Only a handful of 2020 US presidential candidates are using a basic email security feature

Just one-third of the 2020 U.S. presidential candidates are using an email security feature that could prevent an attack similar to the one that hobbled the Democrats during the 2016 election.

Out of the 21 presidential candidates in the race according to Reuters, seven Democrats and one Republican candidate are using and enforcing DMARC, an email security protocol that verifies the authenticity of a sender’s email and rejects spoofed emails, which hackers often use to try to trick victims into opening malicious links from seemingly known individuals.

It’s a marked increase from April, when only Elizabeth Warren’s campaign had employed the technology. Now, the Democratic campaigns of Joe Biden, Kamala Harris, Michael Bloomberg, Amy Klobuchar, Cory Booker, Tulsi Gabbard, and Republican candidate Steve Bullock have all improved their email security.

The remaining candidates, including presidential incumbent Donald Trump, are not rejecting spoofed emails. Another seven candidates are not using DMARC at all.

That, experts say, puts their campaigns at risk from foreign influence campaigns and cyberattacks.

“When a campaign doesn’t have the basics in place, they are leaving their front door unlocked,” said Armen Najarian, chief identity officer at Agari, an email security company. “Campaigns have to have both email authentication set at an enforcement policy of reject and advanced email security in place to be protected against socially-engineered covert attacks,” he said.

DMARC, which is free and fairly easy to implement, can not only prevent attackers from impersonating a candidate’s campaign but also prevent the same kind of targeted phishing attacks against the candidate’s network that resulted in the breach and theft of thousands of emails from the Democrats.

In the run-up to the 2016 presidential election, Russian hackers sent an email to Hillary Clinton campaign manager John Podesta, posing as a Google security warning. The phishing email, which was published by WikiLeaks along with the rest of the email cache, tricked Podesta into clicking a link that took over his account, allowing hackers to steal tens of thousands of private emails.

A properly enforced DMARC policy would have kept the phishing email out of Podesta’s inbox altogether, though DMARC does not protect against every kind of highly sophisticated cyberattack. The breach was bruising for the Democrats, one that led to high-profile resignations and harmed public perceptions of the Clinton presidential campaign — one she ultimately lost.

“It’s perplexing that the campaigns are not aggressively jumping on this issue,” said Najarian.

Startups face the same phishing risks as big corporations

This week, we reported on TechCrunch how thousands of remote employees with health and workplace benefits through human resources giant TriNet received emails that looked like a near-perfect phishing attempt.

One recipient was so skeptical, they shared the email with TechCrunch so we could verify its authenticity. The message checked every suspicious box. In fact, when we asked two independent security researchers to offer their assessments, each one thought it was a phishing email devised to steal usernames and passwords.

The fact that there was confusion to begin with shows that even gigantic companies like TriNet — a $3.7 billion corporation — are not doing enough to prevent phishing attacks. Had they proactively employed basic email security techniques, it would have been a lot easier to detect that the email was not in fact a phish, but a genuine company email.

But this problem isn’t unique to TriNet; it’s not even unique to big companies.

Last year, security firm Agari found only 14% of all Fortune 500 companies were using DMARC, a domain security feature that prevents email spoofing, and actively enforcing it. New data supplied by Agari to TechCrunch shows that figure has risen only one percentage point in the last year, bringing it to a meager 15%.

Phishing and impersonation are fundamentally human problems. The aim is to try to trick unsuspecting victims into turning over their usernames, email addresses and passwords to hackers who then log in and steal data or money. In some cases, scammers use an email impersonation scam to trick employees into thinking someone senior in the company needs certain sensitive files like banking information or employee tax documents.

Nearly all 2020 presidential candidates aren’t using a basic email security feature

Three years after Russian hackers targeted and breached the email accounts of Hillary Clinton’s presidential campaign, nearly all of the upcoming 2020 presidential candidates are still lagging in email security.

New data out by Agari confirms just one presidential hopeful — Democratic candidate Elizabeth Warren — uses domain-based message authentication, reporting, and conformance policy, or DMARC. This email security feature sits on top of two existing security protocols, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), which verify a sender’s email (DKIM does so cryptographically), and can mark emails as spam or reject them altogether if an email can’t be properly validated.

Agari, which has a commercial stake in the email security space, said the remaining 11 candidates it checked — including Bernie Sanders, Joe Biden, and presidential incumbent Donald Trump — do not use DMARC on their campaign domains.

The company warned that the candidates risk their campaigns being impersonated in spam campaigns and phishing attacks.

“DMARC is more important than ever because if it had been implemented with the correct policy on the domain used to spearphish John Podesta, then he would have never received the targeted email attack from Russian operatives,” said Agari’s Armen Najarian.

On the bright side, the wider Fortune 500 has seen a slight rise in DMARC adoption since the start of the year. Although most of the companies use DMARC, Agari said only 16 percent of the world’s 500 richest companies reject or quarantine unvalidated email — up from two years ago when just eight percent of the Fortune 500 were using DMARC.

In recent years, the U.S. government has spearheaded an effort to get DMARC rolled out across federal domains following pressure from Congress. Sen. Ron Wyden once called the rollout of DMARC “a no-brainer that increases cybersecurity without sacrificing liberty.”

Following the deadline set by Homeland Security last October, more than 80 percent of the government was using the security feature.

Only half of the Fortune 500 use DMARC for email security

When Homeland Security told all federal government departments last year to roll out a new email security policy to cut down on incoming spam and phishing emails, three-quarters of all federal domains were compliant by the time of their deadline just a few weeks ago.

That’s far more than what the Fortune 500 accomplished in the same period.

New data from Agari shows that just half of the Fortune 500 have deployed DMARC — or domain-based message authentication, reporting, and conformance policy. Email systems use DMARC policies to verify the identity of an email sender, ensuring that it’s not impersonating another domain. Depending on the DMARC settings, an email system can either monitor, quarantine or entirely reject spoofed emails, helping to cut down on the number of phishing emails that land in your corporate inbox.

The data shows 51 percent of the Fortune 500 — the world’s wealthiest companies — are now using DMARC. That’s an improvement from about one-third a year ago, but it still trails behind the federal government’s DMARC adoption.

But only 13 percent of those companies are employing a quarantine or reject policy — which actively intercepts spoofed emails and marks them as spam or bounces them from a user’s inbox altogether.
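The distinction the article draws, between a domain that merely publishes a DMARC record (monitor-only, `p=none`) and one that enforces a quarantine or reject policy, can be checked mechanically. The following is an added example, not code from the article or from Agari: it parses DMARC TXT records in the tag/value format defined by RFC 7489 and classifies each domain the way the article's statistics do. The domain names and records are constructed samples; a real check would query the `_dmarc.<domain>` TXT record in DNS.

```python
# Added example: classify domains by DMARC posture from their TXT records.
# Records are constructed samples, not real DNS lookups.
from typing import Dict, Optional

ENFORCING_POLICIES = {"quarantine", "reject"}


def parse_dmarc(record: Optional[str]) -> Dict[str, str]:
    """Parse a 'v=DMARC1; tag=value; ...' record into a dict of tags.

    Returns {} when there is no record or it is not a DMARC record
    (e.g. an SPF record published at the wrong name).
    """
    if not record:
        return {}
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:  # skip empty segments and malformed 'tagvalue' pieces
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def classify(record: Optional[str]) -> str:
    """Map a record to: 'no record', 'monitor only', 'partially enforcing', 'enforcing'."""
    tags = parse_dmarc(record)
    if not tags:
        return "no record"
    # RFC 7489 requires 'p'; a record without it is treated here as monitor-only.
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))  # fraction of mail the policy applies to
    except ValueError:
        pct = 100
    if policy in ENFORCING_POLICIES:
        return "enforcing" if pct >= 100 else "partially enforcing"
    return "monitor only"


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per posture, the shape of the article's 'X percent enforce' figures."""
    counts: Dict[str, int] = {}
    for rec in records.values():
        label = classify(rec)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample records (hypothetical domains):
SAMPLES: Dict[str, Optional[str]] = {
    "campaign-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@campaign-a.example",
    "campaign-b.example": "v=DMARC1; p=none; rua=mailto:reports@campaign-b.example",
    "campaign-c.example": None,                       # no _dmarc TXT record at all
    "campaign-d.example": "v=DMARC1; p=quarantine; pct=50",
}
```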

According to Agari’s breakdown: Aetna, American Express, Bank of America, Capital One, Facebook, FedEx, Microsoft, Netflix, PayPal, UPS and Wells Fargo ranked among the companies with the strongest DMARC policy.

Boeing, CBS, Discovery, Exxon Mobil, Frontier, JetBlue, NetApp, Time Warner Cable (Spectrum), Prudential, Viacom and Xerox are some of the worst contenders with no record whatsoever.

Agari, which has a commercial stake in the email security business, said that having a well-configured DMARC policy “cannot be overstated.”

Scammers often use spoofed emails to try to trick companies into sending back sensitive taxpayer information or other corporate secrets. Known as the “W-2 phishing scam,” legitimate-looking emails try to obtain W-2 tax forms of employees so that the scammers can file fraudulent forms during tax season in order to obtain hefty refunds. The FBI says these scams cost businesses $12 billion a year.

But DMARC is meant to weed out the bulk of those spoofed emails. According to Agari, one of its customers — a global e-commerce firm — was getting millions of impersonated emails per day, spoofing the company’s “from” domain to make it look like the real deal. After the company implemented its new DMARC policy to reject spoofed emails, the number went down by 99 percent.

“The damage from these attacks has ballooned into billions of dollars annually—however the real cost is the erosion of trust in digital business,” said Agari’s Armen Najarian.

CIA, NSA and the Pentagon still aren’t using a basic email security feature

Some of the most sensitive U.S. government departments and agencies still aren’t using a basic email security feature that would significantly cut down on incoming spam or phishing emails.

Fifteen percent of all U.S. government domains still aren’t employing DMARC, or domain-based message authentication, reporting, and conformance policy, on their domains, which email systems use to verify that the sender of an email is not an impersonator.

New data from security firm Agari shows that out of over a thousand federal domains, 75 percent have a DMARC policy that either monitors, quarantines to your spam folder or entirely rejects all spoofed emails.

But the CIA, the NSA, and the Department of Defense are among the outliers that still haven’t rolled out DMARC across their web domains.

That’s despite Tuesday’s deadline for BOD 18-01, a directive issued by Homeland Security that ordered the rollout of DMARC a year ago, following complaints by a leading Democratic senator.

BOD 18-01 aimed to improve email and cybersecurity across the federal government by introducing email encryption (STARTTLS) and doubling down on use of HTTPS certificates across the government. By cranking up the DMARC settings to their safest, outright rejecting unverified email, government departments would comply with the directive by bouncing any unauthenticated email from user inboxes.

That may not sound too important, but it means that a sizable portion of the federal government — and intelligence agencies — aren’t protected against an easy class of impersonated emails.

According to Agari’s breakdown:

  • CIA has 9 out of 10 domains without a DMARC record;
  • Neither of the NSA’s two domains have DMARC records;
  • The White House’s Executive Office of the President has half of its domains lacking a DMARC record;
  • The Director of National Intelligence, which co-ordinates the entire U.S. intelligence apparatus, also has all 17 domains without a DMARC record;
  • Defense Dept. has 32 out of 35 domains without a DMARC record;
  • And even Homeland Security, which instituted the policy, has 3 out of 33 domains without a DMARC record.

And those are the worst contenders. Only a handful of departments are fully compliant.

Proofpoint, which issued similar research Monday with approximately the same data, said that it estimates about 60 percent of the federal government is fully compliant with the directive.

The government isn’t the only outlier. Only one-third of the Fortune 500 are said to use DMARC on their domains.

Valimail raises $25M in additional funding for its email authentication service

Valimail helps businesses ensure that nobody can impersonate them over email. That’s not a sexy business to be in, but very much a necessary one. The company’s email authentication service, which uses standards like SPF, DKIM and DMARC, is currently in use by the likes of Yelp, Uber, Fannie Mae and WeWork. Today, the company announced that it has raised a $25 million Series B round led by Tenaya Capital, with participation from Shasta Ventures, Flybridge Capital Partners and Bloomberg Beta.

This round brings Valimail’s total amount of funding to $38.5 million, including the company’s $12 million Series A round in 2016.

“Authentication is at the root of trusted communications,” Valimail CEO and co-founder Alexander Garcia-Tobar told me. “You must be able to trust the authenticity of who/what is on the other side, or the communication is meaningless. For example, no retailer would ever accept a credit card without swiping it first (either physically or virtually). What happens in the credit card world needs to happen for communications.”

The funding round is coming at an important time for email authentication. The DMARC standard is now supported by over 5 billion inboxes, according to Valimail. Over the course of the last six months, domain owners have also published more DMARC records than in the five previous years combined. In addition, all federal agencies must implement this standard, too.

Valimail promises to take care of all the hassles of setting up support for these authentication standards.

“After attempting email authentication with other solutions, I was amazed at the level of automation Valimail provides,” said JJ Agha, VP of information security at WeWork. “It eliminates the need for two FTEs, so my staff can focus on other key priorities. I consider it a ‘set it and forget it’ solution for ensuring that our employees and executives can’t be impersonated and that our email is trusted.”