You may have heard that the DHS mandated DMARC for all federal agencies last year. Many federal agencies are still working on it, despite the expired deadline. But what about state governments? There has been no mandate for state governments.We wanted to find out what states are doing (if anything) to protect their domains (and therefore their agencies, officials, and constituents). We examined the SPF and DMARC policies for each state’s official domain. The results were frighteningly poor.

UPDATE: Since this was originally posted, there have been a few changes in some states:
  • Montana improved its overall score from F to C by implementing DMARC!
  • Maine improved its overall score from F to C by implementing DMARC!
  • Oregon improved its score a little by working on its SPF record.
  • Iowa and Washington improved their SPF records slightly, but it didn't affect their overall scores.
  • Ohio and Nevada’s SPF records both got a little worse…
  • New York introduced a typo into its SPF record (and now it’s broken…)
  • Alaska's score is a little worse because its SPF record is now over the lookup limit...



  • Only 5 states have a DMARC policy at all
  • 100% of those using DMARC (only 5 states) is set to “none.”

SPF Scores

  • 11 states don’t have a record at all
  • 4 states have records that don’t provide any protection (they have a formatting error or use a permissive all term- for more information, see our What is SPF info page).
  • 6 states have really good SPF records.

Overall Scores

  • 45 states got F’s for email security
  • 1 state got a D for email security
  • 4 states got C’s for email security
  • It seems we need to send our representatives back to school!

How States Can improve Their Email Security

The best way to secure a domain against phishing attacks is to implements a strict DMARC policy. Since DMARC relies on SPF and DKIM, it is important to set up SPF records that reflect the domain's senders and use unique and secure DKIM keys for each sender. To learn more about DMARC, SPF, and DKIM, see our info pages about DMARC, SPF, and DKIM pages.

Fraudmarc can help

Fraudmarc’s intuitive tools let you manage and monitor a variety of authorized senders and DKIM selectors and provides free DMARC reports. Since Fraudmarc also uses SPF Compression℠, the number of DNS lookups needed to authenticate all of your authorized senders is minimized. Many of Fraudmarc's tools are completely free for all to use.