Login.gov intends to publish a DMARC policy to tell email receivers to send reports to the vendor. When email providers receive email that purports to be From @login.gov, they will send information to the vendor selected by Login.gov's policy.
Email providers will:
- Send aggregate reports of how many messages passed or failed DMARC checks
- Send forensic reports only for fraudulent messages that failed authenticity checks.
These reports commonly include message headers and metadata, but not message content.
The Government is currently performing market research to determine industry capabilities in:
- The DMARC vendor receives these aggregate reports and forensic reports, and creates analytics dashboards and performance over time
- Login.gov team members then can view these aggregate reports and forensic reports
All information flows from email providers to the DMARC vendor, so Login.gov is not sharing any additional information with third parties, only directing third parties in how they may share these reports. The aggregate reports do not contain any PII.
Forensic reports typically contain email headers, which can contain email addresses and information about what email servers a message passed through. But these reports are only sent for messages that fail authenticity checks, which could happen if the message was truly fraudulent, or the email provider modified the message to invalidate the email signatures, or if Login.gov made a major programming error and was not correctly signing messages.
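As an added illustration (not part of the original notice and not any vendor's code), the following shows the kind of pass/fail tally a dashboard derives from one aggregate report in the RFC 7489 XML layout. The report, its IP addresses, the published policy value, and the names `SAMPLE_REPORT` and `summarize` are constructed for this example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout (not a real report).
# IPs are documentation addresses; the published policy value is an assumption.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>login.gov</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>login.gov</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>4</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>login.gov</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>9</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>login.gov</header_from></identifiers>
  </record>
</feedback>"""


def summarize(report_xml):
    """Tally DMARC pass/fail message counts and failing sources from one report."""
    # Reports arrive from outside parties: refuse DTDs so entity tricks never parse.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("unexpected DTD in aggregate report")
    root = ET.fromstring(report_xml)
    totals, failing_sources = Counter(), Counter()
    for rec in root.iter("record"):
        count = int(rec.findtext("row/count", "0"))
        source = rec.findtext("row/source_ip", "unknown")
        # DMARC passes when either aligned check (DKIM or SPF) passes.
        evaluated = (rec.findtext("row/policy_evaluated/dkim"),
                     rec.findtext("row/policy_evaluated/spf"))
        if "pass" in evaluated:
            totals["pass"] += count
        else:
            totals["fail"] += count
            failing_sources[source] += count
    return {"domain": root.findtext("policy_published/domain"),
            "pass": totals["pass"], "fail": totals["fail"],
            "failing_sources": dict(failing_sources)}


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Each record in the sample carries only a sending IP, a message count and the evaluated results, which is what lets a dashboard show the failing source without handling message content.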
Interested vendors should respond to this request for information by:
- Emailing the contracting officer a written response at [email protected]
- Outlining their potential solution including technical details and pricing
- Providing their identifying information
This is a request for information only. Responders will be notified if/when the Government follows the request for information with a procurement action.