Election Insecurity: Campaigns Fail To Protect Themselves Against Spoofing

Even while the impeachment trial and Iowa caucus debacle play out, here is another threat to our electoral process: the failure of campaigns to protect themselves from spoofing.

Three campaigns are badly unprepared — those of Trump, Sanders and Patrick. And several are at least partly vulnerable, according to Email and Website Security for the 2020 Presidential Candidates, a study released on Tuesday by FireOak Strategies. 

On the positive side, all of the candidates studied are using Sender Policy Framework (SPF) and SPF records for email campaigns.

Similarly, all emails received during this study had a valid DKIM signature, although the authors were unable to rate the Trump campaign because they received no emails from it during this phase. 

Things get trickier when it comes to DMARC (Domain Message Authentication Reporting and Conformance), now considered the standard security protocol.

It’s not enough to simply deploy DMARC — you have to have validation and reject policies in place.



The winners here are Biden, Bloomberg, Gabbard, Klobuchar, Steyer, and Warren. Each has a domain that rejects all messages that fail validation. And they receive failure notification reports.

In contrast, Bennet, Walsh, and Weld lack a DMARC policy. Delaney, Patrick, Sanders, and Trump have a DMARC policy set to none:

"Considering how big of a role email security played in the last election, we were shocked to find that several of the candidates are still not following industry best practices to secure their email,” write the report authors: Eric Smith, chief technologist and chief information security officer, and Abby Clobridge, founder of FireOak Strategies.

When it comes to website security, only six candidates have disabled the outdated TLS version 1.0 protocol: Biden, Bloomberg, Delaney, Steyer, Walsh, and Yang.

Scoring in the study was based on DMARC, with a top number of 3 assigned for campaigns with a “reject” policy, and three points each for the other categories if no weaknesses were found.

The authors note that “all of the items we examined are standard features of most email and website hosting services ... there's no excuse for not having these protections in place."

Who’s got it nailed down? Joe Biden and the two Democratic billionaires: Michael Bloomberg and Tom Steyer. Each scores a 9, meaning they have achieved top scores — a 3 each — for their DMARC, TLS !.0 and 1.1 Disabled WeakCipher Suite with TLS 1.0. implementation.

In contrast, Trump and Bernie Sanders each score a 1, with each lacking the two web protections. 

Here’s how they rank.

  • Biden — 9
  • Bloomberg — 9
  • Steyer — 9
  • Yang — 8 
  • Delaney — 7 
  • Klobuchar — 6
  • Walsh — 6
  • Bennet — 3
  • Gabbard — 3
  • Warren — 3
  • Weld — 3
  • Buttigieg — 2 
  • Patrick — 1
  • Sanders — 1
  • Trump — 1 

Don’t let it affect your vote.


Next story loading loading..