Report: Most 2020 Candidates Aren't Using Anti-Spoofing Email Protections


By failing to take advantage of DMARC protections, candidates could expose themselves to the types of phishing attacks that hit the Democratic National Committee in 2016.

The vast majority of the 2020 presidential candidates aren’t taking advantage of a basic email security tool that could help prevent phishing attacks, industry researchers found.

Only three of the 24 declared candidates in the 2020 presidential race are fully enforcing Domain-based Message Authentication, Reporting and Conformance, or DMARC, a security protocol that protects against email spoofing, according to a blog post published Friday by the security firm Valimail.

By failing to use the tool, candidates could leave themselves vulnerable to the types of phishing attacks that exposed thousands of the Democratic National Committee’s internal emails during the 2016 election.

DMARC works by automatically pinging an email sender’s domain—, for example—to ask if specific email addresses are legitimate. If the domain flags the email address as suspect, the tool would divert the email to the recipient’s spam folder or delete the message altogether.

In other words, DMARC could help prevent campaign staffers from opening phishing emails from phony accounts and keep online adversaries from disguising themselves as presidential campaigns to send malicious emails.

Only three candidates—Sen. Elizabeth Warren, D-Mass., Rep. Tulsi Gabbard, D-Hawaii, and former Vice President Joe Biden—have the tool up and running for their campaigns’ online domains, according to the report. The rest of the candidates, including President Donald Trump, either aren’t using DMARC at all or haven’t set any anti-spoofing protocols, meaning suspicious emails would be allowed to go through to recipients inboxes undetected or uninterrupted.

And the consequences of such unchecked messages can be significant.

The Russian hackers who in 2016 exposed tens of thousands of emails from the DNC and Hillary Clinton’s presidential campaign used spoofing techniques that DMARC aims to prevent, according to Dylan Tweney, who leads Valimail’s research program. And 2020 candidates could be at risk of similar attacks if they don’t use these protections, he said.

Beyond compromising campaign’s internal accounts and networks, adversaries could also use email spoofing to spread disinformation to the general public under the guise of an official campaign email address, Tweney told Nextgov.

“Political actors are using this kind of spoofing to spread disinformation campaigns, discrediting campaigns, public officials and even the media itself,” he said. “Without [DMARC] in place, it's far too easy to impersonate a domain, and end users don't have a chance of identifying these fakes.”