government, federal agencies “can ensure the integrity and confidentiality of internet-delivered data, minimize spam, and better protect users who might otherwise fall victim to a phishing email that appears to come from a government-owned system.”
To that point, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) allow a sending domain to effectively “watermark” its emails, making unauthorized emails (e.g., spam, phishing, spoofing) easy to detect. When an email is received that doesn’t pass an agency’s posted SPF/DKIM rules, DMARC tells a recipient what the domain owner would like done with the message.
Setting a “reject” DMARC policy provides the strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery. Additionally, DMARC reports provide a mechanism for an agency to be made aware of the source of an apparent forgery, information that wouldn’t typically be available otherwise. Multiple recipients can be defined for the receipt of DMARC reports, ensuring a wide net of protection.
Specifications of Directive
For purposes of this write-up, our focus is the following portions of Binding Operational Directive 18-01: II. | 1. | a. | i. | iii. | iv. The language associated with these aspects includes:
i. Within 90 days after issuance of this directive, configuring:
- All internet-facing mail servers to offer STARTTLS, and
- All second-level agency domains to have valid SPF/DMARC records, with at minimum a DMARC policy of “p=none” and at least one address defined as a recipient of aggregate and/or failure reports.
This verbiage necessitates all in-use domains to adopt at least a “p=none” DMARC policy, as well as selecting a minimum of one address for related aggregate and failure reports to be sent for review.
iii. Within 15 days of the establishment of centralized National Cybersecurity & Communications Integration (NCCIC) reporting location, adding the NCCIC as a recipient of DMARC aggregate reports.
This sentence requires the NCCIC platform to be designated as the major receiver of produced DMARC reports to analyze and interpret email delivery trends associated with governmental domains.
iv. Within one year after issuance of this directive, setting DMARC policy of “reject” for all second-level domains and mail-sending hosts.
The importance of this instruction benefits email delivery by ensuring no illegitimate messages are accepted into receiving inboxes. Setting a “reject” DMARC policy offers the strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery.
Regarding the private sector, BOD 18-01 is exciting regulation because it means the government wants all agencies to leverage DMARC for email delivery and protection against potential threats. The more DMARC becomes implemented and remains the gold standard in protecting company messages from fraud, online communication between businesses and customers will continue to improve and be safer.
Benefits of DMARC
The benefits of adopting DMARC for your business email communications are significant. Specifically, DMARC helps companies through:
- Improved email delivery – Sending email that’s DMARC compliant will improve email delivery to your customers and increase overall delivery rates.
- Email visibility – DMARC provides report visibility into ALL outbound emails sent “from” your domain and any 3rd-party providers you use (e.g., MailChimp, SendGrid, Marketo).
- Identifying Delivery Problems – DMARC also offers insight into email authentication issues with SPF and DKIM that impact email delivery.
- Preventing spoofing/phishing attacks – After proper implementation, DMARC will prevent fraudsters from targeting your customers with malicious email campaigns.
As you can see, for your business email to be as safeguarded and effective as possible, implementing DMARC is essential. Protecting your brand and online reputation will help grow your company, and the key to achieving your email potential is DMARC. As the government increases its efforts to secure both inbound and outbound messages with the DMARC protocol, the need for your business to follow suite is apparent. If the Pentagon entrusts its email in this manner, shouldn’t you do the same for your company? If you have any questions about next steps, MxToolbox has the answers.