BOD 18-01 DMARC mandate and requirements explained

The Binding Operational Directive (BOD) 18-01, released by the Department of Homeland Security (DHS) in October 2017, mandates federal agencies to enhance their email and web security protocols. A key part of this is the required configuration of Domain-based Message Authentication, Reporting, and Conformance (DMARC) to combat email spoofing and phishing attacks.

At Sendmarc, we make DMARC management effortless.

Key DMARC requirements under BOD 18-01

DMARC configuration timeline

  • In 90 days: Agencies must ensure that all internet-facing mail servers offer STARTTLS (opportunistic Transport Layer Security, TLS) and that all second-level agency domains have valid Sender Policy Framework (SPF) and DMARC records. The DMARC policy must be at least p=none, with at least one address configured to receive aggregate and/or failure reports.
  • In one year: Agencies must move to a DMARC policy of p=reject for all second-level domains and mail-sending hosts, so that receiving mail servers are far more likely to reject unauthenticated messages.

Benefits of a p=reject policy

  • Enhanced protection: Setting a DMARC policy to p=reject provides the strongest defense against spoofed emails, increasing the likelihood that unauthenticated messages are blocked before reaching recipients.
  • Protected reputation: Implementing a p=reject policy helps maintain the integrity of a domain – by reducing unauthorized use, it safeguards your organization’s reputation and trustworthiness.
  • Improved deliverability: A strict DMARC policy like p=reject can enhance the deliverability of emails by showing ISPs that a domain meets specific authentication standards, increasing the likelihood that emails are accepted and correctly classified.

Additional security measures

  • Disable weak protocols and ciphers: Agencies must disable Secure Sockets Layer (SSL) v2 and SSL v3, and weak ciphers such as Triple Data Encryption Standard (3DES) and Rivest Cipher 4 (RC4), on mail servers to protect against known vulnerabilities in those protocols and algorithms.
  • Include the NCCIC in reporting: All second-level agency domains must add the National Cybersecurity and Communications Integration Center (NCCIC) as a recipient of their DMARC aggregate reports.
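The protocol and cipher requirement above can be expressed directly in TLS configuration. The following is an added example, not code from Sendmarc or from the directive: it builds a Python ssl.SSLContext that refuses anything below TLS 1.2 and excludes RC4, 3DES and single-DES suites, then audits the resulting cipher list so the exclusion can be verified rather than assumed. The cipher-string syntax is OpenSSL's, so the same string applies to OpenSSL-based mail servers; the marker substrings used for the audit are an assumption about OpenSSL suite naming.

```python
# Added example (not from the page): the protocol/cipher floor BOD 18-01
# asks for, expressed as a Python ssl.SSLContext, plus an audit function.
# The same OpenSSL cipher-string syntax is used by OpenSSL-based MTAs.
import ssl

# Substrings that identify RC4 and 3DES suites in OpenSSL cipher names
# (e.g. 'RC4-SHA', 'DES-CBC3-SHA', 'ECDHE-RSA-DES-CBC3-SHA'). Assumed naming.
WEAK_SUITE_MARKERS = ("RC4", "DES-CBC3", "3DES")


def hardened_context() -> ssl.SSLContext:
    """TLS 1.2+ only, with RC4, 3DES and single-DES suites excluded."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    # SSLv2/SSLv3 are already refused by current OpenSSL builds, but pinning
    # the floor explicitly makes the requirement visible in a config review.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: start from HIGH, then drop the suites the
    # directive names. TLS 1.3 suites are unaffected (and contain neither).
    ctx.set_ciphers("HIGH:!aNULL:!RC4:!3DES:!DES")
    return ctx


def weak_suites(ctx: ssl.SSLContext) -> list[str]:
    """Cipher suites still offered by ctx that use RC4 or 3DES."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_SUITE_MARKERS)]


def protocol_floor_ok(ctx: ssl.SSLContext) -> bool:
    """True when the context will not negotiate anything below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    ctx = hardened_context()
    print("protocol floor OK:", protocol_floor_ok(ctx))
    print("weak suites still offered:", weak_suites(ctx) or "none")
    print("suites offered:", len(ctx.get_ciphers()))
```

The audit step matters because an OpenSSL build may or may not include a given legacy suite; checking get_ciphers() on the live context is what confirms the exclusion on the machine that will actually run the server.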

By meeting the BOD 18-01 requirements and implementing strong DMARC policies, organizations can strengthen their defenses against email-based threats and enhance the authenticity and integrity of communications.
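To make the record-level requirements on this page concrete (the 90-day p=none and report-address milestone, the one-year p=reject milestone, and the NCCIC aggregate-report recipient), here is an added example, not code from Sendmarc or CISA: a small DMARC record parser that audits a TXT record against each requirement and lists what is missing. The NCCIC mailbox is a placeholder, since the page does not give it; the real address is published in the directive. The sample records are constructed, not real agency DNS data. It goes slightly beyond the page's wording by also checking the sp and pct tags, since an explicit sp=none or pct below 100 leaves subdomains or a share of mail unenforced even when p=reject is set.

```python
# Added example (not Sendmarc's or CISA's code): audit a DMARC TXT record
# against the BOD 18-01 milestones described on this page.
# NCCIC_RUA is a PLACEHOLDER mailbox; the real reporting address is published
# in the directive text, not on this page.
from __future__ import annotations

NCCIC_RUA = "mailto:nccic-reports@placeholder.example.gov"   # placeholder

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into {tag: value}.

    Tags are lower-cased; values are kept verbatim. Empty segments (e.g. from
    a trailing ';') are skipped, and a later duplicate tag overwrites an earlier one.
    """
    tags: dict[str, str] = {}
    for segment in record.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        key, _, value = segment.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def report_uris(tag_value: str) -> set[str]:
    """Normalise a rua/ruf value ('mailto:a@x, mailto:b@y!10m') to a set of
    lower-cased URIs with the optional '!size' suffix removed."""
    uris: set[str] = set()
    for uri in tag_value.split(","):
        uri = uri.strip().split("!", 1)[0]
        if uri:
            uris.add(uri.lower())
    return uris


def check_bod_18_01(record: str, nccic_rua: str = NCCIC_RUA) -> dict[str, bool]:
    """Return one boolean per requirement; True means the requirement is met."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    subdomain_policy = tags.get("sp", policy).lower() or policy   # sp defaults to p
    rua = report_uris(tags.get("rua", ""))
    ruf = report_uris(tags.get("ruf", ""))
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0   # malformed pct: treat as not fully enforced
    valid = tags.get("v", "").upper() == "DMARC1" and policy in VALID_POLICIES
    return {
        # 90-day milestone: a valid record with at least p=none and a report address
        "day90_valid_record": valid,
        "day90_report_address": bool(rua or ruf),
        # one-year milestone: p=reject for the domain and its mail-sending hosts
        "year1_reject": policy == "reject",
        "year1_subdomains_reject": subdomain_policy == "reject",
        "year1_full_enforcement": pct == 100,
        # NCCIC must receive aggregate (rua) reports
        "nccic_in_rua": nccic_rua.lower() in rua,
    }


def failures(record: str, nccic_rua: str = NCCIC_RUA) -> list[str]:
    """Names of the requirements the record does not meet (empty = compliant)."""
    return [name for name, ok in check_bod_18_01(record, nccic_rua).items() if not ok]


# Constructed sample records (not real agency DNS data).
DAY90_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@agency.example.gov"
PARTIAL_RECORD = ("v=DMARC1; p=reject; sp=none; pct=50; "
                  "rua=mailto:dmarc@agency.example.gov")
COMPLIANT_RECORD = ("v=DMARC1; p=reject; "
                    "rua=mailto:dmarc@agency.example.gov!10m," + NCCIC_RUA + "; "
                    "ruf=mailto:dmarc-forensic@agency.example.gov")

if __name__ == "__main__":
    for label, rec in [("day-90", DAY90_RECORD), ("partial", PARTIAL_RECORD),
                       ("compliant", COMPLIANT_RECORD)]:
        print(f"{label:10s} missing: {failures(rec) or 'nothing'}")
```

In practice the record string would come from a DNS TXT lookup of _dmarc.<domain>; the checker is kept offline here so it can be run against any record text. Note that the DAY90_RECORD sample passes the 90-day checks but fails the one-year ones, which is exactly the progression the directive lays out.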

For more details on the topic, visit the official CISA page on BOD 18-01, or if you’re interested in learning more about DMARC, check out our solution.