Sign in
  • Home
  • Products
    • Enforce
    • DMARC Monitor
    • Instant SPF
    • Amplify
  • Solutions
    • Anti-phishing
    • Brand protection
    • Compliance
    • Government
    • Marketing
    • Microsoft
    • Shadow IT
  • About
    • News + awards
    • Partners
    • Team
    • Careers
    • Industry leadership
    • Customer support
  • Learn
    • Resources
    • Blog
    • Customers
  • Support
Request phishing analysis
  • Products
    • Enforce
    • DMARC Monitor
    • Instant SPF
    • Amplify
  • Solutions
    • Anti-phishing
    • Brand protection
    • Compliance
    • Government
    • Marketing
    • Microsoft
    • Shadow IT
  • About
    • News + awards
    • Partners
    • Team
    • Careers
    • Industry leadership
    • Customer support
  • Learn
    • Resources
    • Blog
    • Customers
  • Get started for free
  • Support
  • Sign in
Check to see if you’re protected
☰
Check to see if you’re protected
Share this article
Related posts
  • Blog
    Research: Only 22 of the top 100 retailers are protected by DMARC
  • Blog
    DMARC authentication gets you the deliverability you deserve
  • Blog
    How to use DMARC to help you implement DMARC
Valimail blog

How vulnerable are U.S. election operations to email spoofing?

Author: Dylan Tweney
photo showing a row of voters standing at voting booths

This post is an excerpt from the Valimail research report, 2020 Election Infrastructure Remains Vulnerable to Email Hacking, which was released last week — receiving coverage on NPR and elsewhere. 

U.S. elections happen largely at the local level, with elections administered by local boards of elections or registrars of voters. Those elections are usually conducted with voting and tabulation equipment sourced from a small number of manufacturers whose technologies have been vetted and approved by the Election Assistance Commission.

To check the email security of these organizations, Valimail compiled two lists. One represents domains used by the three most populous counties in every state, a list of 187 domains that we last examined almost a year ago, noting that email security remains a weak link in election infrastructure. The second is a list of domains used by the eight election systems manufacturers approved by the EAC.

For the top counties in the U.S., the picture is only slightly better than we found in 2019. Today, 7% of the country’s largest counties are protected by DMARC that is properly configured and set to a DMARC enforcement policy of p=reject or p=quarantine, up from 5% in December 2019. Almost 27% have DMARC records but have set them to an unenforced, p=none policy, which does nothing to stop email impersonating them from being delivered. And the rest, 111 counties — 59.4% of the total — have no DMARC records at all.

pie chart showing DMARC enforcement rates for US counties

SPF usage among these counties is at a higher level than among state domains, perhaps reflecting the fact that these domains are more heavily used for sending email to local citizens. 67.4% of these domains have valid SPF records, and 24.6% have no SPF at all. Having a valid SPF record published in DNS can help improve deliverability of the emails a domain does send, but it does nothing on its own to protect the domain from being spoofed by imposters.

This lack of protection by DMARC is cause for concern, because it means that the vast majority of America’s largest counties can easily be impersonated by spammers or bad actors. Bogus voter registration notifications, impersonated communications from boards of elections, faked announcements of voting results — all are possibilities that could be executed by a careful adversary, leveraging the implicit trust people are likely to place in a message that appears to come from an official domain.

There is also cause for concern among the manufacturers of election equipment used throughout the country. Only one manufacturer, Smartmatic, has a domain that is protected from impersonation with a correctly configured DMARC record at enforcement. The rest can easily be spoofed.

pie chart showing DMARC enforcement rates among election system manufacturers

Takeaways

It is not difficult to imagine a scenario in which attackers impersonate election officials, state governments, campaigns, or even election systems manufacturers, via spoofed domains, in order to spread disinformation, conduct voter misdirection or vote-suppression campaigns, or even to inject malware into government networks.

For this reason, Valimail urges all organizations involved in elections, from state and local boards of elections to manufacturers to campaigns, to configure their domains with DMARC at enforcement. This step is both feasible, effective, and inexpensive.

For instance, the U.S. Department of Homeland Security issued a directive in late 2017 (BOD 18-01), mandating that civilian executive branch agencies use DMARC at enforcement on all of their domains by early 2019. As a result, nearly 80% of the federal government’s domains are now protected from impersonation, according to Valimail’s research.

