Valimail blog

Presidential campaigns reach email security milestone

Author: Dylan Tweney

The 2020 U.S. presidential election has reached a significant cybersecurity milestone. For the first time, more than half of the candidates for president have domains that are protected from spoofing.

Of the 15 candidates currently in the race (as listed by the New York Times), eight are protected by DMARC policies set to enforcement.

That leaves just seven unprotected domains, of which four have configured DMARC but have left it in a monitor-only mode (a policy of “none”). This is a good start, but monitor-only mode still allows messages to be delivered that appear to come from that campaign’s domain but which are not actually authorized by the campaign.

The remaining three have no DMARC configuration at all, so they are also completely vulnerable to impersonation by spoofed emails pretending to come from them.

Candidate    Domain                  Status
Bennet       michaelbennet.com       ⛔️ No DMARC
Biden        joebiden.com            ✅ Protected by DMARC
Bloomberg    mikebloomberg.com       ✅ Protected by DMARC
Buttigieg    peteforamerica.com      ✅ Protected by DMARC
Delaney      johndelaney.com         ⚠️ Not enforced
Gabbard      tulsi2020.com           ✅ Protected by DMARC
Klobuchar    amyklobuchar.com        ✅ Protected by DMARC
Patrick      devalpatrick2020.com    ⚠️ Not enforced
Sanders      berniesanders.com       ⚠️ Not enforced
Steyer       tomsteyer.com           ✅ Protected by DMARC
Trump        donaldjtrump.com        ⚠️ Not enforced
Walsh        joewalsh.org            ⛔️ No DMARC
Warren       elizabethwarren.com     ✅ Protected by DMARC
Weld         weld2020.org            ⛔️ No DMARC
Yang         www.yang2020.com        ✅ Protected by DMARC

Note: The DMARC record for mikebloomberg.com is configured with an enforcement policy, but there is a problem with the underlying SPF record that could cause problems with security, visibility, and deliverability: It exceeds the limit of 10 DNS lookups specified in the SPF standard.
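
How a record ends up over the 10-lookup limit is easier to see when nested includes are followed. The sketch below is an added example, not Valimail's code: the domains and SPF records in ZONE are constructed stand-ins for live DNS answers, and the count is the worst case (every term evaluated).

```python
import re

# Added example: worst-case count of SPF terms that trigger DNS queries
# (RFC 7208, section 4.6.4). The per-"mx" address sub-limit is not modelled.
LOOKUP_LIMIT = 10
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")

# Constructed zone data standing in for live TXT lookups.
ZONE = {
    "campaign.example": "v=spf1 a mx include:_spf.esp-a.example "
                        "include:_spf.esp-b.example include:_spf.crm.example -all",
    "smallcampaign.example": "v=spf1 mx include:_spf.esp-a.example -all",
    "_spf.esp-a.example": "v=spf1 include:_a1.esp-a.example "
                          "include:_a2.esp-a.example ~all",
    "_a1.esp-a.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_a2.esp-a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.esp-b.example": "v=spf1 a:mail.esp-b.example mx:esp-b.example ptr ~all",
    "_spf.crm.example": "v=spf1 ip4:203.0.113.0/24 redirect=_spf.esp-a.example",
}

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms, descending into include and redirect."""
    if domain in path:  # include loop: stop descending
        return 0
    total = 0
    for term in zone.get(domain, "").lower().split()[1:]:  # skip "v=spf1"
        match = TERM.match(term)
        if not match:
            continue
        name, target = match.groups()
        if name in ("a", "mx", "ptr", "exists"):
            total += 1
        elif name in ("include", "redirect") and target:
            # one query for the target's record, plus whatever it contains
            total += 1 + count_lookups(target, zone, path + (domain,))
    return total

def exceeds_limit(domain, zone=ZONE):
    """True when evaluation could exceed the limit and end in permerror."""
    return count_lookups(domain, zone) > LOOKUP_LIMIT

if __name__ == "__main__":
    for name in ("campaign.example", "smallcampaign.example"):
        print(name, count_lookups(name, ZONE), exceeds_limit(name))
```

The top-level record of campaign.example lists only five lookup terms, yet the nested includes push the total past the limit, which is why the count has to be taken over the whole include tree.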

Why this matters

This milestone is a significant step forward in securing a component of the U.S. election infrastructure. When we last looked at the presidential field in May 2019, there were 23 candidates, of which only three (just 13%) were protected by DMARC. At the time, 10 candidates’ domains didn’t have DMARC of any kind.

The progress on this front is significant, because when properly configured, DMARC at enforcement blocks one of the most devastating types of phishing attacks: Emails using the exact domain of the spoofed brand (or candidate) in the From field. If the content is well-crafted (as most fraudulent emails are in today’s threat landscape), these phishing emails can be difficult or impossible to distinguish from legitimate campaign emails.

Exact-domain impersonations can be a threat in several ways:

  • Inbound hacking attempts. Malicious actors trying to gain access to a campaign’s digital infrastructure might impersonate a senior member of the campaign, or the campaign’s IT staff, with a message that appears to come “from” the domain and is sent to vulnerable members of the staff. Once the attacker has gained the target’s trust, they can leverage that trust to trick the recipient into handing over sensitive data, entering login data on a phishing website, opening attachments with malware, etc.
  • Outbound hacking attempts. Malicious actors might use the campaign’s domain to send messages to a recipient outside the campaign, hoping that the legitimacy of a campaign domain in the From field would help make their message seem more credible. Targets for this kind of attack could include major donors or even smaller donors with emails that attempt to redirect campaign donations to the phisher’s own bank accounts.
  • Disinformation and reputation damage. Rather than hacking attempts, bad actors might try to impersonate the campaign with mass emails sent to U.S. citizens at large, delivering a message that the campaign would never assent to — thereby sowing confusion about the campaign’s true positions, or generating distrust in its platform altogether.

How DMARC helps

DMARC (Domain-based Message Authentication, Reporting, and Conformance) works together with two other email standards (SPF, or Sender Policy Framework, and DKIM, or DomainKeys Identified Mail) to give domain owners control over which senders are allowed to send messages “as” them.

Using these three standards, domain owners can specify exactly which mail servers and sending services are permitted to send email using their domain in the From field of their messages. For example, a campaign might want to use a cloud-based payroll service, which would need to send messages to employees that would appear to come from the company itself (and would be validated and trusted accordingly).

Mail servers worldwide overwhelmingly support DMARC and will do checks on all inbound mail to see if the domain it appears to come from has configured DMARC. If the domain does have a DMARC record, the mail server will then check to see whether the incoming message authenticates (i.e. originates from a sender approved by the domain owner). If the message doesn’t authenticate, the receiving mail server will handle it according to the policy specified in the domain’s DMARC “p=” setting:

  • delete it (p=reject)
  • send it to a spam or junk folder (p=quarantine)
  • deliver it as normal (p=none)

The first two policies are known as “enforcement,” while the last is “monitor mode.”
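
The three statuses used in the table above follow directly from the “p=” value. The sketch below is an added example, not Valimail's tooling: it classifies the TXT strings published at _dmarc.<domain> using the record-selection rules of RFC 7489, and every domain and record in SAMPLES is constructed.

```python
# Added example: classify a domain's DMARC posture from the TXT strings
# found at _dmarc.<domain>. All sample records below are constructed.
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Return a tag -> value dict, or None if txt is not a DMARC record."""
    tags = []
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:  # simplification: parts without "=" are skipped
            tags.append((name.strip().lower(), value.strip()))
    # RFC 7489: the first tag must be v=DMARC1
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def classify(txt_records):
    """Map published TXT strings to the three statuses used in the table."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:
        return "No DMARC"  # zero or several records: no policy is applied
    record = records[0]
    policy = record.get("p", "").lower()
    if policy in ENFORCING:
        return "Protected by DMARC"
    if policy == "none" or record.get("rua"):
        # a missing or invalid p with a rua tag is handled as p=none
        # (the rua URI syntax is not validated here)
        return "Not enforced"
    return "No DMARC"

SAMPLES = {  # constructed records, one list of TXT strings per domain
    "enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
    "junked.example": ["v=DMARC1; p=quarantine; pct=100"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "typo.example": ["v=DMARC1; p=rejct; rua=mailto:dmarc@typo.example"],
    "duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "spfonly.example": ["v=spf1 -all"],
    "empty.example": [],
}

if __name__ == "__main__":
    for domain, txts in SAMPLES.items():
        print(f"{domain:20} {classify(txts)}")
```

The typo.example and duplicate.example cases show two ways a domain that intended p=reject ends up without enforcement: a misspelled policy value degrades to monitor mode, and a second DMARC record causes receivers to apply no policy at all.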

This is just the beginning

Campaign domains are showing much progress, but the rest of the election infrastructure remains vulnerable to digital attack on several fronts. Email is the primary vector for attack against all types of organizations, and its role in attacks against the U.S. election infrastructure has been well documented in both 2016 and 2018.

Unfortunately, election officials as well as the vendors of hardware and software used in elections are all still far too easy to impersonate. In short, email remains a weak link in election security. The first step in closing that gap is to implement DMARC authentication, just as the campaigns have done.

We aren’t the only ones making this recommendation. The Mobile, Messaging, and Malware Anti-Abuse Working Group (M3AAWG), a broad industry working group, recently recommended that election officials should take a few critical steps to protect elections. One of those steps: implement authentication for email domains.

As M3AAWG wrote, it’s important to “mitigate spear phishing and eavesdropping by securing email communications through signing and publishing email authentication records and enabling encryption in transit.”

Additionally, M3AAWG recommends implementing multi-factor authentication (MFA) across all systems and accounts, in order to mitigate the impact of stolen login credentials.

But DMARC is a critical step. It’s a real sign of progress when more than half of the presidential campaigns have not only published DMARC records, but have configured them with effective enforcement policies.

Published February 10, 2020
  • DMARC
  • election hacking
  • Research
Dylan Tweney is the VP of research and communications for Valimail. He is the founder of Tweney Media, a content-driven communications agency, whose clients have included Samsung, Korn Ferry International, Upwork, YL Ventures, Bloomberg Beta, and Valimail. Formerly, he was the editor-in-chief of VentureBeat and a senior editor at Wired.