A pair of email security firms are taking opposing positions on whether the 2020 presidential candidates are using secure email systems within their campaigns, even though many of the candidates are using DMARC.
Valimail and Agari have each issued report cards to show whether the Democratic Party hopefuls learned a lesson from the hacking woes that plagued Hillary Clinton in 2016 and have implemented DMARC to protect their campaign email accounts.
And as with everything else in politics, the two sides disagree.
Valimail found that eight out of 16 campaign domains are using DMARC and three of those campaigns - for former Vice President Joe Biden, Sen. Elizabeth Warren, D-Mass., and Rep. Tulsi Gabbard, D-Hawaii - have adopted DMARC at the enforcement level.
However, Agari said only one of 11 candidates - Warren - has fully implemented DMARC and has a high level of security, although Biden, Cory Booker, D-N.J., and former Colorado Governor (D) John Hickenlooper all had a lower level of DMARC instituted.
Armen Najarian, Agari's CMO, said the difference lies in how each firm defines being protected by DMARC. "Elizabethwarren.com is the only domain that has reached the DMARC reject security level, as of today," Najarian told SC Media, adding Biden and several of the other candidates have implemented DMARC with a “None” or “Quarantine” policy, which is not considered real protection.
Seth Blank, Valimail's Director of Industry Initiatives and secretary of the IETF group overseeing the DMARC standard, disagreed, saying quarantine is just as secure and noting:
"The email industry is in agreement that both “quarantine” and “reject” settings are considered real protection. With either quarantine or reject, no suspicious messages make it to a user’s inbox, period. People look at their spam folder very rarely, and when they do, they tend to be suspicious of what’s in there. But to say that quarantine is “not secure” is not correct."
Contending that “little has changed since 2016,” Agari founder Patrick Peterson wrote in a blog post that “campaigns continue to struggle with email security, primarily because very few candidates have dedicated staff or resources to implement the defenses this mission-critical communications channel requires.”
More than “90 percent of all presidential contenders rely on the security controls built into their email platforms—almost exclusively Gmail and Microsoft Office 365,” he said.
Blank countered, saying Microsoft Office 365 makes no distinction between “reject” and “quarantine” policies.
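
The disagreement above comes down to which published DMARC policy counts as protection. The following added example (not from the article or either firm) parses DMARC TXT records and scores each one under both definitions. The records are constructed for reserved example domains, and treating a pct value below 100 as not fully enforced is this example's own assumption.

```python
POLICIES = ("none", "quarantine", "reject")

# Constructed records for reserved example domains, not real campaign DNS data.
SAMPLE_RECORDS = {
    "a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@a.example",
    "b.example": "v=DMARC1; p=quarantine; pct=100",
    "c.example": "v=DMARC1; p=none; rua=mailto:dmarc@c.example",
    "d.example": "v=DMARC1; p=reject; pct=25",
    "e.example": "v=spf1 include:_spf.e.example ~all",  # SPF record, not DMARC
    "f.example": None,  # nothing published at _dmarc.f.example
}

def parse_dmarc(txt):
    """Return {'p': policy, 'pct': percent} for a DMARC TXT record, else None."""
    parts = [p.strip().partition("=") for p in txt.split(";") if p.strip()]
    tags = [(k.strip().lower(), v.strip()) for k, sep, v in parts if sep]
    # RFC 7489: v=DMARC1 must be the first tag or the record is ignored.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    fields = dict(tags)
    policy = fields.get("p", "").lower()
    if policy not in POLICIES:
        return None  # simplification: missing or unknown p= is treated as no policy
    pct = fields.get("pct", "100")
    # An invalid pct falls back to the default of 100.
    pct = int(pct) if pct.isdecimal() and int(pct) <= 100 else 100
    return {"p": policy, "pct": pct}

def scorecard(record):
    """Return (broad, strict): broad accepts quarantine or reject, strict only reject."""
    # Assumption of this example: pct below 100 is not full enforcement.
    full = record["pct"] == 100
    return (full and record["p"] in ("quarantine", "reject"),
            full and record["p"] == "reject")

def tally(records):
    """Count domains that publish DMARC and that pass each definition."""
    counts = {"published": 0, "broad": 0, "strict": 0}
    for txt in records.values():
        parsed = parse_dmarc(txt) if txt else None
        if parsed:
            broad, strict = scorecard(parsed)
            counts["published"] += 1
            counts["broad"] += int(broad)
            counts["strict"] += int(strict)
    return counts
```

On the constructed sample, four domains publish DMARC, two pass the broader definition and one passes the reject-only definition, which is the same kind of gap the two report cards show.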