U.S. Presidential campaigns are still vulnerable to spoofing, an analysis by Valimail has found. However, they're making progress.
Of the 23 candidates listed in the New York Times’ overview of 2020 Presidential candidates, Valimail found that about half — 12 candidates’ primary domains — were not using DMARC, the key standard used to prevent spoofing of a domain Another 8 candidates’ domains have published DMARC records, but have not yet configured those records to prevent fake emails from being delivered. These domains are in “monitor-only” mode (with a policy setting of p=none), which may give the domain owners visibility into who is using their domains to send email, but does not actually block the fakes.
Three candidates — Elizabeth Warren, Joe Biden, and Tulsi Gabbard — have DMARC records that are correctly configured and set to a policy of enforcement, which directs receiving mail servers to take action on any messages that fail authentication (either delete them, or put them into the spam folder).
In fact, all three of these have set their DMARC policies to p=reject, the strongest setting, which instructs receiving mail servers to delete fake email entirely.
Why Authentication Matters
This rate of protection is not high — 20 out of 23 campaigns can still easily be impersonated — but the rates of DMARC usage and enforcement are both a significant improvement over 2016, when no candidates were using the standard, and over 2018, when just a very few were.
This is a significant shift that signals a more widespread recognition of the importance of stopping fake email.
That’s because attackers can use impersonation emails to attack the stable functioning of American democracy in at least two ways:
- Spear-phishing attacks directed at the campaigns themselves. These are much more effective when they appear to come “From” the campaign itself.
- Disinformation campaigns directed at voters, supporters, or the media. These email campaigns could seek to discredit a candidate by disseminating emails that appear to come from the campaign, but which are actually counter to the campaign’s true message.
The data on these campaigns’ settings is publicly accessible in DNS. We are publishing our scorecard here in full transparency, with links to verify the DMARC status of each domain. It’s true there’s been some disagreement on the numbers, but we think the facts speak for themselves. Feel free to check our work.
For each candidate’s domain, the third column here shows their DMARC status, and is linked to a page that shows the DMARC status in detail using Valimail’s domain checker. For example, to check the DMARC status of elizabethwarren.com, the Valimail domain checker URL is https://www.valimail.com/domain-checker/#/elizabethwarren.com.
Our Offer to Campaigns
As we first announced in August 2018, Valimail is offering to help any national candidate’s domain achieve protection from email impersonation, free of charge.
We are a FedRAMP-authorized service provider used by five different U.S. government agencies and dozens of private-sector enterprises.
For the 2020 election campaign, we are once again offering our service free of charge to national presidential campaigns, because we believe that American democracy deserves the ability to function free of phishing, impersonation, and email hacking.
It takes about 5 minutes to configure a domain analysis, and in 1-2 weeks you can see exactly who is sending email using your domain — and stop the bad guys. Contact email@example.com if you represent a presidential campaign (or the DNC or RNC) and would like to take advantage of this pro-bono offer.