Twenty-Five Percent of Email "From" U.S. Federal Agencies is Fraudulent or High-Risk, Agari Finds

DHS Orders Agencies to Implement DMARC to Protect Citizens from Phishing and Fraud

SAN MATEO, Calif.--()--Agari, a leading cybersecurity company, today issued the Agari U.S. Federal Government DMARC Adoption report showing that 25 percent of email claiming to be from federal agencies is either fraudulent or otherwise unauthenticated. Among the 400 government domains protected by Agari, cybercriminals targeted 90 percent of them with deceptive emails that appear to come from a federal agency.

Federal agencies are vulnerable because only nine percent of domains have implemented the DMARC email authentication standard with a policy that blocks inauthentic emails. When fully implemented, DMARC (Domain-based Message Authentication, Reporting & Conformance) virtually eliminates deceptive emails that impersonate an agency domain. Agari found that nearly 82 percent of federal domains lack DMARC entirely, leaving their constituents unprotected from phishing and other forms of email attacks.

Recognizing the threat, the Department of Homeland Security (DHS) on Oct. 16 ordered all federal domains to implement DMARC. The order, "Binding Operational Directive 18-01," is a compulsory direction to all federal departments and agencies. They have 30 days to submit a plan of action, 90 days to implement at least the lowest level of DMARC (monitoring, or p=none), and one year to implement the highest level of DMARC (reject, which blocks all unauthenticated messages from delivery).

DMARC emerged in 2007 from a pilot program between PayPal and Yahoo! to eliminate phishing emails. As a founding member of DMARC, Agari has worked with the largest email providers (AOL, Comcast, Google, Microsoft and Yahoo!) to protect the receipt of email since January 2012. Agari will continue to take the lead in working with U.S. federal government agencies to implement DMARC, block phishing emails and restore trust in communication between government and its citizens.

"DMARC has proven incredibly effective at combating phishing across billions of emails daily," said Patrick Peterson, founder and executive chairman of Agari. "This DHS directive is an important step to protect our government, businesses and citizenry from cybercrime. We would like to recognize Agari's customers that pioneered DMARC in the federal government including the U.S. Senate, Health and Human Services, Customs and Border Protection, U.S. Census Bureau, Veterans Affairs and the U.S. Postal Service. We hope their leadership and experience serves as a resource for best practices among their government peers who are beginning this journey."

Agari U.S. Federal Government DMARC Adoption Report Overview

Agari analyzed the DMARC policies of more than 1,300 Federal domains using the Agari DMARC Lookup Tool. Key findings from "Agari U.S. Federal Government DMARC Adoption Report: DHS Mandates DMARC for Email Security" include:

The vast majority of federal agencies have failed to implement DMARC – Nearly 82 percent of Federal domains lack DMARC entirely. Only nine percent are preventing spoofing of their domain names by applying DMARC policies to quarantine or reject unauthenticated email. The remaining nine percent are using DMARC to monitor unauthenticated emails but are not blocking it from being sent.

Federal agency domains are heavily targeted by fraudsters – Of the 400 government domains Agari monitors, 90 percent were targeted by fraudulent or unauthorized emails between April and October 2017. Of the 336.4 million emails appearing to be sent from these domains during that period, 85.6 million (25.4 percent) were fraudulent or otherwise failed authentication.

DMARC black phishing and fraud – Providing a case study of an early adopter of DMARC, Agari has demonstrates how it prevented delivery of more than 100 million fraudulent email messages in 24 hours. Agari and DMARC protect more than 2 trillion emails per year, preventing more than 60 Billion deceptive emails from being delivered to inboxes.

About Agari

Agari, a leading cybersecurity company, protects people and businesses against cyber criminals who use false identities to commit fraud, steal information and undermine trust in digital business. The Agari Email Trust Platform is the industry's only artificial intelligence (AI) driven defense system that models authentic, trustworthy communications to protect humans from being deceived by cyberattacks such as phishing, ransomware and business email compromise (BEC). Some of the world's best-known companies—including six of the top 10 banks, the top five social networks, leaders in healthcare, shipping and cloud providers—trust Agari to recognize and block these attempts at digital deception in ways other security providers can't. Agari is a recipient of the JPMorgan Chase Innovation Award, and is recognized by Gartner as a Cool Vendor in Security and by Forbes as a Cloud 100 Rising Star. The company is backed by Alloy Ventures, Battery Ventures, First Round Capital, Greylock Partners, Norwest Venture Partners and Scale Venture Partners. Learn more at and follow us on Twitter @AgariInc.


Julie Seymour, 415-269-2606


Julie Seymour, 415-269-2606