Donald J. Trump has repeatedly bashed Sen. Hillary Clinton for handling classified documents on her private email server, suggesting that anyone who is so lax with email security isn’t fit to become president. But a closer look at the Web sites for each candidate shows that in contrast to hillaryclinton.com, donaldjtrump.com has failed to take full advantage of a free and open email security technology designed to stymie email spoofing and phishing attacks.
At issue is a fairly technical proposed standard called DMARC. Short for “domain-based messaging authentication reporting and conformance,” DMARC tries to solve a problem that has plagued email since its inception: It’s surprisingly difficult for email providers and end users alike to tell whether a given email is real – i.e. that it really was sent by the person or organization identified in the “from:” portion of the missive.
DMARC may not yet be widely deployed beyond the major email providers, but that’s about to change. Google announced late last year that it will soon move gmail.com to a policy of rejecting any messages that don’t pass the authentication checks spelled out in the DMARC specification. And others are already moving in the same direction.
Probably the easiest way to understand DMARC is to walk through a single site’s records. According to the DMARC compliance lookup tool at dmarcian.com — a DMARC awareness, training and support site — hillaryclinton.com has fully implemented DMARC. This means that the campaign has posted a public policy that enables email providers like Google, Microsoft and Yahoo to quickly determine whether a message claiming to have been sent from hillaryclinton.com was actually sent from that domain.
Specifically, (and this is where things can quickly descend into a Geek Factor 5 realm of nerdiness) DMARC sits on top of two existing technologies that try to make email easy to identify: Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM).
SPF is basically a list of Internet addresses and domains which are authorized to send email on behalf of hillaryclinton.com (in case anyone’s interested, here’s a copy of the SPF record for hillaryclinton.com). DKIM allows email receivers to verify that a piece of email originated from an Internet domain through the use of public key cryptography. Deploying both technologies gives email receivers two ways to figure out if a piece of email is legitimate.
The DMARC record for Clinton’s site includes the text string “p=quarantine.” The “p” bit stands for policy, and “quarantine” means the Web site’s administrators have instructed email providers to quarantine all messages sent from addresses or domains not on that list and not signed with DKIM – effectively consigning them to the intended recipient’s “spam” or “junk” folder. Another blocking option available is “p=reject,” which tells email providers to outright drop or reject any mail sent from domains or addresses not specified in the organization’s SPF records and lacking any appropriate DKIM signatures.
Turning Dmarcian.com’s tool against donaldjtrump.com, we can see that although the site is thinking about turning on DMARC, it hasn’t actually done so yet. The site’s DMARC records are set to the third option — “p=none” — which means the site administrators haven’t yet asked email providers to block or quarantine any messages that fail to match the site’s SPF records. Rather, the site merely asks email providers to report to “email@example.com” about the source of any email messages claiming to have been sent by that domain. Continue reading →