How some presidential campaigns use DMARC to protect their domains from being spoofed

DMARC can prevent spammers from using a trusted domain name to send junk mail, a useful tactic for the presidential campaigns and for your organization, according to security provider Valimail.

One way that spammers try to trick people into opening junk mail is by spoofing the From address with the domain name of a trusted company. If you receive an email that shows the sender as Google.com or Microsoft.com, you're more likely to read it, and possibly respond to it, than if it came from abc.com or xyz.com.

Owners of legitimate domains can protect their names from being spoofed in junk mail through Domain-based Message Authentication, Reporting & Conformance (DMARC), a type of authentication that verifies email messages by checking the sender's domain. As this type of spoofing can be used against those running for president in this year's election, here's how the presidential campaigns are using DMARC, and how your organization can as well.


More than half of the current presidential candidates have domains protected from spoofing via DMARC, according to a new blog post from Valimail. Of the 15 candidates still in the race, eight are fully protected by DMARC policies set to enforcement. Four others have set up DMARC, but have kept it in a monitor-only mode, which means that messages can still appear to come from that campaign's domain even though they're not actually authorized. The other three have no DMARC setting at all, according to Valimail, leaving them vulnerable to spoofed emails.


This latest DMARC data shows an improvement from May 2019, when there were 23 candidates and only three of them were fully protected by DMARC. Without DMARC in place, the presidential campaigns can be susceptible to spoofing in a few ways.

  • Inbound hacking attempts. In this case, hackers who want access to a campaign's digital infrastructure could impersonate a senior member of the campaign or the campaign's IT staff with an email that appears to come from the legitimate domain. By targeting vulnerable members of the campaign, the attackers can trick someone into sharing sensitive information, entering login credentials on a phishing site, or opening attachments with malware.
  • Outbound hacking attempts. Hackers can use the campaign's actual domain name to send messages to someone outside the campaign in an attempt to make their emails seem legitimate and credible. As one example, phishing emails could be sent to donors that then redirect donations to the attacker's own financial accounts.
  • Disinformation and reputation damage. Hackers could try to impersonate the campaign with mass emails sent to a large number of people in the US. Such emails could deliver a negative message, creating confusion or mistrust about the campaign itself.

How DMARC works

For organizations that want to protect their own domain names from email spoofing, DMARC works as follows, according to Valimail.

DMARC ties in with two other email standards, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), to give domain holders control over which senders can send email messages as themselves. By using all three standards, domain owners can indicate which email servers and sending services can use their domains in their messages.

A growing number of email servers around the world support DMARC. If the domain has a DMARC record, the receiving mail server checks an incoming message to see if it came from a sender approved by the domain holder. If so, the email is allowed through. If not, and DMARC is fully configured in enforcement mode, the message is either deleted or tagged as spam. If DMARC is not fully configured and is in monitor-only mode, the message could still be seen as legitimate.
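
The three states Valimail counts (enforcement, monitor-only, no DMARC) can be read from the TXT record a domain publishes at _dmarc.<domain>. The following Python is an added example, not code from Valimail or the original article; the domains and records are constructed samples, and the extra "partial-enforcement" label for a pct value below 100 is an assumption of this example.

```python
# Classify a domain's DMARC posture from the TXT strings found at
# _dmarc.<domain> (e.g. the output of: dig +short TXT _dmarc.example.org).

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    first = parts[0].partition("=") if parts else ("", "", "")
    # The v tag must come first and its value must be exactly "DMARC1".
    if first[0].strip() != "v" or first[2].strip() != "DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip(), value.strip())
    return tags

def classify(txt_records):
    """Return 'none', 'monitor-only', 'partial-enforcement' or 'enforcement'."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:
        return "none"  # no record, or several: receivers then apply no DMARC
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "monitor-only"  # reports are sent, spoofed mail is still delivered
    if policy not in ("quarantine", "reject"):
        # Invalid or missing p: handled as p=none only if a report address exists
        # (the rua value is not syntax-checked here).
        return "monitor-only" if tags.get("rua") else "none"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # assumption: an unparsable pct falls back to the default
    # Assumption of this example: a policy applied to only part of the mail
    # stream is reported separately from full enforcement.
    return "enforcement" if pct >= 100 else "partial-enforcement"

# Constructed sample records (not real campaign data).
SAMPLES = {
    "enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=25"],
    "missing.example": ["v=spf1 include:_spf.example.net -all"],
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(f"{domain:20} {classify(txt)}")
```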

Beyond using DMARC, there are other security and anti-spoofing measures that should be taken by election officials and organizations. Citing industry group Mobile, Messaging, and Malware Anti-Abuse Working Group (M3AAWG), Valimail noted other recommendations.

One step is to implement authentication for email domains, which would "mitigate spear phishing and eavesdropping by securing email communications through signing and publishing email authentication records and enabling encryption in transit."

Further, M3AAWG suggests setting up multi-factor authentication across all your systems and accounts to protect against the use of stolen login credentials.

"But DMARC is a critical step," Valimail said. "It's a real sign of progress when more than half of the presidential campaigns have not only published DMARC records, but have configured them with effective enforcement policies."
