Industry Trends

How Federal Agencies Can Use FortiMail to Comply with BOD-18-01

By Felipe Fernandez | October 30, 2017

On October 16th, the U.S. Department of Homeland Security (DHS) announced its intention to have all federal agencies revamp their email security protocol. The Binding Operational Directive (BOD-18-01) will require all federal agencies to deploy STARTTLS, Secure Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) within three months of the directive’s announcement. While having these email security features enabled is generally considered to be a cybersecurity best practice, many federal organizations do not currently have them in place. In fact, data shows that 82 percent of federal organizations do not use the DMARC protocol.

This directive is a concentrated effort to reduce email spoofing, phishing, and similar cyberattacks that proliferate through email. Email is a notorious attack vector for cybercriminals, with phishing emails (emails that appear to be from a trusted source) often containing malicious links or attachments infected with malware and ransomware. In 2016, 93 percent of phishing emails contained ransomware, demonstrating the hugely damaging financial, reputational, and operational effects that an insecure email server can have on public and private organizations.

How the DHS Directive Improves Email Security

This directive represents a marked step forward in promoting strong cyber hygiene throughout federal agencies. Here’s how the protocols specified by the DHS directive work to improve email security through encryption and rules to identify legitimate domains.


Having STARTTLS enabled allows for an insecure, plain text message to be encrypted and secured in transit using SSL or TLS. While this protocol does not protect against active malicious attacks such as phishing or malware attached to the email, the encrypted message will be protected from the view of passive attackers who might be able to view traffic. It is important to note that STARTTLS does not necessarily encrypt all email. Rather, it must be enabled by a receiving mail server.  

  • Email Authentication

BOD-18-01 refers to both SPF and DKIM under the umbrella of email authentication. These two protocols make it easier to identify spam and phishing emails. When a federal agency sends an email, it will be affiliated with a certain identifier. Emails that lack this identifier can then be easily distinguished as unauthorized, unsecured emails.


DMARC plays the next role in email authentication. Federal organizations that deploy DMARC will be able to set rules for what is to be done with email messages that do not comply with the SPF and DKIM identifier. For example, when the DMARC policy is set to reject, messages that do not comply with SPF and DKIM will be turned away before they are delivered. Thus, DMARC protects against domain spoofing.  

Complying with BOD-18-01 Using FortiMail

Within the next three months, it is expected that all federal agencies will have rolled out STARTTLS, SPF, DKIM, and DMARC capabilities within their email servers.

The FortiMail Secure Email Gateway (SEG) offers federal agencies the ability to meet these requirements quickly and seamlessly. FortiMail can be deployed as a hardware appliance, virtualized appliance, or cloud service. Rather than replacing any existing security infrastructure already in place, SEG can be easily deployed alongside these systems to augment security features and markedly improve the catch rate of malicious emails.

FortiMail fully supports DMARC, SPF, DKIM, and STARTTLS, as well as other email forgery protection features. The SEG keeps threats from infecting federal servers with comprehensive antispam, antivirus, and antimalware defenses. The behavior-based defenses include tracking IP reputation in real-time, as well as email signature analysis to capture and reject malicious mail before it enters the server.

Fortinet’s recommended email security solutions include an optional Sandboxing service or local appliance for the most effective and real-time defense against malware and zero-day email threats. FortiSandbox uses Content Pattern Recognition Language (CPRL) pre-filtering to detect over 50,000 iterations of malicious code, as well as detecting and stopping malware and ransomware specifically designed to detect and evade sandbox environments. If suspicious code is detected, the Sandbox will entirely replicate the malicious code seeking to enter the network in real-time. If malware is discovered, FortiSandbox disseminates a signature to the rest of the network defenses to block similar attacks at different entryways. This dynamic intelligence sharing provides comprehensive security across closed and traditional networks.  

In addition to preventing malicious emails from entering federal agency servers, FortiMail also secures outgoing email, including the ability to monitor for sensitive content or regulatory violations and apply security policies based on that. FortiMail employs data loss prevention features and identity-based encryption to meet security compliance regulations and secure sensitive data communicated over email.

Final Thoughts 

This directive from the Department of Homeland Security aims to secure federal agency email servers from malicious emails, which is one of the top attack vectors exploited by cybercriminals. The fast turnaround they are requesting will require agencies to implement solutions that can be deployed seamlessly alongside existing systems while incorporating STARTTL and DMARC email authentication features. The FortiMail Secure Email Gateway offers easy deployment with these features, along with additional comprehensive email security features.

If you would like additional information about complying with BOD-18-01, please contact

Learn more about Fortinet Federal and its solutions for Federal agencies.