July 25, 2016

Donald J. Trump has repeatedly bashed Sen. Hillary Clinton for handling classified documents on her private email server, suggesting that anyone who is so lax with email security isn’t fit to become president. But a closer look at the Web sites for each candidate shows that in contrast to hillaryclinton.com, donaldjtrump.com has failed to take full advantage of a free and open email security technology designed to stymie email spoofing and phishing attacks.

At issue is a fairly technical specification called DMARC (published as RFC 7489). Short for “Domain-based Message Authentication, Reporting and Conformance,” DMARC tries to solve a problem that has plagued email since its inception: It’s surprisingly difficult for email providers and end users alike to tell whether a given email is real – i.e. that it really was sent by the person or organization identified in the “from:” portion of the missive.

DMARC may not yet be widely deployed beyond the major email providers, but that’s about to change. Google announced late last year that it will soon move gmail.com to a policy of rejecting any messages that don’t pass the authentication checks spelled out in the DMARC specification. And others are already moving in the same direction.

Probably the easiest way to understand DMARC is to walk through a single site’s records. According to the DMARC compliance lookup tool at dmarcian.com — a DMARC awareness, training and support site — hillaryclinton.com has fully implemented DMARC. This means that the campaign has posted a public policy that enables email providers like Google, Microsoft and Yahoo to quickly determine whether a message claiming to have been sent from hillaryclinton.com was actually sent from that domain.

Specifically, (and this is where things can quickly descend into a Geek Factor 5 realm of nerdiness) DMARC sits on top of two existing technologies that try to make email easy to identify: Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM).

SPF is basically a list, published in the domain’s DNS, of Internet addresses and domains which are authorized to send email on behalf of hillaryclinton.com (in case anyone’s interested, here’s a copy of the SPF record for hillaryclinton.com). DKIM allows email receivers to verify that a piece of email originated from an Internet domain through the use of public key cryptography: the sending server signs the message headers and body with a private key, and receivers check that signature against a public key the domain publishes in DNS. Deploying both technologies gives email receivers two ways to figure out if a piece of email is legitimate.

The DMARC record for Clinton’s site includes the text string “p=quarantine.” The “p” bit stands for policy, and “quarantine” means the Web site’s administrators have instructed email providers to quarantine any message that fails both checks: one sent from an address or domain not on the SPF list that also lacks a valid DKIM signature for the domain shown in the “from:” header. (DMARC also requires that the domain which passes SPF or DKIM line up with the “from:” domain, so a third-party mailer passing SPF for its own domain does not count.) Quarantining effectively consigns such messages to the intended recipient’s “spam” or “junk” folder. The other blocking option is “p=reject,” which tells email providers to outright drop or reject any mail that fails in the same way, rather than filing it as spam.

Turning Dmarcian.com’s tool against donaldjtrump.com, we can see that although the site is thinking about turning on DMARC, it hasn’t actually done so yet. The site’s DMARC record is set to the third option — “p=none” — which means the site administrators haven’t yet asked email providers to block or quarantine any messages that fail the SPF and DKIM checks. Rather, the site merely asks email providers to send reports to the address listed in the record (the “rua” tag), “postmaster@donaldjtrump.com,” about the source of any email messages claiming to have been sent by that domain.
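To make the three policies concrete, here is a small evaluator written for this post (it is an added example, not dmarcian’s tool or either campaign’s actual records). It parses a DMARC TXT record and decides what a receiver should do with a message given its SPF and DKIM results, including the alignment rule that both checks must be for the domain in the “from:” header. The records and messages are constructed; the “organizational domain” helper is simplified to the last two labels, where a real receiver consults the Public Suffix List.

```python
"""Parse a DMARC record and compute a message's disposition.

Added illustration for this post. Records and messages are constructed;
they are not the real records of any domain mentioned in the article.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed records modelled on the three policies discussed above.
RECORDS = {
    "quarantine.example": "v=DMARC1; p=quarantine; rua=mailto:dmarc@quarantine.example",
    "reject.example": "v=DMARC1; p=reject; adkim=s; aspf=s; pct=100",
    "none.example": "v=DMARC1; p=none; rua=mailto:postmaster@none.example",
}


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=...; ...' into a dict of tags.

    Raises ValueError if the text is not a DMARC1 record or lacks the
    required p= tag. Alignment modes default to relaxed ('r') per the spec.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record missing required p= tag")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")  # sampling; applied by receivers, ignored here
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (no Public Suffix List)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts subdomains."""
    if auth_domain is None:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    from_domain: str              # domain in the visible "from:" header
    spf_pass: bool                # SPF result for the envelope sender
    spf_domain: Optional[str]     # domain SPF was evaluated against
    dkim_pass: bool               # a DKIM signature verified
    dkim_domain: Optional[str]    # d= of that verified signature


def dmarc_disposition(record: str, r: AuthResults) -> str:
    """Return 'pass', or the record's policy ('none', 'quarantine', 'reject').

    A message passes if either SPF or DKIM passes *and* the passing domain
    aligns with the from: domain. With p=none a failing message is still
    delivered; the failure only shows up in the reports sent to the rua address.
    """
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


if __name__ == "__main__":
    # A bulk mailer that passes SPF for its own domain but not the campaign's:
    forged = AuthResults("quarantine.example", True, "bulk-sender.example", False, None)
    print(dmarc_disposition(RECORDS["quarantine.example"], forged))
```

The case to notice is the last one in the script: a message that passes SPF for some other sender’s domain still fails DMARC, because the passing domain is not the one the recipient sees. That is exactly the gap a bare SPF check leaves open and that alignment closes.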

Dmarcian founder Tim Draegen said this “p=none” setting of DMARC is a data collection feature designed to give organizations a better idea of their total email footprint before setting strict DMARC “reject” or “quarantine” rules.

Why on earth would any organization not know where its email was coming from? As this video at Dmarcian notes, one reason is that anti-spam and anti-malware filters at major email providers have essentially spawned an entire email deliverability industry that exists solely to help organizations keep their emails flowing into inboxes worldwide. As a result, many companies rely on an array of third-party providers to send messages on their behalf, yet those business relationships may not be immediately evident to the geeks in charge of setting up DMARC rules for the organization.

“DMARC was designed so that it says, ‘All you email providers….give me feedback on how you’re seeing email from us being received,’” Draegen said. “Based on that feedback, the organization can then go back and identify and specify their legitimate sources of email, and then tell the email providers, ‘Hey, if you get a piece of email not covered by these sources, reject or quarantine it.’”

As for why more organizations haven’t deployed DMARC already, Draegen said larger entities often have multiple divisions (think marketing and sales teams) that may develop their own methods of getting their email messages out. Trouble is, those divisions don’t always do a great job at informing the tech folks of what they’re up to.

The “p=none” option thus gives organizations an easy and free way to tell email providers to report any and all mail claiming to be sent by the domain in question. Armed with that information, the organization can then set strict, global policies about which emails to reject or quarantine going forward.
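What that reporting actually yields is an XML aggregate report from each receiving provider, listing every source IP that sent mail claiming the domain, how much, and whether it authenticated. The following is an added example (not dmarcian’s or Valimail’s code) that boils such a report down to the question a domain owner running “p=none” needs answered: which senders are passing, and which are not. The report is constructed to match the RFC 7489 aggregate-report layout; it is not a real report for any domain.

```python
"""Summarise a DMARC aggregate (rua) report.

Added illustration for this post. The report below is constructed to match
the RFC 7489 aggregate-report schema and describes no real domain.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>campaign.example</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <!-- the campaign's own mail server: SPF and DKIM both pass and align -->
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>campaign.example</header_from></identifiers>
    <auth_results><dkim><domain>campaign.example</domain><result>pass</result></dkim>
      <spf><domain>campaign.example</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- a third-party mailer: SPF passes for its own domain, so DMARC fails -->
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>campaign.example</header_from></identifiers>
    <auth_results><spf><domain>bulk-sender.example</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- an unknown host sending as the domain: nothing passes -->
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>25</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>campaign.example</header_from></identifiers>
    <auth_results><spf><domain>203-0-113-99.dialup.example</domain><result>none</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize(report_xml: str):
    """Return (domain, published policy, per-IP totals).

    Each per-IP entry carries the message count, how many of those passed
    DMARC (aligned SPF or DKIM as judged by the receiver), and the domains
    the receiver evaluated SPF against, which is what identifies a third party.
    """
    root = ET.fromstring(report_xml)
    domain = root.findtext("policy_published/domain")
    policy = root.findtext("policy_published/p")
    totals = defaultdict(lambda: {"count": 0, "passing": 0, "spf_domains": set()})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        entry = totals[ip]
        entry["count"] += count
        if dkim == "pass" or spf == "pass":
            entry["passing"] += count
        for d in rec.findall("auth_results/spf/domain"):
            entry["spf_domains"].add(d.text)
    return domain, policy, dict(totals)


def unauthenticated_sources(report_xml: str):
    """IPs that sent as the domain but never passed an aligned check.

    Each is either a legitimate sender still missing from SPF/DKIM or a
    spoofer. Under p=none both get delivered, so this is the list to work
    through before switching to quarantine or reject.
    """
    _, _, totals = summarize(report_xml)
    return sorted(ip for ip, e in totals.items() if e["passing"] == 0)


if __name__ == "__main__":
    domain, policy, totals = summarize(SAMPLE_REPORT)
    print(f"{domain} (p={policy})")
    for ip, e in totals.items():
        print(f"  {ip:16} {e['count']:5} msgs, {e['passing']:5} passing, spf for {sorted(e['spf_domains'])}")
    print("needs attention:", unauthenticated_sources(SAMPLE_REPORT))
```

In the constructed report the interesting row is the second one: 340 messages from a bulk mailer whose SPF passes for its own domain. That is the “third-party provider the geeks didn’t know about” case. The fix is to have that provider sign with DKIM using the campaign’s domain, or to add it to the campaign’s SPF record, before tightening the policy; the third row, by contrast, is what “p=quarantine” or “p=reject” is meant to stop.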

“It really depends on the size of the infrastructure or complexity of the company,” Draegen said. “The tech part of DMARC is pretty easy, but what we tend to see in large companies is that there’s a domain that has traditionally been shared by everyone at the organization, and it often involves a lot of hard work to find all the legitimate sources of email for the organization.”

Alexander Garcia-Tobar, CEO and co-founder of email security firm Valimail, agreed.

“The answer is that it’s extremely tricky to get right,” he said, of identifying all of a company’s legitimate email sending activity. “Most organizations are a lot more concerned about blocking good stuff going out, until they get phished.”

So how long does it take for organizations to gather enough information with DMARC’s “p=none” option in order to build an effective (yet not overly restrictive) “quarantine” or “reject” policy? For larger organizations, this can often amount to a long, laborious process, Draegen said. For smaller outfits — such as presidential campaigns — it shouldn’t take long to gather enough data with DMARC’s “p=none” option to fashion targeted rules that block phishing and spoofing attacks without endangering legitimate outgoing emails.

I asked Draegen whether he thought the Trump Campaign was somehow derelict in not fully adopting DMARC, given the candidate’s statements about how anyone who’s lax with email security doesn’t deserve to be the next Commander-in-Chief of the United States. Draegen admitted he “can’t stomach” Trump, and that he found Clinton’s email scandal likewise nauseating given a lifetime of experience as an email administrator and the challenges involved in protecting a private email server from determined cyber adversaries.

But Draegen said DMARC compliance is one of the easiest and cheapest ways that any organization can use to better protect itself and its customers from email-based phishing and malware attacks.

“If you’re going to invest in click-tracking technologies or enterprise security products of any flavor and you haven’t yet done DMARC, you’re wasting your time,” Draegen said, noting that enabling DMARC can often help organizations increase delivery rates by as much as five or ten percent. And for campaigns that aren’t adopting DMARC, that may mean lots of email appeals to voters (and, more importantly, potential donors) go undelivered.

“Get the easy, free tech stuff done first because you’re going to get a lot of bang for your buck by deploying DMARC,” he said. “And if you’re a presidential candidate, someone at your campaign should recognize that the first thing you do is enable DMARC.”

Incidentally, given the breaking news today about Russian hackers reportedly hacking into networks at the Democratic National Committee (DNC) — allegedly to make Mr. Trump a more sympathetic candidate — it’s worth noting that while hillaryclinton.com takes full advantage of DMARC, the same cannot be said of the Web sites for the DNC (dnc.org/democrats.org) or the Republican National Committee (gop.com/rnc.org).

Further reading: dmarc.org.

86 thoughts on “Trump, DNC, RNC Flunk Email Security Test”

  1. Bavkar Vaibhav

    Thanks for sharing a good piece of information. It is a very informative blog. To mention, I am working in the information security firm ANA Cyber Forensic Pvt. Ltd. (anacyber.com). We will surely consider your recommendations in the article. This blog will be very helpful.
    Thank you.

  2. Donald Trump

    Brian, your second paragraph incorrectly begins with the word “At”, instead of (presumably) “That”. Who’s looking silly now?

    1. BrianKrebs Post author

      I guess you don’t do much reading, especially in newspapers. “At issue” is a common term used to describe the thing up for debate, that’s undecided.

      Let me google that for you: http://bfy.tw/79L2

  3. KevC

    With respect Brian, isn’t DMARC just one of the newer tools in the cat and mouse game against SPAM? It doesn’t guarantee that an email came from the real ceo@bigcompany.com, just that it came from a legit bigcompany.com server.

    SMTP is not a reliable nor secure transport for sensitive data. Ever. You could pour 1 billion dollars into the perfect email system only to be thwarted by a recipient who plain-text pops their MTA. Bigcompany.com legit server could be sending SPAM in spades all because a user with a jailbroken iPhone (to install early release of Pokemon Go) has malware and their email credentials are floating around the dark web.

    Another thing I thought was that you’re testing the public facing website domains only. For presidential candidates, I’d expect their security team to at least have suggested using a domain that’s less known out of official circles for sensitive email. That said though, you’re probably right, just don’t take it for granted.

    If you want to authenticate a sender and its content, they should either sign or encrypt it within the SMTP wrapper. We’re going to have to use this method until an acceptable Secure SMTP protocol RFC is submitted.
