Senator Calls For U.S. Government To Adopt DMARC

Democratic Senator Ron Wyden of Oregon sent an open letter to the Department of Homeland Security (DHS) this week calling on the U.S. government to adopt DMARC immediately to protect government agencies from phishing scams and email fraud.

“I write to ask you to take immediate steps to ensure that hackers cannot send emails that impersonate federal agencies,” begins Wyden’s letter. “Industry-standard technologies exist, and are already used throughout the private sector and even by a few federal agencies, which, if enabled, would make it significantly harder for fraudsters and foreign governments to impersonate federal agencies.” 

Wyden is calling for a government-wide implementation of DMARC, or Domain-based Message Authentication, Reporting and Conformance. DMARC is an email authentication, policy, and reporting protocol that builds on DKIM and SPF to further detect and prevent email spoofing. Proper implementation of DMARC can also significantly boost email deliverability rates, because email service providers (ESPs) know those emails are trustworthy and unlikely to be malicious.

“Phishers often take advantage of how easy it is to forge the 'From' address in emails, which is exactly what DMARC prevents,” explains Alexander Garcia-Tobar, CEO and co-founder of email security startup ValiMail, a company that specializes in email authentication and offers a solution that automatically configures and maintains the implementation of DMARC, SPF, and DKIM records.

“The FBI reports that impersonation attacks are rising in frequency and cost the U.S. billions each year,” says Garcia-Tobar. “It’s time for all U.S. commercial and government organizations to do their part and lock down their domains, enforce industry standards like DMARC, and prevent their own brands from being used to attack anyone on the Internet, including employees, customers, partners and innocent bystanders.”

Although it is unknown whether DMARC could have prevented Russian interference in the 2016 United States presidential election, Garcia-Tobar says DMARC makes phishing much more difficult to achieve because hackers are restricted to using non-protected domain names.

“We see from our customers' data that U.S. organizations and brands are frequent targets of impersonation (modern phishing) attempts from Russia,” says Garcia-Tobar. “We also know that Russian hackers impersonated a Kennedy School of Government professor to target U.S. think tanks in November. We know that hackers used emails that appeared to come from election vendor VR Systems to target U.S. elections officials earlier that year.”

Like many companies, VR Systems does not have a working DMARC record, according to ValiMail’s online DMARC checker.
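A sketch of the decision a DMARC record check has to make, added here as an example and not taken from ValiMail's tool or from the article. It follows the record syntax in RFC 7489; the status names, the helper functions and the sample records for placeholder domains are assumptions constructed for this example.

```python
# Added example: classify the TXT answers returned for _dmarc.<domain>.
# Status names are this example's own; sample records are constructed.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Return the record's tags as a dict, or None if it is malformed."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # the version tag must come first and match exactly
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if not sep:
            return None  # a tag without '=' is a syntax error
        tags.setdefault(key.strip().lower(), value.strip())
    return tags

def classify(txt_records):
    """Map a domain's _dmarc TXT records to one of five statuses."""
    dmarc = [r for r in txt_records if r.replace(" ", "").startswith("v=DMARC1")]
    if len(dmarc) != 1:
        return "missing"  # RFC 7489: zero or several records means no policy
    tags = parse_tags(dmarc[0])
    if tags is None or tags.get("p", "").lower() not in VALID_POLICIES:
        return "invalid"  # simplification: no fallback to p=none via rua
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    if tags["p"].lower() == "none":
        return "monitor-only"  # reports only; receivers are asked to take no action
    return "enforcing" if pct == 100 else "partial"

SAMPLES = {  # constructed records for placeholder domains
    "no-record.example": ["v=spf1 -all"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "typo.example": ["v=DMARC1; p=block"],
    "rollout.example": ["v=DMARC1; p=quarantine; pct=25"],
    "locked.example": ["v=DMARC1; p=reject"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(f"{domain:20} {classify(records)}")
```

Only the `enforcing` status asks receivers to quarantine or reject every message that fails the check; a domain can publish a syntactically valid record and still be `monitor-only`.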
