State Governments Are 44 Points Behind Federal on DMARC Enforcement
Federal agencies are at 70% DMARC enforcement. State governments are at 26%. The same email technology, the same threat landscape, a 44-point gap. The difference is a binding directive issued in 2017.
A spoofed email from a state government portal (a benefits agency, tax authority, or DMV) will be delivered to the recipient's inbox in most states. Government impersonation is among the most effective phishing vectors: people respond to official-looking government mail in ways they don't respond to retail promotions.
The numbers
We checked all 50 state government portal domains in May 2026:
- 26% at
p=reject(13/50) - 76% have a DMARC record (38/50); deployment without enforcement
- Federal .gov: ~70% at
p=reject - Gap: 44 percentage points between state and federal enforcement
State by state
At p=reject (13 states): Alabama, Delaware, Hawaii, Louisiana, Maine, Michigan, Minnesota, Montana, Nebraska, North Carolina, Pennsylvania, Tennessee, West Virginia
At p=quarantine (not at full enforcement), 11 states: Arizona, Arkansas, Connecticut, Iowa (pct=75), Illinois (pct=75), Kentucky, Nevada, Ohio, Oregon, South Carolina, Utah
At p=none (monitoring only, spoofed mail delivered), 14 states: Alaska, California, Colorado, Idaho, Indiana, Maryland, Massachusetts, Mississippi, New Hampshire, North Dakota, South Dakota, Vermont, Virginia, Wisconsin
No DMARC record (6 states): Florida, Kansas, New Mexico, New York, Oklahoma, Wyoming
DNS timeout (inconclusive), 6 states: Georgia, Missouri, New Jersey, Rhode Island, Texas, Washington
Two of the largest states by population, California and New York, are either at p=none or have no record. Florida has no record. These three states alone represent roughly 80 million people receiving government communications from domains that can be freely impersonated.
Iowa and Illinois are at p=quarantine with pct=75, meaning 25% of failing messages bypass the policy. Three out of four spoofed government emails from those domains will be quarantined. One in four will be delivered.
Why federal agencies got ahead
CISA's Binding Operational Directive 18-01, issued in 2017, required all federal executive branch agencies to:
- Publish a DMARC record within 30 days
- Move to at least
p=nonewithin 90 days - Work toward
p=quarantineandp=reject
The result is visible in the data: federal agencies moved from near-zero enforcement to roughly 70% in the years following the mandate. The centralized coordination through OMB and CISA (which states don't have) accelerated the process.
Why states lag
No equivalent mandate. No state-level directive mirrors BOD 18-01. Some states have begun issuing similar guidance; most haven't. Without a binding requirement, email security competes with hundreds of other IT priorities.
Decentralized governance. State agencies within a single state often have independent IT departments, separate email systems, and their own procurement processes. The state portal domain may be managed by one agency while other agencies send email using the same root domain without central coordination.
Legacy infrastructure. State governments run some of the oldest email systems in production. Some agencies are still on on-premises Exchange deployments that predate modern DMARC tooling.
Budget and staffing constraints. State IT departments are chronically understaffed relative to the systems they manage. DMARC enforcement requires dedicated time for the sending-source audit, and that time often isn't available.
What the path forward looks like
CISA provides model guidance for state and local governments. NASCIO (National Association of State CIOs) has published DMARC recommendations. A few states have started issuing their own enforcement directives modeled on BOD 18-01.
The federal experience suggests mandates work. The 14 states at p=none have clearly published records and connected reporting; they've done the first half of the work. What's missing is the organizational directive to finish it.
Full state-by-state results are at the DMARC adoption research page. The DMARC checker shows any state agency domain's current policy.
