Aug 27, 2018

State elections emails are easy for hackers to fake

"Vote Here" sign with American flag on a sidewalk near a polling station

Photo: Stephen Maturen/Getty Image

Very few (only 4%) of state elections offices across the 50 states, Washington D.C. and the three U.S. territories use adequate protection to keep hackers from sending email from those offices' official email addresses, according to a new study by the security company Anomali.

Why it matters: Nothing in the basic email protocol guarantees that a sender's address is authentic. To do that, web sites need to add a handful of additional security protocols. That could lead to voter suppression if a dirty tricks-wielding campaign sends emails from the official account saying that polling places have moved, election days changed, or groups of people are no longer registered to vote.

The Anomali study looked at 6 different security protocols: DANE, DKIM, DMARC, DNSSEC, SPF and STARTTLS.

  • DKIM, DMARC and SPF all have different functions to protect recipients from fake or “spoofed” email addresses.
  • DNSSEC, DANE and STARTTLS work together to ensure the message reaches the right recipient without being altered along the way.

The details: If a website fails to have SPF and DMARC in place and configured to prevent it, a bad guy can fake (or "spoof") an email from the site.

  • Properly set up, SPF identifies if a server has permission to send an email from a domain and DMARC tells an email client to either reject emails that fail SPF or mark them as spam.
  • Only 4% of elections sites had both set up in a way to prevent spoofing.
  • DKIM ensures specific emails were in fact sent by the senders listed. Only 10 percent of states use DKIM.
  • None of the security protocols had even 50% adoption accross the states.
Go deeper