Skip to main content

Domain Confessions #2

The Intelligence Agency That Chose to Watch

Published March 19, 2026 · All data from public DNS records · Independently verifiable

In October 2017, the Department of Homeland Security issued Binding Operational Directive 18-01, requiring every federal executive branch agency to implement DMARC with a policy of p=reject within 90 days.

Eight years later, in a survey of 13 major federal agencies and intelligence organizations, every agency has complied. The NSA, the FBI, the State Department, the Secret Service, CISA itself — all at p=reject.

Every agency in our survey except two: the Central Intelligence Agency and the Office of the Director of National Intelligence.

Before you conclude they failed, look at what they are doing.

What a Compliance Scanner Would Tell You

Every automated compliance tool on the planet flags cia.gov the same way: DMARC policy not set to reject. Non-compliant with BOD 18-01. Medium or high severity. Red badge. Failed.

And if you stopped there — if you took that at face value and moved on — you would be making the same mistake that most of the security industry makes every day. You would be checking a box without reading the record.

Read the Record

Here is the CIA’s actual DMARC record, pulled from public DNS on March 19, 2026:

Host: _dmarc.cia.gov
Record: v=DMARC1; p=quarantine; sp=quarantine; pct=100;
  rua=mailto:demarcreports@uce.cia.gov;
  ruf=mailto:demarcfailures@uce.cia.gov;
  ri=86400; aspf=s; adkim=s; fo=1

Now read it slowly. This is not a misconfiguration. This is a configuration.

  • p=quarantine — Spoofed messages are not rejected at the SMTP layer. They are quarantined. The receiving mail server still processes them.
  • ruf=mailto:demarcfailures@uce.cia.govForensic failure reports enabled. Every authentication failure generates a detailed report sent directly to CIA. Most organizations disable ruf because of privacy concerns. CIA wants it.
  • fo=1 — Generate a forensic report if any authentication mechanism fails. Not just when all fail. Maximum forensic coverage.
  • aspf=s; adkim=sStrict SPF and DKIM alignment. This is harder than the default relaxed mode. More messages will fail alignment. More messages failing alignment means more forensic reports generated.
  • pct=100 — Full coverage. No sampling. Every message is evaluated.
  • ri=86400 — Aggregate reports every 24 hours. Daily intelligence feed.

The strictest possible alignment settings. Forensic reports on any failure. Full coverage. And then — quarantine instead of reject.

This configuration maximizes the telemetry about who is attempting to spoof cia.gov.

They Are Not Alone

We surveyed DMARC records across 13 federal agencies and intelligence organizations. Here is what we found:

DMARC posture survey of 13 federal agencies and intelligence organizations, March 19, 2026. Highlighted rows indicate agencies at quarantine.
Agency Policy Forensic Reports fo= Alignment Core Mission
CIA quarantine ruf= yes fo=1 Strict (s/s) Intelligence Collection
ODNI quarantine ruf= yes fo=1 Relaxed (r/r) IC Oversight
NSA reject ruf= yes fo=1 SIGINT / Cyber Defense
FBI reject ruf= yes Law Enforcement
DHS reject ruf= yes Homeland Security
Treasury reject ruf= yes fo=1 Financial
CISA reject no ruf Cyber Defense (authored BOD 18-01)
State reject no ruf Diplomacy
Defense reject no ruf fo=1 Military
DIA reject no ruf fo=1 Defense Intelligence
Secret Service reject no ruf Protection / Financial Crimes
NGA reject no ruf Geospatial Intelligence
NRO reject no ruf Satellite Reconnaissance

Of the 13 agencies surveyed, two are at quarantine. Both are intelligence collection organizations. Every other agency in our sample — including agencies with their own intelligence mandates (NSA, DIA, NGA, NRO) — has moved to reject.

The NSA is particularly instructive: they enforce and collect. p=reject with ruf= and fo=1. Their dual mandate (SIGINT collection and cyber defense via CSS/CNMF) is reflected in a configuration that rejects spoofed mail but still harvests forensic intelligence about the attempts. But the CIA and ODNI chose differently.

The Operational Security Perspective

We are not inside the CIA. We cannot confirm intent. What we can do is read public DNS records and observe what the configuration does.

