Both the Biden and Trump campaigns lack protection against spoofing, and so do many down-ballot campaigns, according to a new report from Valimail.
The news comes as the FBI reports that Iran and Russia have access to U.S. voter registrations, and that Iran may be behind the emails sent in the name of the Proud Boys, a right-wing extremist group, threatening Democratic voters.
The Valimail study, while it was written prior to that news, states that “at virtually every level of the American election infrastructure, there is massive vulnerability to impersonation.”
For one thing, the domains donaldtrump.com, GOP.com, Joebiden.com and a majority of liberal and conservative PACs are unprotected.
The key forms of protection they are lacking are DMARC (Domain-based Message Authentication, Reporting and Conformance), SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
Overall, only 15% of campaigns and PACs have DMARC, but 35% lack DMARC enforcement, 40% have no DMARC and 10% possess invalid DMARC.
However, 80% have valid SPF, versus 10% whose SPF is invalid and 10% who simply do not have it.
The high number reflects the fact that “SPF is a widely understood marketing best practice, which, if properly configured, can help improve the deliverability of emails sent from that domain.”
But SPF by itself “provides no protection against impersonation,” the study adds.
The study also shows that only 7% of the biggest U.S. counties have DMARC enforcement, versus 26.7% that have valid DMARC but no enforcement, 7% who have invalid DMARC and 59.4% who have no DMARC.
At the same time, only 12.5% of election manufacturers are protected by DMARC, although 37.5% have valid DMARC and 12.5% invalid. Another 37.5% have no DMARC.
Only one of eight election systems manufacturers certified by the U.S. government is protected.
Among the protected organizations are Democrats.org, five liberal PACs and one conservative PAC.
Seth Blank, vice president of standards and new technologies at Valimail, urges campaigns to use 2020 as “the catalyst to prepare for future elections — prioritize DMARC enforcement for email and multifactor authentication for all systems.”
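For readers who want to see how a domain lands in one of the four DMARC categories the study counts, the sketch below sorts the TXT records published at _dmarc.<domain> into those buckets. It is an added example, not code from Valimail or the report; the function names and the example.* records are constructed, and it assumes "enforcement" means a quarantine or reject policy applied to 100% of mail.

```python
import re

VALID_POLICIES = ("none", "quarantine", "reject")

def parse_tags(record):
    """Split 'v=DMARC1; p=reject; pct=100' into a dict; None if malformed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                      # trailing ';' is allowed
        if "=" not in part:
            return None
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags

def classify_dmarc(txt_records):
    """Map the TXT strings found at _dmarc.<domain> to a study category."""
    # SPF and other TXT strings are not DMARC records; only 'v=DMARC1' counts.
    dmarc = [r for r in txt_records if re.match(r"\s*v\s*=\s*DMARC1\b", r)]
    if not dmarc:
        return "no DMARC"
    if len(dmarc) > 1:
        return "invalid DMARC"            # RFC 7489: receivers apply none of them
    tags = parse_tags(dmarc[0])
    policy = (tags or {}).get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid DMARC"            # missing or misspelled p= tag
    pct = tags.get("pct", "100")          # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        return "invalid DMARC"
    # Assumption (not from the report): enforcement = quarantine/reject at 100%.
    if policy != "none" and int(pct) == 100:
        return "DMARC enforcement"
    return "valid DMARC, no enforcement"

# Constructed sample records, not real lookups.
SAMPLES = {
    "enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "typo.example": ["v=DMARC1 p=reject"],            # missing ';' separator
    "spf-only.example": ["v=spf1 include:_spf.example.net ~all"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(f"{domain}: {classify_dmarc(records)}")
```

The spf-only.example case matches the study's point about SPF: a domain can publish a valid SPF record and still fall in the "no DMARC" bucket.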