The feds are deploying DMARC


The US National Cybersecurity Assessments & Technical Services Team have issued a mandate on web and email security, including TLS+HSTS for web servers, and STARTTLS+SPF+DKIM+DMARC for email.
It’s … pretty decent for a brief, public requirements doc. It’s compatible with a prudent rollout of email authentication.

  • Set up a centralized reporting repository for DMARC failure and aggregate reports.
  • Within 90 days, turn on opportunistic TLS, deploy SPF records, deploy DKIM and set up DMARC with p=none and an email address for reporting.
  • Within 120 days, disable weak TLS ciphers.
  • Within one year, migrate to p=reject.

The TLS requirements are sensible, and should be easy enough to roll out – and there’s likely enough time to work with vendors when it inevitably turns out that some servers can’t comply.
Best, it allows for a period of up to nine months of sending email with DMARC in monitoring-only mode with p=none. That, combined with a centralized repository for DMARC reports means that they should have enough visibility into issues to be able to resolve them before migrating to p=reject.
It all suggests a more realistic approach to DMARC timescales and issue monitoring during rollout than many organizations have shown.
They also have one of the clearer layman introductions to email authentication I’ve seen at
Much of the content is well worth borrowing if you’re planning your own authentication upgrades; it’s all released CC0 / public domain (and the markdown source is at github).

About the author

Add comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

By steve

Recent Posts


Follow Us