← Blog
State Governments Are 44 Points Behind Federal on DMARC Enforcement

By DMARCdrift Team

State Governments Are 44 Points Behind Federal on DMARC Enforcement

4 min readdmarcgovernmentresearch

Federal agencies are at 70% DMARC enforcement. State governments are at 26%. The same email technology, the same threat landscape, a 44-point gap. The difference is a binding directive issued in 2017.

A spoofed email from a state government portal (a benefits agency, tax authority, or DMV) will be delivered to the recipient's inbox in most states. Government impersonation is among the most effective phishing vectors: people respond to official-looking government mail in ways they don't respond to retail promotions.

The numbers

We checked all 50 state government portal domains in May 2026:

  • 26% at p=reject (13/50)
  • 76% have a DMARC record (38/50); deployment without enforcement
  • Federal .gov: ~70% at p=reject
  • Gap: 44 percentage points between state and federal enforcement

State by state

At p=reject (13 states): Alabama, Delaware, Hawaii, Louisiana, Maine, Michigan, Minnesota, Montana, Nebraska, North Carolina, Pennsylvania, Tennessee, West Virginia

At p=quarantine (not at full enforcement), 11 states: Arizona, Arkansas, Connecticut, Iowa (pct=75), Illinois (pct=75), Kentucky, Nevada, Ohio, Oregon, South Carolina, Utah

At p=none (monitoring only, spoofed mail delivered), 14 states: Alaska, California, Colorado, Idaho, Indiana, Maryland, Massachusetts, Mississippi, New Hampshire, North Dakota, South Dakota, Vermont, Virginia, Wisconsin

No DMARC record (6 states): Florida, Kansas, New Mexico, New York, Oklahoma, Wyoming

DNS timeout (inconclusive), 6 states: Georgia, Missouri, New Jersey, Rhode Island, Texas, Washington

Two of the largest states by population, California and New York, are either at p=none or have no record. Florida has no record. These three states alone represent roughly 80 million people receiving government communications from domains that can be freely impersonated.

Iowa and Illinois are at p=quarantine with pct=75, meaning 25% of failing messages bypass the policy. Three out of four spoofed government emails from those domains will be quarantined. One in four will be delivered.

Why federal agencies got ahead

CISA's Binding Operational Directive 18-01, issued in 2017, required all federal executive branch agencies to:

  1. Publish a DMARC record within 30 days
  2. Move to at least p=none within 90 days
  3. Work toward p=quarantine and p=reject

The result is visible in the data: federal agencies moved from near-zero enforcement to roughly 70% in the years following the mandate. The centralized coordination through OMB and CISA (which states don't have) accelerated the process.

Why states lag

No equivalent mandate. No state-level directive mirrors BOD 18-01. Some states have begun issuing similar guidance; most haven't. Without a binding requirement, email security competes with hundreds of other IT priorities.

Decentralized governance. State agencies within a single state often have independent IT departments, separate email systems, and their own procurement processes. The state portal domain may be managed by one agency while other agencies send email using the same root domain without central coordination.

Legacy infrastructure. State governments run some of the oldest email systems in production. Some agencies are still on on-premises Exchange deployments that predate modern DMARC tooling.

Budget and staffing constraints. State IT departments are chronically understaffed relative to the systems they manage. DMARC enforcement requires dedicated time for the sending-source audit, and that time often isn't available.

What the path forward looks like

CISA provides model guidance for state and local governments. NASCIO (National Association of State CIOs) has published DMARC recommendations. A few states have started issuing their own enforcement directives modeled on BOD 18-01.

The federal experience suggests mandates work. The 14 states at p=none have clearly published records and connected reporting; they've done the first half of the work. What's missing is the organizational directive to finish it.

Full state-by-state results are at the DMARC adoption research page. The DMARC checker shows any state agency domain's current policy.