State and local governments are starting to make progress–albeit slowly–on adopting latest-generation email authentication protocols.

According to a Dec. 11 report from Valimail, only 5 percent of state and local governments are taking the initial steps to deploy the Domain-based Message Authentication, Reporting, and Conformance (DMARC) authentication standard, an email authentication protocol that verifies the authenticity of an email’s sender in order to prevent spoofing and phishing.

However, “no top-level state domain (e.g.,, or has yet implemented DMARC with an enforcement policy,” Valimail said.

“Of the groups we track in our quarterly reports, [state and local domains are] among the lowest adoption rates we’ve seen, the next closest being global media companies at 15 percent,” the report said.

While adoption is low on the state and local level, the Department of Homeland Security issued a Binding Operational Directive (BOD) requiring Federal agencies to adopt the protocol. While the majority of Federal agencies were able to deploy DMARC in less than a year, Valimail did note that there are three times as many state and local domains as there are Federal ones and despite that, Valimail remained confident that the protocol could–and should–be deployed quickly.

“While [the BOD] did not apply to state or local government entities, they have the same opportunity available: implement email authentication and get increased visibility and protection for their domains,” the report said. “And since state and local governments are responsible for critical infrastructure, voting systems, local businesses, and more, citizens should be afforded the same trusted email communications they can expect from the Federal government.”

In its study, Valimail found that 220 of 4,273 state and local .gov domains–roughly 5 percent–have deployed DMARC. The report also noted that only 25 local .gov domains have set their DMARC protocol to reject spoofed emails. Valimail notes that this leaves “99.4 percent [of domains] vulnerable to impersonation.”

Annapolis, Md.; Sarasota, Fla.; East Hartford, Conn.; El Paso, Texas; Gunnison, Colo.; and Los Gatos, Calif. are among the government domains that have deployed DMARC. However, the report noted that “no top-level state domain (e.g.,, or has yet implemented DMARC with an enforcement policy.”

“This research shows that state and local governments are at the beginning of their journey toward authenticated email that can be trusted by citizens and government employees alike,” said Alexander García-Tobar, CEO and co-founder of Valimail, a provider of DMARC email authentication. “The good news is that this journey can be completed rapidly, economically, and effectively, as the Federal government has shown.”

Read More About
Kate Polit
Kate Polit
Kate Polit is MeriTalk SLG's Assistant Copy & Production Editor, covering Cybersecurity, Education, Homeland Security, Veterans Affairs