Dmarc as a Service
Feb 10, 2020
Presidential campaigns reach email security milestone
The 2020 U.S. presidential election has reached a significant cybersecurity milestone. For the first time, more than half of the candidates for president have domains that are protected from spoofing.
That leaves just seven unprotected domains, of which four have configured DMARC but have left it in a monitor-only mode (a policy of “none”). This is a good start, but monitor-only mode still allows messages to be delivered that appear to come from that campaign’s domain but which are not actually authorized by the campaign.
The remaining three have no DMARC configuration at all, so they are also completely vulnerable to impersonation by spoofed emails pretending to come from them.
Note: The DMARC record for mikebloomberg.com is configured with an enforcement policy, but the underlying SPF record has a problem that could affect security, visibility, and deliverability: it exceeds the limit of 10 DNS lookups specified in the SPF standard.
Why this matters
This milestone is a significant step forward in securing a component of the U.S. election infrastructure. When we last looked at the presidential field in May 2019, there were 23 candidates, of which only three (just 13%) were protected by DMARC. At the time, 10 candidates’ domains didn’t have DMARC of any kind.
The progress on this front is significant, because when properly configured, DMARC at enforcement blocks one of the most devastating types of phishing attacks: Emails using the exact domain of the spoofed brand (or candidate) in the From field. If the content is well-crafted (as most fraudulent emails are in today’s threat landscape), these phishing emails can be difficult or impossible to distinguish from legitimate campaign emails.
Exact-domain impersonations can be a threat in several ways:
- Inbound hacking attempts. Malicious actors trying to gain access to a campaign’s digital infrastructure might impersonate a senior member of the campaign, or the campaign’s IT staff, with a message that appears to come “from” the domain and is sent to vulnerable members of the staff. Once the attacker has gained the target’s trust, they can leverage that trust to trick the recipient into handing over sensitive data, entering login data on a phishing website, opening attachments with malware, etc.
- Outbound hacking attempts. Malicious actors might use the campaign’s domain to send messages to a recipient outside the campaign, hoping that the legitimacy of a campaign domain in the From field would help make their message seem more credible. Targets for this kind of attack could include major donors or even smaller donors with emails that attempt to redirect campaign donations to the phisher’s own bank accounts.
- Disinformation and reputation damage. Rather than hacking attempts, bad actors might try to impersonate the campaign with mass emails sent to U.S. citizens at large, delivering a message that the campaign would never assent to — thereby sowing confusion about the campaign’s true positions, or generating distrust in its platform altogether.
How DMARC helps
DMARC (Domain-based Message Authentication, Reporting, and Conformance) works together with two other email standards (SPF, or Sender Policy Framework, and DKIM, or DomainKeys Identified Mail) to give domain owners control over which senders are allowed to send messages “as” them.
Using these three standards, domain owners can specify exactly which mail servers and sending services are permitted to send email using their domain in the From field of their messages. For example, a campaign might want to use a cloud-based payroll service, which would need to send messages to employees that would appear to come from the company itself (and would be validated and trusted accordingly).
Mail servers worldwide overwhelmingly support DMARC and check all inbound mail to see whether the domain it appears to come from has published a DMARC record. If it has, the mail server then checks whether the incoming message authenticates (i.e. originates from a sender approved by the domain owner). If the message doesn’t authenticate, the receiving mail server handles it according to the policy specified in the domain’s DMARC “p=” setting:
- delete it (p=reject)
- send it to a spam or junk folder (p=quarantine)
- deliver it as normal (p=none)
The former two policies are known as “enforcement,” while the latter is “monitor mode.”
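To make the enforcement-versus-monitor distinction and the SPF lookup-limit note above concrete, here is a small added example (not code from the original post or from any DMARC vendor) that classifies a DMARC record's p= policy and counts the lookup-triggering terms in an SPF record against the 10-lookup limit. The records it uses are constructed samples, and the SPF counter only examines the terms visible in one record rather than resolving its includes.

```python
# Constructed sample TXT records (not any campaign's real records).
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org; pct=100"
SAMPLE_SPF = (
    "v=spf1 include:_spf.example.net include:mail.example.org "
    "include:spf.payroll-example.com a mx include:a.example.com "
    "include:b.example.com include:c.example.com include:d.example.com "
    "include:e.example.com include:f.example.com ip4:192.0.2.0/24 ~all"
)
# SPF terms that each cost one DNS lookup (RFC 7208, section 4.6.4).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10

def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC TXT record as a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_status(record):
    """Classify the p= policy as the post does: enforcement, monitor, or invalid."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy in ("reject", "quarantine"):
        return "enforcement"  # failing mail is rejected or quarantined
    if policy == "none":
        return "monitor"      # failing mail is still delivered, only reported
    return "invalid"

def spf_lookup_count(record):
    """Count lookup-triggering terms visible in one SPF record.
    A full evaluator must also add the lookups inside every included record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    count = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?")          # drop the qualifier
        for sep in (":", "=", "/"):         # drop the argument, if any
            name = name.split(sep, 1)[0]
        if name.lower() in SPF_LOOKUP_TERMS:
            count += 1
    return count

def spf_exceeds_limit(record):
    # True when this record alone already exceeds the 10-lookup limit.
    return spf_lookup_count(record) > SPF_LOOKUP_LIMIT
```

Run against the constructed samples, the DMARC record reports "monitor" and the SPF record counts 11 lookups, the same class of misconfiguration the note above describes.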
This is just the beginning
Campaign domains are showing much progress, but the rest of the election infrastructure remains vulnerable to digital attack on several fronts. Email is the primary vector for attack against all types of organizations, and its role in attacks against the U.S. election infrastructure has been well documented in both 2016 and 2018.
Unfortunately, election officials as well as the vendors of hardware and software used in elections are all still far too easy to impersonate. In short, email remains a weak link in election security. The first step in closing that gap is to implement DMARC authentication, just as the campaigns have done.
We aren’t the only ones making this recommendation. The Mobile, Messaging, and Malware Anti-Abuse Working Group (M3AAWG), a broad industry working group, recently recommended that election officials should take a few critical steps to protect elections. One of those steps: implement authentication for email domains.
As M3AAWG wrote, it’s important to “mitigate spear phishing and eavesdropping by securing email communications through signing and publishing email authentication records and enabling encryption in transit.”
Additionally, M3AAWG recommends implementing multi-factor authentication (MFA) across all systems and accounts, in order to mitigate the impact of stolen login credentials.
But DMARC is a critical step. It’s a real sign of progress when more than half of the presidential campaigns have not only published DMARC records, but have configured them with effective enforcement policies.