The American Bar Association recently called on the U.S. federal government to “empower the National Institute of Standards and Technology (NIST) to establish standards for election software, develop a certification process, and review the private sector role in election systems.” Valimail supports this call, and we would add that DMARC enforcement should be a requirement for all domains involved in elections, just as the DHS mandated it for executive branch agencies.

The U.S. Election Assistance Commission offers resources on improving election security, for voters and for election officials, which provides a wealth of useful, actionable information.

Governments and organizations that want to take the first step on their journey to DMARC enforcement can check the status of their domains using Valimail’s free, instant domain checker, at valimail.com. This will tell you exactly how your SPF and DMARC records are configured, and what needs to be fixed, if anything.

As a guide for getting started with DMARC, we also provide a free, 44-page Email Authentication Handbook, a detailed, step-by-step guide to implementing email authentication using SPF, DKIM, and DMARC.

DMARC enforcement is a crucial best practice for stopping the largest attack vector into any organization. The low rates of deployment of this open standard among domains involved in elections is a signal that best practices to protect democracy are missing in many key places. It is time to direct funding toward implementing such best practices, with DMARC at the top of the list, across state and local infrastructure.

As we wrote last year, the playbook on how to achieve that is well known, and funding is available. It’s past time to get it done.

Download the full report
Back to blog
Published October 27, 2020
  • DMARC
  • election security
  • Research
Author: Dylan Tweney
Dylan Tweney is the VP of research and communications for Valimail. He is the founder of Tweney Media, a content-driven communications agency, whose clients have included Samsung, Korn Ferry International, Upwork, YL Ventures, Bloomberg Beta, and Valimail. Formerly, he was the editor-in-chief of VentureBeat and a senior editor at Wired.
Resources
Top retailers remain vulnerable to email brand spoofing
Learn more
Email security with Microsoft and Valimail
Learn more
Election email security
Learn more
Email fraud landscape, Summer 2020
Learn more
Preparing for BIMI: A Marketer’s Guide
Learn more
Latest news
Trump’s refusal to concede the election is creating an opening for cy...
Learn more
2020 General Election Results to Directly Impact Tech Industry
Learn more
Why Email Is Still an Election Day Disinformation Risk
Learn more
US elections are still vulnerable to email spoofing
Learn more
Security Gaps Persist, Report Warns, After U.S. Blames Iran In Election Sch...
Learn more
Press releases
Valimail Triples Customer Base, Becomes Top Global DMARC Provider in 2020
Learn more
Valimail: 2020 election infrastructure still vulnerable to email hackers
Learn more
Valimail Announces Selection by ASG for Anti-Phishing and BEC Protection
Learn more
Valimail DMARC Monitor and Valimail Enforce Now Available in the Microsoft ...
Learn more
Valimail Research Finds More Than 1 Million Domains Using Crucial Email Aut...
Learn more
Follow us
Contact us

P: 888.354.6179
E: info@valimail.com

Headquarters

180 Montgomery Street
20th Floor
San Francisco, CA 94104

Valimail Mountain Office

1550 Larimer Street
Suite 271
Denver, CO 80202

Request a full phishing analysis
© Valimail
  • Terms of use
  • Privacy Policy
  • Website terms of use
  • Do not sell my personal information
  • Phishing Analysis
  • Domain Checker
  • Products
  • Enforce
  • DMARC Monitor
  • Instant SPF
  • Amplify
  • Solutions
  • Anti-phishing
  • Brand protection
  • Compliance
  • Government
  • Marketing
  • Microsoft
  • Shadow IT
  • About
  • News + awards
  • Partners
  • Team
  • Careers
  • Industry leadership
  • Customer support
  • Learn
  • Resources
  • Blog
  • Customers
Subscribe to our newsletter

Get exclusive content on improving email security and deliverability from the experts at Valimail.

  • *
    I understand that I may proactively manage my preferences, or opt-out of Valimail communications at any time using the unsubscribe link provided in Valimail email communication. I confirm that I am over the age of 16. The information that you provide will be used in accordance with the terms of our Privacy Policy.
  • This field is for validation purposes and should be left unchanged.