Jan 24, 2019 - Technology

News outlets' email security gap


Illustration: Aïda Amer/Axios

An Axios study shows that very few news organizations — around 6% of a broad sample — successfully use a critical technology that guarantees emails they send are authentic.

The big picture: We've written before about the Department of Homeland Security's struggle to get federal agencies and the White House to implement DMARC, a security protocol that prevents someone from successfully sending an email using someone else's email address. It's only fair to turn that lens on our own industry.

Why it matters: As the news industry increases its reliance on email alerts and newsletters (represent!), our credibility makes us a target for spammers, scammers and purveyors of disinformation or fraud.

  • Imagine a news alert that appears to come from a business publication claiming a company was going bankrupt.
  • Or consider a newsletter on Election Day claiming a candidate had suddenly changed position on a key issue.

Details: Axios used a tool designed by email security company Valimail to check the DMARC status of 199 different news sites — including overlapping lists of the Alexa top 100 news providers, news outlets serving cities of 100,000 or more, and prominent online news sources.

  • Only 12 use DMARC in a way that would prevent fake email from getting to its target.
  • Of the 98 local news sites, only 1 had fully operational DMARC.
  • The list of sites not protected by DMARC includes influential news sources, from the New York Times and USA Today to Fox and NBC networks to Voice of America and major international outlets.
  • Axios is on that list, too.

We ran the tests twice, first last weekend and again Wednesday night, contacting the outlets named in this story after the first test. No one but Axios responded.

  • Axios's response, via Megan Swiatkowski, associate director of communications: "Axios has recently implemented DMARC and is working to finish configuration and testing to begin enforcement. ... Making sure that readers safely and reliably receive Axios newsletters is a top priority."

Fake news is a major concern: "If you want to spread misinformation and fake news, we know that one tool Russians and others have used is to host a fake website," said Dylan Tweney, VP of communications at Valimail. "It seems like the next logical step would be to send out a fake newsletter."

  • Ben Nimmo, senior fellow for information defense at the Atlantic Council's Digital Forensic Research Lab, agreed. "We’ve seen a few times propagandists have learned from hackers," he said. "Faking email news would entirely fit the pattern of what we’ve seen."

But disinformation isn't the only issue. Phil Reitinger, president and CEO of the Global Cyber Alliance, a security advocacy group, noted, "Media could be very useful as an infection vector for malware."

The intrigue: There didn't appear to be a relation between whether a site used DMARC and how sensitive its content was. One outlet that implemented DMARC solely provides weather updates, while several of the sites providing investment newsletters did not.

DMARC lets inboxes verify that an email was actually sent by the email server it claims to come from. If the email is fake, the policy published for the sending domain can direct the inbox to deliver the email straight to the trash, to a spam folder or to the inbox anyway.

  • More than half of the sites we tested had no form of DMARC whatsoever.
  • In our study, we considered any site that didn't correctly configure DMARC to prevent 100% of fake emails from reaching recipients' inboxes as failing our test.
  • Sites that have DMARC but haven't set it to screen emails are often still testing it out, trying to ensure that all legitimate emails are successfully delivered.
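
The pass/fail rule described above can be written as a short check on a domain's published DMARC record. This is an added example, not Axios's or Valimail's tool; it assumes "fully operational" means a `quarantine` or `reject` policy applied to 100% of mail, and the records and `.example` domains are constructed.

```python
# Added example: classify a DMARC TXT record the way the study's rule is described.
# Tag names (v, p, pct, rua) are the standard DMARC record tags.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    # The version tag must come first and must be exactly DMARC1.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        return None
    return tags

def classify(txt):
    """Return 'missing', 'invalid', 'monitoring', 'partial' or 'enforced'."""
    if not txt:
        return "missing"                  # no form of DMARC whatsoever
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    if policy == "none":
        return "monitoring"               # still testing: fakes reach the inbox anyway
    return "enforced" if pct == 100 else "partial"

def passes_study_test(txt):
    """Assumed reading of the study's rule: only full enforcement passes."""
    return classify(txt) == "enforced"

# Constructed sample records (not real outlets).
SAMPLES = {
    "no-record.example": None,
    "testing.example": "v=DMARC1; p=none; rua=mailto:dmarc@testing.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "spam-folder.example": "v=DMARC1; p=quarantine",
    "reject.example": "v=DMARC1; p=reject; pct=100",
    "not-dmarc.example": "v=spf1 -all",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(f"{domain:22} {classify(record):11} pass={passes_study_test(record)}")
```
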