Presidential Candidates’ Use of DMARC Improves, but Remains Short of Optimum
Presidential candidates’ protection of their domains is improving, but could improve further. More specifically, of the 15 current candidates, eight now protect their domains from email spoofing with enforced DMARC. In May 2019, when there were still 23 candidates, only three were protected by DMARC.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) works with two other email standards (SPF, or Sender Policy Framework, and DKIM, or Domain Keys Identified Mail) to give domain owners control over which senders are allowed to send messages ‘as’ them. The effect is to specify which email servers can name the protected domain in the From field of their messages, thus preventing email spoofing.
Today, three domains have no DMARC (Bennet, Walsh and Wend), while four more have unenforced DMARC (Delaney, Patrick, Sanders and Trump). Although running DMARC in ‘unenforced’ mode is often an indication that DMARC is in process of implementation, for so long as it is unenforced, there is no protection. The authors of the survey, Valimail, note further that while Bloomberg has DMARC configured with an enforcement policy, a problem with the underlying SPF record (it exceeds the limit of 10 DNS lookups specified in the SPF standard) could cause problems with security, visibility and enforcement.
Almost all email servers now support DMARC. They check to see if the apparent source domain has DMARC configured, and if so, whether the sender is approved. If approved, the email is allowed. If not, the email server obeys one of the three DMARC policies: reject (ie, delete it), quarantine (send it to a spam or junk folder), or none (deliver it as normal).
Valimail highlights three potential email attacks on or spoofed from the candidates’ domains. Inbound hacking attempts could impersonate a senior member of the campaign to leverage trust in that person as part of a phishing attack. Outbound phishing attacks could be launched while spoofing the campaign domain to gain additional credibility. Such emails could be targeted against both large and small donors with the intention of redirecting donations to the hackers’ bank accounts.
The third attack could be politically motivated. “Rather than hacking attempts,” warns Valimail, “bad actors might try to impersonate the campaign with mass emails sent to U.S. citizens at large, delivering a message that the campaign would never assent to — thereby sowing confusion about the campaign’s true positions, or generating distrust in its platform altogether.”
Valimail believes that the improvements in the presidential candidates’ use of DMARC over the last nine months is promising; but that “election officials as well as the vendors of hardware and software used in elections are all still far too easy to impersonate. In short, email remains a weak link in election security. The first step in closing that gap is to implement DMARC authentication, just as the campaigns have done.”
Nevertheless, it concludes, “It’s a real sign of progress when more than half of the presidential campaigns have not only published DMARC records, but have configured them with effective enforcement policies.”