Sign in
  • Home
  • Products
    • Enforce
    • DMARC Monitor
    • Instant SPF
    • Amplify
  • Solutions
    • Anti-phishing
    • Brand protection
    • Compliance
    • Government
    • Marketing
    • Microsoft
    • Shadow IT
  • About
    • News + awards
    • Partners
    • Team
    • Careers
    • Industry leadership
    • Customer support
  • Learn
    • Resources
    • Blog
    • Customers
  • Support
Request phishing analysis
  • Products
    • Enforce
    • DMARC Monitor
    • Instant SPF
    • Amplify
  • Solutions
    • Anti-phishing
    • Brand protection
    • Compliance
    • Government
    • Marketing
    • Microsoft
    • Shadow IT
  • About
    • News + awards
    • Partners
    • Team
    • Careers
    • Industry leadership
    • Customer support
  • Learn
    • Resources
    • Blog
    • Customers
  • Get started for free
  • Support
  • Sign in
Check to see if you’re protected
☰
Check to see if you’re protected
Share this article
Related posts
  • Blog
    Research: Only 22 of the top 100 retailers are protected by DMARC
  • Blog
    DMARC authentication gets you the deliverability you deserve
  • Blog
    How vulnerable are U.S. election operations to email spoofing?
Valimail blog

How vulnerable are states to election interference from spoofed email?

Author: Dylan Tweney
Closeup of a Vote by Mail envelope, official balloting material - business reply mail, USPS first class mail.

Valimail has been monitoring the usage of email authentication technologies in election infrastructure for several years now.

Our analysis shows that, at virtually every level of the American election infrastructure, there is massive vulnerability to email impersonation. This is due largely to the poor penetration of email authentication standards that can prevent spoofing: DMARC, SPF, and DKIM.

Next week, we’ll publish a detailed report on our findings. This week, we’re providing a preview showing some of the data from our upcoming report.

(Download the full report here: 2020 Election Infrastructure Remains Vulnerable to Email Hacking)

To get a bird’s-eye view of the state of email security leading up to the election, Valimail examined a set of 153 domains owned by U.S. states, including .gov and .us variants of state names and two-letter state abbreviations (newjersey.gov, ca.gov, oh.us, and so forth). These domains represent state governments at their highest levels, and in addition, are sometimes used (via subdomains) for county and local services. While these don’t exhaust the universe of state-owned domains, this list is a good proxy for how well states are doing to protect their “digital brands.”

Valimail analysis shows that these states are, in general, not doing much to protect their brands. Only 5 of these domains, or 3.3%, are protected from spoofing by DMARC that is correctly configured, and set to an enforcement policy (p=reject or p=quarantine): nj.gov, alabama.gov, wv.gov, missouri.gov, and al.gov.

(You can check these domains yourself by entering them into our DMARC checker, which provides an instant analysis of data publicly available in DNS for any domain on the internet.)

Another 34 domains (22.2%) have valid DMARC records but are not configured with an enforcement policy — they have policies in “monitor mode,” or p=none, which means that spoofed messages that appear to come from that domain are still likely to be delivered as normal.

Another 6 domains (3.9%) have DMARC records that are incorrectly configured. And the vast majority, 108 domains (70.6%) lack DMARC altogether.

While state governments often follow the federal government’s lead in deploying security technology, this is not the case here. Nearly 80% of federal government domains are protected by DMARC at enforcement, thanks to a 2017 order from the Department of Homeland Security mandating this technology. (One notable exception: Whitehouse.gov is still unprotected.) State governments have not yet prioritized this aspect of email security.

pie chart showing DMARC enforcement rates for US state domains

State domains also have a low rate of SPF usage. This older, better-understood standard is a widely understood marketing best practice, as it can help improve email deliverability. But as state governments are not marketing-driven organizations, it’s not surprising that penetration of this technology is shallower here.

pie chart showing SPF usage among state domains

The impact of this security oversight on the U.S. election is uncertain. In the U.S., most elections are administered at the local level, so state domains have a limited role to play in the election.

However, it’s not inconceivable to imagine a disinformation campaign aimed at suppressing voter turnout or sowing uncertainty about election results that utilized a state-owned domain. For example, an adversary might impersonate a message from a state government’s secretary of state, declaring that a certain candidate had won that state. For that reason, the vulnerability of these domains to being spoofed is a concern.

In fact, Microsoft just recently took down a massive malware network, called Trickbot, which was sending out malware-laden email that could have affected the election. Such phishing emails, if they impersonated a trusted sender like a state domain, would be even more effective than usual.

We’ll have more to report on this subject next week, so stay tuned for the second installment of our research.

And in the meantime, please be careful with any email you receive that appears to come from an unauthenticated state domain. It’s just possible that it may be a spoof.

Download the report
Back to blog
Published October 14, 2020
  • DMARC
  • election hacking
  • election security
  • Research
  • SPF
Author: Dylan Tweney
Dylan Tweney is the VP of research and communications for Valimail. He is the founder of Tweney Media, a content-driven communications agency, whose clients have included Samsung, Korn Ferry International, Upwork, YL Ventures, Bloomberg Beta, and Valimail. Formerly, he was the editor-in-chief of VentureBeat and a senior editor at Wired.
Resources
Email Fraud Landscape Spring 2021
Learn more
Top retailers remain vulnerable to email brand spoofing
Learn more
Email security with Microsoft and Valimail
Learn more
Election email security
Learn more
Email fraud landscape, Summer 2020
Learn more
Latest news
Trump’s refusal to concede the election is creating an opening for cy...
Learn more
2020 General Election Results to Directly Impact Tech Industry
Learn more
Why Email Is Still an Election Day Disinformation Risk
Learn more
US elections are still vulnerable to email spoofing
Learn more
Security Gaps Persist, Report Warns, After U.S. Blames Iran In Election Sch...
Learn more
Press releases
Valimail Report Reveals 3 Billion Spoofed Emails are Sent Every Day
Learn more
Valimail Triples Customer Base, Becomes Top Global DMARC Provider in 2020
Learn more
Valimail: 2020 election infrastructure still vulnerable to email hackers
Learn more
Valimail Announces Selection by ASG for Anti-Phishing and BEC Protection
Learn more
Valimail DMARC Monitor and Valimail Enforce Now Available in the Microsoft ...
Learn more
Follow us
Contact us

P: 888.354.6179
E: info@valimail.com

Headquarters

1942 Broadway St., Ste. 314C
Boulder, CO 80302

Request a full phishing analysis
© Valimail
  • Terms of use
  • Privacy Policy
  • Website terms of use
  • Do not sell my personal information
  • Phishing Analysis
  • Domain Checker
  • Products
  • Enforce
  • DMARC Monitor
  • Instant SPF
  • Amplify
  • Solutions
  • Anti-phishing
  • Brand protection
  • Compliance
  • Government
  • Marketing
  • Microsoft
  • Shadow IT
  • About
  • News + awards
  • Partners
  • Team
  • Careers
  • Industry leadership
  • Customer support
  • Learn
  • Resources
  • Blog
  • Customers
Subscribe to our newsletter

Get exclusive content on improving email security and deliverability from the experts at Valimail.

  • *
    I understand that I may proactively manage my preferences, or opt-out of Valimail communications at any time using the unsubscribe link provided in Valimail email communication. I confirm that I am over the age of 16. The information that you provide will be used in accordance with the terms of our Privacy Policy.
  • This field is for validation purposes and should be left unchanged.