Nearly all 2020 presidential candidates aren’t using a basic email security feature

Three years after Russian hackers targeted and breached the email accounts of Hillary Clinton’s presidential campaign, nearly all of the upcoming 2020 presidential candidates are still lagging in email security.

New data out by Agari confirms just one presidential hopeful — Democratic candidate Elizabeth Warren — uses domain-based message authentication, reporting, and conformance policy — or DMARC. This email security feature sits on top of two existing security protocols, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), which cryptographically verifies a sender’s email, and can mark emails as spam or reject them altogether if an email can’t be properly validated.

Agari, which has a commercial stake in the email security space, said the remaining 11 candidates it checked — including Bernie Sanders, Joe Biden, and presidential incumbent Donald Trump — do not use DMARC on their campaign domains.

The company warned that the candidates’ risk their campaigns being impersonated in spam campaigns and phishing attacks.

“DMARC is more important than ever because if it had been implemented with the correct policy on the domain used to spearphish John Podesta, then he would have never received the targeted email attack from Russian operatives,” said Agari’s Armen Najarian.

On the bright side, the wider Fortune 500 has seen a slight rise in DMARC adoption since the start of the year. Although most of the companies use DMARC, Agari said only 16 percent of the 500 world’s richest companies reject or quarantine unvalidated email — up from two years ago when just eight percent of the Fortune 500 were using DMARC.

In recent years, the U.S. government has spearheaded an effort to get DMARC rolled out across federal domains following pressure from Congress. Sen. Ron Wyden once called the rollout of DMARC “a no-brainer that increases cybersecurity without sacrificing liberty.”

Following the deadline set by Homeland Security last October, more than 80 percent of the government was using the security feature.