Content

Controversy over which DMARC setting will best protect the 2020 presidential campaigns

A pair of email security firms are taking opposing positions on whether or not the 2020 presidential candidates are using secure email systems within their campaigns even though many of the candidates are using DMARC.

Valimail and Agari have each issued report cards to show if the Democratic Party hopefuls learned a learned a lesson from the hacking woes that plagued Hillary Clinton in 2016 and have implemented DMARC to protect their campaign email accounts.

And as with everything else in politics the two sides disagree.

Valimail found that eight out of 16 campaign domains are using DMARC and three of those campaigns - for former Vice President Joe Biden, Sen. Elizabeth Warren, D-Mass., and Rep. Tulsi Gabbard, D-Hawaii - have adopted DMARC at the enforcement level.

However, Agari said only one of 11 candidates - Warren - has fully implemented DMARC and has a high level of security. Although Biden, Cory Booker, D-N.J., and former Colorado Governor (D) John Hickenlooper all had a lower level of DMARC instituted.

Armen Najarian, Agari's CMO, said the difference lies in how each firm defines being protected by DMARC. Elizabethwarren.com is the only domain that has reached the DMARC reject security level, as of today," Najarian told SC Media, adding Biden and several of the other candidates have implemented DMARC with a “None” or “Quarantine” policy, which is not considered real protection.

Seth Blank, Valimail's Director of Industry Initiativesand secretary of the IETF group overseeing the DMARC standard, disagreed saying quarantine is just as secure noting.

"The email industry is in agreement that both “quarantine” and “reject” settings are considered real protection. With either quarantine or reject, no suspicious messages make it to a user’s inbox, period. People look at their spam folder very rarely, and when they do, they tend to be suspicious of what’s in there. But to say that quarantine is “not secure” is not correct."

Contending that “little has changed since 2016,” Agari founder Patrick Peterson wrote in a blog post that “campaigns continue to struggle with email security, primarily because very few candidates have dedicated staff or resources to implement the defenses this mission-critical communications channel requires.”

More than “90 percent of all presidential contenders rely on the security controls built into their email platforms—almost exclusively Gmail and Microsoft Office 365,” he said.

Blank countered saying Microsoft Office 365 — makes no distinction between “reject” and “quarantine” policies.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.