Valimail: 2020 election infrastructure still vulnerable to email hackers

Report: Only 3% of state, 7% of top county domains protected

SAN FRANCISCO, October 22, 2020 — Valimail, the global leader in zero-trust, identity-based anti-phishing solutions, has released its latest report, “2020 Election Infrastructure Remains Vulnerable to Email Hacking.” With less than two weeks until Election Day, the report presents new data that illustrates the threat of impersonation-based email phishing attacks that utilize domains involved in the U.S. election.

The report highlights a lack of adherence to email authentication standards for email domains associated with the U.S. presidential campaigns, political action committees (PACs), U.S. state and county governments, as well as election system manufacturers. Valimail found most domains were unprotected from email spoofing, meaning they could easily be impersonated by attackers pretending to play some role in the election infrastructure.

“You often hear of email phishing within the corporate world — when business email compromise or related attacks result in loss of funds or proprietary data — but the threat within the U.S. election infrastructure is unique,” said Alexander García-Tobar, CEO and co-founder of Valimail. “Malicious agents could use the essential and pervasive nature of email to spread uncertainty, confusion, misinformation or doubt, which could, in turn, interfere with a free and fair election.”

The report makes a strong case for a widely used industry standard called Domain-based Message Authentication, Reporting, and Conformance, also known as DMARC. DMARC enforcement is considered the industry best practice for email authentication to prevent attacks in which malicious third parties try to send harmful emails using a counterfeit address. Valimail’s latest research is also timely given email phishing attacks are at their highest level in three years.

Valimail is calling on federal and state officials to prioritize DMARC for all domains involved in elections, as the federal government has already done for federal agency domains. Valimail manages DMARC for more organizations than any other vendor worldwide and has the highest rate and greatest speed of getting customers from monitoring mode to DMARC enforcement.

Key takeaways from Valimail’s latest election security report include:

  • Only 15% of campaigns and PACs are protected from spoofing with DMARC enforcement.
  • Just 7% of the largest counties’ domains are protected.
  • Only 3.3% of U.S. state domains are protected.
  • Only one of the eight election systems manufacturers certified by the U.S. government is protected from email spoofing.
  • Protected by DMARC enforcement:, five liberal PACs and one conservative PAC.
  • Unprotected:,,, and the majority of liberal and conservative PACs.

“Our message to all domains involved in elections is to check your email authentication and determine your level of protection and vulnerability,” said Seth Blank, vice president of standards and new technologies at Valimail. “Use 2020 as the catalyst to prepare for future elections — prioritize DMARC enforcement for email and multifactor authentication for all systems.”

The research in this report stems from an analysis Valimail performed on hundreds of domain name system (DNS) entries related to state and local governments, campaigns, PACs and election system manufacturers. Valimail looked for DMARC and sender policy framework (SPF) records, analyzing the configuration and DMARC policy on each one.
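The kind of check described above can be sketched as follows. This is an added example, not Valimail's tooling or methodology. It classifies TXT record strings that have already been fetched, so it runs offline. Assumptions: "enforcement" means `p=quarantine` or `p=reject` applied to 100% of mail, the status labels are this example's own, and the `.example` domains and records are constructed.

```python
import re

# Assumption (not defined on the page): "enforcement" = p=quarantine or
# p=reject applied to 100% of mail; p=none is monitoring only.
DMARC_V = re.compile(r"^\s*v\s*=\s*DMARC1\s*(;|$)")

def dmarc_status(txt_records):
    """Classify the TXT strings published at _dmarc.<domain>."""
    found = [r for r in txt_records if DMARC_V.match(r)]
    if not found:
        return "no-dmarc"
    if len(found) > 1:
        return "invalid"  # RFC 7489: several records means none is applied
    tags = {}
    for part in found[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy, pct = tags.get("p"), tags.get("pct", "100")
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if not pct.isdigit() or int(pct) > 100:
        return "invalid"
    if policy == "none":
        return "monitoring"
    return "enforcement" if int(pct) == 100 else "partial"

def spf_status(txt_records):
    """Classify the TXT strings at the domain itself by their 'all' term."""
    found = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not found:
        return "no-spf"
    if len(found) > 1:
        return "invalid"  # RFC 7208: multiple SPF records is a permerror
    for term in found[0].lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            qualifiers = {"-": "hardfail", "~": "softfail", "?": "neutral"}
            return qualifiers.get(term[0], "pass-all")
    return "no-all"  # outcome then depends on redirect= or is neutral

SAMPLE = {  # constructed records for illustration, not real lookups
    "state-a.example": (["v=DMARC1; p=reject; rua=mailto:d@state-a.example"], ["v=spf1 mx -all"]),
    "county-b.example": (["v=DMARC1; p=none"], ["v=spf1 mx ~all"]),
    "pac-c.example": (["v=DMARC1; p=quarantine; pct=25"], []),
    "vendor-d.example": ([], ["v=spf1 +all"]),
}

def audit(domains):
    """Map each domain to its (DMARC status, SPF status) pair."""
    return {d: (dmarc_status(dm), spf_status(sp)) for d, (dm, sp) in domains.items()}
```

Only the first domain in the constructed sample would count as protected under the assumed definition; the others show the monitoring-only, partial, and missing-record cases.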

To download the full report, please visit Governments, groups and organizations that want to take the first step of their DMARC enforcement journey can also check the status of their domains using Valimail’s free, instant domain checker at