Federal Risk and Authorization Management Program
FedRAMP establishes the security assessment, authorization, and continuous monitoring framework for cloud products and services used by US federal agencies. Its baselines are built from NIST SP 800-53 controls, and for email and web security it is shaped by DHS Binding Operational Directive 18-01, which required SPF, DMARC (moving to p=reject within a year) and STARTTLS for all federal executive branch domains, along with HTTPS and HSTS for their public web services. BOD 18-01 binds agencies rather than vendors, but cloud service providers (CSPs) seeking FedRAMP authorization are held to the same bar for the domains inside their authorization boundary, which makes FedRAMP one of the most demanding frameworks for email security.
| Protocol | Requirement | Details |
|---|---|---|
| SPF | Required | NIST SP 800-53 control SI-8 (Spam Protection) does not name SPF, but FedRAMP assessors read it together with the NIST SP 800-177 email authentication guidance and BOD 18-01, so SPF is in practice mandatory. All domains operated by FedRAMP-authorized CSPs must publish SPF records that restrict authorized senders and end in "-all". Non-sending domains must publish exactly "v=spf1 -all". |
| DMARC | Required | DMARC with p=reject is required per BOD 18-01 and NIST SP 800-177; pct must be 100 and any sp= tag must not be weaker than reject, otherwise the policy is not actually enforced. FedRAMP assessors verify DMARC enforcement during the initial authorization and in continuous monitoring. Aggregate reporting (rua) must be configured to a monitored mailbox. |
| DKIM | Required | DKIM is required under the NIST SP 800-177 guidance incorporated into the FedRAMP baseline. CSPs must sign all outbound email with RSA keys of at least 2048 bits, publish the matching selector records, and rotate keys on a defined schedule. |
| SSL/TLS | Required | TLS 1.2 or higher is required under NIST SP 800-52 Rev. 2 (which also calls for TLS 1.3 support) and FedRAMP's SC-8 (Transmission Confidentiality and Integrity) control. SSL 2.0/3.0 and TLS 1.0/1.1 must be disabled. Under SC-13 (Cryptographic Protection), FIPS 140-2/140-3 validated cryptographic modules are required at every FedRAMP baseline (Low, Moderate and High), not only High. |
| Security Headers | Required | No single control names HTTP security headers; they are assessed under NIST SP 800-53 SC-8 (HSTS, which keeps browsers on TLS), SI-10 (Information Input Validation, where Content-Security-Policy lands) and CM-6 (Configuration Settings) in the FedRAMP configuration management baseline, and BOD 18-01 separately required HSTS on federal web services. CSPs must implement HSTS, CSP, and the other headers listed below on all web applications in the authorization boundary. |
| DNSSEC | Required | DNSSEC is required under NIST SP 800-53 controls SC-20 (Secure Name/Address Resolution Service - Authoritative Source) and SC-21 (Secure Name/Address Resolution Service - Recursive or Caching Resolver). All authoritative DNS zones must be signed and resolvers inside the boundary must validate signatures; an unsigned zone lets anyone who can spoof DNS answers replace the very SPF, DKIM and DMARC records the other controls depend on. |
Publish DMARC records with p=reject on all domains operated by the CSP, including non-sending domains, with pct at 100 and no sp= tag weaker than reject. Configure rua reporting to a monitored address and actually review the aggregate reports. BOD 18-01 set p=reject as the required end state for agency domains, and FedRAMP assessors apply the same bar to CSP domains in the authorization boundary.
Publish SPF records ending in "-all" on all domains, with exactly "v=spf1 -all" on non-sending domains. Enable DKIM signing with 2048-bit RSA keys. Make sure the RFC5321.MailFrom domain (checked by SPF) and the DKIM d= domain align with the visible From: domain so DMARC passes; either aligned pass is enough, but both should pass so that forwarding, which breaks SPF, does not turn legitimate mail into rejections.
Configure all endpoints with TLS 1.2 as the minimum and offer TLS 1.3. Use FIPS 140-2/140-3 validated cryptographic modules at every baseline, not only High. Disable SSL 2.0/3.0, TLS 1.0/1.1, and weak cipher suites (RC4, 3DES, export and NULL ciphers). Deploy STARTTLS on mail servers.
Sign all DNS zones with DNSSEC per NIST SP 800-53 controls SC-20 and SC-21, and keep the DS records at the parent current through every key rollover: an expired or mismatched signature makes validating resolvers discard the whole zone, SPF, DKIM and DMARC records included. This is particularly important for zones hosting those records. Ensure DNSSEC validation is enabled on all recursive resolvers.
Implement HSTS (with includeSubDomains, preload, and a max-age of at least one year, which the preload list requires), Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy on all web applications within the authorization boundary.
Set up automated monitoring for email authentication, TLS, and DNSSEC configurations. Any degradation is a finding that must be tracked in the Plan of Action and Milestones (POA&M) and remediated within FedRAMP's timelines (30 days for High, 90 days for Moderate and 180 days for Low severity findings). Monthly scanning reports support the continuous monitoring requirement.
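The record-level checks behind the steps above, including the degradation case the monitoring step describes, as an added example that is not part of the original page or of the Domain Security Scanner product: a small Python module that evaluates SPF, DMARC and DKIM TXT records against the stated bar (terminal "-all", p=reject with pct=100 and no weaker sp=, rua configured, RSA keys of at least 2048 bits). The domain names and record strings are constructed for illustration, and the DKIM keys are structurally valid SubjectPublicKeyInfo blobs with a fake modulus, not real signing keys. A production monitor would fetch the TXT records through a DNSSEC-validating resolver and hand them to the same functions.

```python
"""Evaluate SPF, DMARC and DKIM TXT records against the -all / p=reject / 2048-bit bar above."""
import base64


def parse_tags(record):
    """Split a DMARC/DKIM 'tag=value; tag=value' record into a dict (tag names lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _der(tag, value):
    """Encode one DER TLV with a minimal definite length (only used to build sample keys)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        size = 1 if n < 0x100 else 2  # 0x81 / 0x82: that many length bytes follow
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + value


def _der_read(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_base64):
    """Bit length of the RSA modulus inside a DKIM p= value (base64 SubjectPublicKeyInfo DER)."""
    _, spki, _ = _der_read(base64.b64decode(p_base64), 0)  # SubjectPublicKeyInfo SEQUENCE
    _, _, after_alg = _der_read(spki, 0)                   # AlgorithmIdentifier, skipped
    _, bitstr, _ = _der_read(spki, after_alg)              # BIT STRING subjectPublicKey
    _, rsa_pub, _ = _der_read(bitstr, 1)                   # byte 0 = unused bits, then RSAPublicKey
    _, modulus, _ = _der_read(rsa_pub, 0)                  # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def fake_dkim_record(bits):
    """Constructed DKIM TXT record whose RSA modulus has exactly `bits` bits. NOT a real key."""
    n_bytes = ((1 << (bits - 1)) | 1).to_bytes((bits + 7) // 8, "big")  # top bit set
    if n_bytes[0] & 0x80:  # DER INTEGER is signed: pad a positive value with a 0x00 byte
        n_bytes = b"\x00" + n_bytes
    rsa_pub = _der(0x30, _der(0x02, n_bytes) + _der(0x02, b"\x01\x00\x01"))  # n, e = 65537
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))  # rsaEncryption
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


def check_domain(spf, dmarc, dkim=None, sends_mail=True):
    """Return a list of findings; an empty list means the domain meets the bar described above."""
    findings = []
    # SPF: a v=spf1 record ending in -all; a non-sending domain publishes exactly "v=spf1 -all".
    if spf is None or not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no v=spf1 record")
    else:
        terms = spf.split()
        if terms[-1].lower() != "-all":
            findings.append(f"SPF: terminal mechanism is '{terms[-1]}', not '-all'")
        elif not sends_mail and len(terms) != 2:
            findings.append("SPF: non-sending domain must publish exactly 'v=spf1 -all'")
    # DMARC: p=reject on 100% of mail, no weaker sp= for subdomains, rua= reporting configured.
    d = parse_tags(dmarc or "")
    if d.get("v") != "DMARC1":
        findings.append("DMARC: no v=DMARC1 record")
    else:
        if d.get("p", "").lower() != "reject":
            findings.append(f"DMARC: p={d.get('p', '<missing>')}, required p=reject")
        if "sp" in d and d["sp"].lower() != "reject":
            findings.append(f"DMARC: sp={d['sp']} weakens the policy for subdomains")
        if d.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={d['pct']} applies the policy to only part of the mail")
        if not d.get("rua", "").startswith("mailto:"):
            findings.append("DMARC: no rua= aggregate reporting address")
    # DKIM: a sending domain needs a selector record whose RSA key is at least 2048 bits.
    if sends_mail:
        k = parse_tags(dkim or "")
        if not k.get("p"):
            findings.append("DKIM: no selector record with a public key")
        elif k.get("k", "rsa").lower() == "rsa" and rsa_modulus_bits(k["p"]) < 2048:
            findings.append(f"DKIM: RSA key is {rsa_modulus_bits(k['p'])} bits, minimum 2048")
    return findings


# Constructed sample records for three hypothetical domains inside a CSP's authorization boundary.
RUA = "rua=mailto:dmarc-rua@csp.example"
COMPLIANT = check_domain("v=spf1 include:_spf.csp.example -all", f"v=DMARC1; p=reject; {RUA}",
                         dkim=fake_dkim_record(2048))
PARKED = check_domain("v=spf1 -all", f"v=DMARC1; p=reject; {RUA}", sends_mail=False)
# The degradation case from the monitoring step: policy relaxed to p=none, old 1024-bit key.
DRIFTED = check_domain("v=spf1 include:_spf.csp.example ~all", "v=DMARC1; p=none; pct=50",
                       dkim=fake_dkim_record(1024))

if __name__ == "__main__":
    for name, findings in (("csp.example", COMPLIANT), ("parked.csp.example", PARKED),
                           ("legacy.csp.example", DRIFTED)):
        print(name, findings or "OK")
```

Running the module prints each sample domain with its findings. The 1024-bit key and the pct=50 tag are the two conditions that a naive "is p=reject present" check would miss, which is why the key length is read out of the DER structure rather than inferred from the record's length. Feed the returned findings list, not the printout, into the POA&M tracking.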
Use Domain Security Scanner reports as evidence for your FedRAMP audit. Pro and Agency plans include PDF export for compliance documentation.
Run a free scan to see how your domain's email authentication measures up against FedRAMP requirements.
FedRAMP requires the full suite of email authentication plus the transport and DNS controls it depends on: SPF ending in "-all", DKIM with 2048-bit keys, DMARC with p=reject, STARTTLS on mail servers, TLS 1.2+ on all endpoints, DNSSEC on all authoritative zones, and security headers on all web applications. These requirements derive from NIST SP 800-53 controls, the NIST SP 800-177 email guidance and BOD 18-01. FedRAMP is one of the most demanding frameworks for email security.
DHS Binding Operational Directive 18-01 mandated SPF, DMARC (ultimately p=reject) and STARTTLS for all federal executive branch agency domains. The directive binds agencies, not vendors, but because FedRAMP-authorized cloud services handle federal data, agencies and assessors expect them to meet the same standards, and gaps found during the authorization process are documented in the Security Assessment Report and tracked in the POA&M until remediated.
FedRAMP requires continuous monitoring. If an email authentication configuration degrades (for example, a DMARC policy reverting from reject to none, or a DKIM selector disappearing when a mail vendor changes), the finding must be documented in the CSP's Plan of Action and Milestones (POA&M) and remediated within the prescribed timeline. Domain monitoring tools that alert on configuration changes are essential for meeting this requirement.