# DMARC for Law Firms: Protect Client Trust & Privilege

Law firms are prime targets for business email compromise. Attackers impersonate partners and associates to redirect trust account deposits, steal case information, and intercept privileged communications. SimpleDMARC prevents anyone from sending email as your firm's domain.

- **73%** of law firm cyberattacks involve email as the initial vector
- **58%** of firms don't have DMARC at enforcement level

### Meet ABA Cybersecurity Obligations

Protect your clients, trust accounts, and reputation — with enterprise-grade email authentication requiring zero technical expertise.

## Frequently Asked Questions

### Why are law firms targeted for business email compromise (BEC)?

Law firms handle high-value financial transactions (real estate closings, M&A deals, trust account distributions) and highly confidential information. Attackers impersonate partners to redirect closing deposits, intercept settlement funds, and steal privileged case information. A single successful BEC attack on a law firm's trust account can result in losses of $1M+.

### Does the ABA require law firms to implement DMARC?

The ABA doesn't specifically mandate DMARC, but Model Rule 1.6 requires lawyers to make 'reasonable efforts' to prevent unauthorized disclosure of client information. ABA Formal Opinion 477R extends this obligation to electronic communications. DMARC is increasingly considered a baseline 'reasonable effort' for email security. Many malpractice insurance carriers now ask about DMARC during applications.

### How does DMARC protect trust accounts?

Trust account fraud typically starts with a spoofed email from partner@yourfirm.com instructing a staff member or client to wire funds to an attacker-controlled account. With DMARC at p=reject, this spoofed email never reaches the recipient: the receiving mail server checks your DMARC policy, sees that the message fails authentication for your domain, and rejects it. The fraudulent wire instruction is blocked before anyone sees it.
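The receiver-side check described above, as an added example (not SimpleDMARC's code): it parses a published DMARC record, tests SPF and DKIM alignment against the From domain, and returns the action the receiver takes. The domains and records are constructed samples, and the organizational domain is assumed to be the last two labels, where real receivers use the Public Suffix List.

```python
# Added example: simplified receiver-side DMARC evaluation (RFC 7489 logic).
# Assumption: organizational domain = last two labels (real receivers use the
# Public Suffix List). All domains and records below are constructed samples.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not valid DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_pass_domain=None, dkim_pass_domains=()):
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message.

    spf_pass_domain: MAIL FROM domain if SPF passed, else None.
    dkim_pass_domains: d= domains of the DKIM signatures that verified.
    """
    policy = parse_dmarc(record)
    if policy is None:
        return "none"  # no usable policy: receiver takes no DMARC action
    spf_ok = spf_pass_domain is not None and aligned(
        from_domain, spf_pass_domain, policy.get("aspf", "r"))
    dkim_ok = any(aligned(from_domain, d, policy.get("adkim", "r"))
                  for d in dkim_pass_domains)
    return "pass" if (spf_ok or dkim_ok) else policy["p"]

ENFORCED = "v=DMARC1; p=reject; rua=mailto:reports@yourfirm.example"  # constructed
MONITOR = "v=DMARC1; p=none; rua=mailto:reports@yourfirm.example"     # constructed

if __name__ == "__main__":
    # Spoof: From is the firm, but SPF passed only for the sender's own domain.
    print(dmarc_disposition(ENFORCED, "yourfirm.example", spf_pass_domain="attacker.example"))
    # Same spoof against a monitoring-only policy: reported, but still delivered.
    print(dmarc_disposition(MONITOR, "yourfirm.example", spf_pass_domain="attacker.example"))
    # Legitimate mail signed with the firm's DKIM key on a subdomain (relaxed alignment).
    print(dmarc_disposition(ENFORCED, "yourfirm.example", dkim_pass_domains=["mail.yourfirm.example"]))
```

The second call shows why the enforcement level matters: with p=none the same spoofed message is only reported, not blocked.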

### Is SimpleDMARC difficult to set up without dedicated IT staff?

No. Many law firms don't have in-house IT teams, which is why SimpleDMARC uses a hosted approach. Setup takes under 5 minutes: your domain registrar or IT provider adds one CNAME record, and all DMARC management happens in our dashboard. No DNS expertise, no server infrastructure, and no ongoing technical maintenance required.

### Does SimpleDMARC access our client communications?

No. SimpleDMARC never sees, stores, or processes email content. We only process email authentication metadata — sender IP addresses, domain names, and SPF/DKIM pass/fail results. No client communications, case information, or privileged materials are accessed. This is critical for maintaining attorney-client privilege.

### How does DMARC help with cyber insurance requirements?

Cyber insurance carriers increasingly require email authentication controls as part of their underwriting process. Having DMARC at p=reject demonstrates proactive risk management and can result in lower premiums. SimpleDMARC provides exportable compliance reports that document your DMARC enforcement status for insurance applications and renewals.
