Homeland Security Orders Spearphishing Defense

On October 16, 2017, the Department of Homeland Security issued Binding Operational Directive BOD-18-01 directing federal agencies to adopt new cybersecurity measures. One of these measures, DMARC, is intended to fight phishing. It is good to see the government addressing spearphishing. However, this measure will quickly prove to be ineffective against spearphishing attacks. Why? Because, as the DMARC specification tells us:

…DMARC can only be used to combat specific forms of exact-domain spoofing directly… DMARC does not attempt to solve all problems with spoofed or otherwise fraudulent email. In particular, it does not address the use of visually similar domain names ("cousin [...]
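The limitation quoted from the DMARC specification, shown as an added example that is not part of the original article: a mail-filter style check that separates From domains the protected domain's DMARC policy applies to from visually similar ones it never sees. The domain agency.example, the look-alike map, the distance threshold and all sample domains are constructed assumptions.

```python
import unicodedata

# Constructed look-alike map (assumption): a real filter would use the full
# Unicode confusables data rather than this handful of substitutions.
CONFUSABLES = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "5": "s",
     "\u0430": "a", "\u0435": "e", "\u043e": "o"})  # Cyrillic a, e, o

def skeleton(domain: str) -> str:
    """Fold a domain to a comparison form so visually similar names collide."""
    d = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    return d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(from_domain: str, protected: str) -> str:
    """Classify a From domain; `protected` is assumed to be the
    organizational domain that publishes the DMARC record."""
    f, p = (d.lower().rstrip(".") for d in (from_domain, protected))
    if f == p or f.endswith("." + p):
        # Exact-domain spoofing: receivers look up the protected domain's
        # policy, so DMARC can act on the message.
        return "dmarc-covered"
    sf, sp = skeleton(f), skeleton(p)
    if sf == sp or edit_distance(sf, sp) <= 2:  # threshold is a constructed choice
        # Cousin domain: its registrant publishes its own SPF/DKIM/DMARC
        # records, so the protected domain's policy is never consulted.
        return "cousin-domain"
    return "unrelated"

# Constructed sample From domains.
SAMPLES = ["agency.example", "mail.agency.example", "agency.exarnple",
           "ag\u0435ncy.example", "agencv.example", "weather.example"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:28} {classify(s, 'agency.example')}")
```

Messages classified as cousin-domain need a control other than DMARC, such as look-alike flagging at the gateway, because they can pass authentication for the domain they actually use.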