You may have heard that the DHS mandated DMARC for all federal agencies last year. Many federal agencies are still working on it, despite the expired deadline.

But what about state governments? There has been no mandate for state governments.

We wanted to find out what states are doing (if anything) to protect their domains (and therefore their agencies, officials, and constituents). We examined the SPF and DMARC policies for each state’s official domain. The results were frighteningly poor.

UPDATE: Since this was originally posted, there have been a few changes in some states:




SPF Scores

Overall Scores

How States Can Improve Their Email Security

The best way to secure a domain against phishing attacks is to implement a strict DMARC policy. Since DMARC relies on SPF and DKIM, it is important to set up SPF records that reflect the domain’s senders and to use unique and secure DKIM keys for each sender. To learn more, see our info pages about DMARC, SPF, and DKIM.
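
To make the difference between a strict and a weak setup concrete, here is an added example (not Fraudmarc's code or scoring method) that grades SPF and DMARC TXT records offline. The strength labels, function names, and the `.example` sample records are assumptions made for illustration.

```python
# Added example: grade SPF and DMARC TXT records offline. Labels are assumptions.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")  # each costs a DNS lookup

def dmarc_strength(record):
    """Return 'none', 'monitor', 'partial' or 'strict' for a DMARC TXT record."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return "none"
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p", "none")
    if policy not in ("quarantine", "reject"):
        return "monitor"  # p=none only requests reports; spoofed mail is delivered
    if policy == "reject" and tags.get("pct", "100") == "100":
        return "strict"
    return "partial"  # quarantine, or reject applied to only part of the mail

def spf_summary(record):
    """Return (result of the 'all' term, lookup-causing terms in this record)."""
    terms = (record or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return ("none", 0)
    label, lookups = "no-all", 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name = body.split(":", 1)[0].split("/", 1)[0]
        if name in LOOKUP_TERMS or body.startswith("redirect="):
            lookups += 1  # top level only; nested includes need live DNS
        if name == "all":
            label = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}[qualifier]
    return (label, lookups)

# Constructed sample records (reserved .example names), not real state domains.
SAMPLES = {
    "strong.example": ("v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"),
    "weak.example": ("v=spf1 a mx include:a.example include:b.example ~all",
                     "v=DMARC1; p=none"),
    "bare.example": ("", ""),
}

def audit(samples):
    """Map each domain to ((spf 'all' result, lookup terms), dmarc strength)."""
    return {d: (spf_summary(spf), dmarc_strength(dmarc)) for d, (spf, dmarc) in samples.items()}

if __name__ == "__main__":
    for domain, result in audit(SAMPLES).items():
        print(domain, result)
```

The lookup count matters because SPF evaluation stops with an error once a record needs more than ten DNS lookups (RFC 7208), so a record that lists many senders can fail even when every entry is correct.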

Fraudmarc can help

Fraudmarc’s intuitive tools let you manage and monitor a variety of authorized senders and DKIM selectors, and provide free DMARC reports. Since Fraudmarc also uses SPF Compression℠, the number of DNS lookups needed to authenticate all of your authorized senders is minimized. Many of Fraudmarc’s tools are completely free for all to use.