Here is what p=quarantine does that p=reject does not:

  • With p=reject, the receiving mail server drops the message at the SMTP level. The message is never processed. Some receiving servers may not generate forensic reports for rejected messages — the transaction ends before the data that populates a forensic report is fully available.
  • With p=quarantine, the receiving mail server accepts the message, processes it, and moves it to quarantine (spam/junk). The message is processed far enough for the receiver to generate a detailed forensic report including headers, alignment results, and authentication outcomes.

If your core mission is to understand who is attempting to impersonate your domain, what infrastructure they are using, and how their operations evolve — quarantine preserves that visibility. Reject can reduce it.

Combine this with strict alignment (aspf=s; adkim=s), which is harder than the default and causes more messages to fail alignment, and fo=1, which generates forensic reports on any single mechanism failure, and the result is a configuration optimized for maximum forensic intelligence collection.

The SPF Question

CIA’s SPF record is v=spf1 mx -all — the tightest possible configuration. Only their own mail servers are authorized; everything else is a hard fail. A reasonable question arises: RFC 7489 notes that -all can cause some receiving servers to reject messages during the SMTP transaction, before DKIM is evaluated and before DMARC can assess the result. If CIA depends on DMARC forensic reports, does -all break that?

In practice, no. DMARC forensic reports are generated by receiving mail servers — Gmail, Microsoft 365, Yahoo, and other major providers that handle the vast majority of global email. These modern implementations evaluate DMARC fully (including DKIM) before making a disposition decision, regardless of the SPF result. The receivers that might reject prematurely on -all are typically older or custom SMTP implementations that would not generate DMARC forensic reports in any case.

The result: mx -all combined with p=quarantine and strict alignment creates a layered posture. SPF provides the tightest possible sender authorization. DMARC provides the monitoring layer that captures forensic intelligence about authentication failures. The two mechanisms complement rather than conflict — the -all hardens the perimeter while quarantine preserves the visibility window with the receivers that matter.

The Legal Context

BOD 18-01 applies to federal executive branch agencies. The CIA operates under unique presidential authorities established by the National Security Act of 1947 and Executive Order 12333. Whether BOD 18-01 applies to the CIA in the same way it applies to other executive agencies is a question of legal authority, not technical compliance. The CIA reports directly to the President and has operational authorities that other agencies do not.

ODNI, as the coordinator of the entire Intelligence Community, occupies a similar position of authority over intelligence operations.

How I Got Here

In 2020, when I started building DNS Tool, one of the first things I did was pull the DNS records of government agencies. My reasoning was simple: the CIA is a national intelligence agency. They have to be good at security. If I can learn from their configurations, I should.

So I started investigating. Everything I found that looked like best practice, I implemented on my own domains. SPF hard fail. DMARC reject. DNSSEC. CAA. MTA-STS. I modeled my security posture after the agencies that take this seriously.

Years later, when I built the ICSAE — the Intelligence Compliance and Standards Assessment Engine — the engine flagged cia.gov for not having DMARC reject. And my first reaction was the same as anyone’s: “Even the CIA messed this up?”

But I sat with it. I looked at the full record. And it hit me. The strict alignment. The forensic reports. The report-on-any-failure flag. This is not a misconfiguration. This is a posture. They are the Central Intelligence Agency. Their directive — their reason for existing — is intelligence collection. Of course they want to watch.

The lesson I took from this changed how I think about compliance: a rigid checklist that stamps “FAIL” on a deliberately chosen security posture is not doing security analysis. It is doing checkbox validation. And those are very different things.

— Carey James, Founder · DNS Tool

The Lesson for Every Domain Owner

We are not suggesting that you weaken your DMARC policy. For the vast majority of domains, p=reject is the correct posture. It protects your brand, your users, and your reputation.

