Illustration: Aïda Amer/Axios

An Axios study shows that very few news organizations — around 6% of a broad sample — successfully use a critical technology that guarantees emails they send are authentic.

The big picture: We've written before about the Department of Homeland Security's struggle to get federal agencies and the White House to implement DMARC, a security protocol that prevents someone from successfully sending an email using someone else's email address. It's only fair to turn that lens on our own industry.

Why it matters: As the news industry increases its reliance on email alerts and newsletters (represent!), our credibility makes us a target for spammers, scammers and purveyors of disinformation or fraud.

  • Imagine a news alert that appears to come from a business publication claiming a company was going bankrupt.
  • Or consider a newsletter on Election Day claiming a candidate had suddenly changed position on a key issue.

Details: Axios used a tool designed by email security company Valimail to check the DMARC status of 199 different news sites — including overlapping lists of the Alexa top 100 news providers, news outlets serving cities of 100,000 or more, and prominent online news sources.

  • Only 12 use DMARC in a way that would prevent fake email from getting to its target.
  • Of the 98 local news sites, only 1 had fully operational DMARC.
  • The list of sites not protected by DMARC includes influential news sources, from the New York Times and USA Today to Fox and NBC networks to Voice of America and major international outlets.
  • Axios is on that list, too.

We ran the tests twice, first last weekend and again Wednesday night, contacting the outlets named in this story after the first test. No one but Axios responded.

  • Axios's response, via Megan Swiatkowski, associate director of communications: "Axios has recently implemented DMARC and is working to finish configuration and testing to begin enforcement. ... Making sure that readers safely and reliably receive Axios newsletters is a top priority."

Fake news is a major concern: "If you want to spread misinformation and fake news, we know that one tool Russians and others have used is to host a fake website," said Dylan Tweney, VP of communications at Valimail. "It seems like the next logical step would be to send out a fake newsletter. "

  • Ben Nimmo, senior fellow for information defense at the Atlantic Council's Digital Forensic Research Lab, agreed. "We’ve seen a few times propagandists have learned from hackers," he said. "Faking email news would entirely fit the pattern of what we’ve seen."

But disinformation isn't the only issue. Phil Reitinger, president and CEO of the Global Cyber Alliance, a security advocacy group, noted, "Media could be very useful as an infection vector for malware."

The intrigue: There didn't appear to be a relation between whether a site used DMARC and how sensitive its content was. One outlet that implemented DMARC solely provides weather updates, while several of the sites providing investment newsletters did not.

DMARC lets inboxes verify that an email was actually sent by the email server it claims to come from. If the email is fake, the server can direct the inbox to deliver the email straight to the trash, to a spam folder or to the inbox anyway.

  • More than half of the sites we tested had no form of DMARC whatsoever.
  • In our study, we considered any site that didn't correctly configure DMARC to prevent 100% of fake emails from reaching recipients' inboxes as failing our test.
  • Sites that have DMARC but haven't set it to screen emails are often still testing it out, trying to ensure that all legitimate emails are successfully delivered.

Go deeper

A big hiring pledge from New York CEOs

Illustration: Rebecca Zisser/Axios

Leaders of more than two dozen of the New York City area's largest employers — including JPMorgan Chase, Ernst & Young, IBM, McKinsey & Company and Accenture — aim to hire 100,000 low-income residents and people of color by 2030 and will help prep them for tech jobs.

Why it matters: As the city's economy has boomed, many New Yorkers have been left behind — particularly during the pandemic. The hiring initiative marks an unusual pact among firms, some of them competitors, to address systemic unemployment.

Updated 28 mins ago - Politics & Policy

Coronavirus dashboard

Illustration: Annelise Capossela/Axios

  1. Global: Total confirmed cases as of 9:30 p.m. ET: 20,004,254 — Total deaths: 733,929 — Total recoveries — 12,209,226Map.
  2. U.S.: Total confirmed cases as of 9:30 p.m. ET: 5,088,516 — Total deaths: 163,400 — Total recoveries: 1,670,755 — Total tests: 62,513,174Map.
  3. Politics: Trump claims he would have not called for Obama to resign over 160,000 virus deathsHouse will not hold votes until Sept. 14 unless stimulus deal is reached.
  4. Business: Richer Americans are more comfortable eating out.
  5. Public health: 5 states set single-day coronavirus case records last week — A dual coronavirus and flu threat is set to deliver a winter from hell.
  6. Sports: The cost of kids losing gym class — College football is on the brink.
  7. World: Europe's CDC recommends new restrictions amid "true resurgence in cases."

AOC to speak at Dem convention

Rep. Alexandria Ocasio-Cortez during an April a press conference in Queens, New York City. Photo: Scott Heins/Getty Images)

Rep. Alexandria Ocasio-Cortez will speak at the Democratic convention next week ahead of Sen. Bernie Sanders' appearance on the Tuesday night, CNN first reported and Axios has confirmed

Why it matters: Her involvement is a strategic decision to energize young progressives without tying former Vice President Joe Biden too closely or directly with her agenda.