US Agencies Sprint to Implement DMARC Ahead of Jan. 15 Deadline
DMARC, the security protocol now mandated by the Department of Homeland Security, will now be in place across all government agencies. Will that be enough to stop hackers from impersonating government emails?
January 04, 2018 at 11:42 AM
U.S. government agencies are scrambling to implement Domain-based Message Authentication, Reporting, and Conformance (DMARC), a security protocol that can authenticate or reject the identity of email senders, ahead of a Jan. 15 deadline. The effort is part of a Department of Homeland Security (DHS) mandate issued last October requiring agencies using a .gov domain address to adopt two security protocols for web and email traffic.
The DMARC protocol is a way to cut down on email “spoofing,” where malicious users cloak their phishing attacks in an email address made to look like it's from a known or authorized server.
Spoofing, a common type of phishing attack, is of particular concern for government agencies. Marcus Christian, partner at Mayer Brown, explained that spoofing attacks using .gov domain names can often convince recipients to divulge personal information because of the sense of authority invoked by government association.
“For many people who receive emails from people who look like they're coming from government agencies, there's a certain official nature it takes on, so people let their guard down,” he said.
DHS issued its binding directive following a request last July from Sen. Ron Wyden, D-Oregon, that cited an increase in phishing attacks impersonating government agencies and the success of governmentwide DMARC implementation in the U.K.
Agencies have been working overtime to implement the protocol. Phishing security company Agari on Tuesday released a report noting that DMARC adoption among government agencies grew 13 percent between November and December last year.
Even so, government agencies and established security protocols aren't exactly a step ahead of cyberattackers. Last December, a German security researcher identified a set of vulnerabilities in email client applications that allow users to bypass anti-spoofing security protocols like DMARC.
Even without these vulnerabilities, DMARC is not a fail-safe method of ensuring hackers aren't imitating government agencies in phishing attacks. Christian explained that the protocol helps email servers recognize when they're receiving falsified messages, but it will not catch all of them. “Those emails would be caught more often. It's a way to screen out some of those emails,” he said.
“When one is looking at this, one should think this is a step forward, but it's not a panacea,” Christian said. “I think of this as one more approach to trying to combat cybercrime. In the broader scheme, it takes vigilance and persistence,” he later added.
Although government agencies routinely find themselves playing catch-up to the private sector in technology adoption, DMARC is one arena where they seem to be leading the way. Though many in the private sector use other security measures to avoid phishing and spoofing attacks, a Federal Trade Commission Office of Technology Research and Investigation (OTech) study released last March found that only one-third use DMARC, and only 10 percent use it at its most secure setting (rejecting unauthenticated emails).
Christian noted, however, that government agencies should continue to look ahead to other safety measures they might be able to take against cybercriminals. “This DMARC approach, this isn't something that was invented last week or last year; this is something that's been around for more than a decade. As we come up with new approaches, it's important to not only think about this thing but the next thing. The criminals are always thinking of ways to circumvent defenses,” he said.
© 2025 ALM Global, LLC, All Rights Reserved.