What we are suggesting is this:

  1. Read the record, not just the badge. A compliance scanner that says “FAIL” is giving you a data point, not a conclusion. The conclusion requires context.
  2. Understand the tradeoff. Enforcement protects. Monitoring reveals. Both have value. The question is which serves your mission.
  3. Understand the forensic reporting landscape. The ruf= tag requests forensic failure reports, and the agencies that are serious about understanding their threat landscape enable it. However, RFC 7489 §7.3 warns that forensic reports can expose PII, and major consumer mailbox providers — Google, Microsoft, and Yahoo — do not honor ruf= requests. The DMARCbis draft has formally removed ruf= from the specification. For the CIA, this limitation may matter less: intelligence agencies communicate with government, military, and contractor mail systems that do generate forensic reports — and those are exactly the senders they want telemetry about. The lesson is contextual: ruf= is not universally effective, but it is not universally dead either. Its value depends on who sends mail to your domain.
  4. Strict alignment is underused. aspf=s; adkim=s is harder to configure correctly, but it eliminates ambiguity. If the agencies that handle classified information use strict alignment, it is worth your consideration.

Why This Matters for DNS Tool

This investigation is why we built the ICSAE — Intelligence Compliance and Standards Assessment Engine. A rigid compliance checker would flag CIA as “failed” and move on. Our engine is designed to report both axes:

  • Normative result: Does the record meet the stated standard? (In this case: no, per BOD 18-01.)
  • Contextual interpretation: Is there evidence that the configuration is deliberate? (In this case: the combination of strict alignment, forensic reporting, and full-coverage monitoring is consistent with a telemetry-optimized posture.)

Both answers are true simultaneously. The record does not meet BOD 18-01 requirements. And the record is configured in a way that is consistent with deliberate intelligence collection. These are not contradictory statements — they are two dimensions of the same observation.

That is what intelligence analysis looks like. Not a checkbox. A calibrated assessment with cited evidence and stated confidence.

Verify It Yourself

Every observation in this case study is derived from public DNS records. You can reproduce every finding with standard tools:

# CIA DMARC record
dig TXT _dmarc.cia.gov +short

# ODNI DMARC record
dig TXT _dmarc.dni.gov +short

# NSA (reject + forensic reports)
dig TXT _dmarc.nsa.gov +short

# FBI
dig TXT _dmarc.fbi.gov +short

# CISA (authored BOD 18-01)
dig TXT _dmarc.cisa.gov +short

# Compare any agency
dig TXT _dmarc.[agency].gov +short

DNS records are public by design. The Domain Name System is an open, distributed, queryable database. That is not an accident. It is the architecture.

References

  • DHS Binding Operational Directive 18-01, “Enhance Email and Web Security,” October 16, 2017. cisa.gov/news-events/directives/bod-18-01
  • Kucherawy, M. and Zwicky, E., “Domain-based Message Authentication, Reporting, and Conformance (DMARC),” RFC 7489 (Informational, March 2015). datatracker.ietf.org/doc/html/rfc7489
  • Kitterman, S., “Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1,” RFC 7208 (Proposed Standard, April 2014). datatracker.ietf.org/doc/html/rfc7208
  • National Security Act of 1947, 50 U.S.C. §§ 3001–3234.
  • Executive Order 12333, “United States Intelligence Activities,” December 4, 1981 (as amended).
  • draft-ietf-dmarc-dmarcbis, “Domain-based Message Authentication, Reporting, and Conformance (DMARC),” IETF Working Group Draft. datatracker.ietf.org/doc/draft-ietf-dmarc-dmarcbis
Scan Your Domain Our Methodology Domain Confessions #1
Straight talk about your data.

We use two cookies, both essential:

  • _csrf — Prevents cross-site request forgery. Required for form submissions. Security-only.
  • _dns_session — Only exists if you choose to sign in. No account required to use DNS Tool.

We log your IP address for two reasons: rate limiting (so nobody abuses the service) and security (identifying malicious actors and complying with legal obligations). We check source geography for analysis accuracy — DNS responses vary by region, and knowing which resolver answered from where makes the science better.

No tracking cookies. No analytics cookies. No ad networks. No data brokers. Our code is open-core — the application framework is publicly available under BUSL-1.1 with timed Apache-2.0 conversion. Verify it yourself.

If you create an account and want out, account deletion removes your login and scan history. Public domain analyses remain available because they contain only public DNS records, already hashed. Full details: Privacy Policy.