Dear President-Elect Trump:
As you take office on January 20, we are writing with a modest proposal: Make email great again.
In particular, we ask you to take steps to restore the public’s trust in government email.
Right now, it’s far too easy for devious people, whether they are agents of a foreign power or just a 400-pound hacker sitting on a bed somewhere, to impersonate Federal agencies. It’s as simple as putting “NSA.gov” in the From: line of his email message, and Joe Cyber can make it look like he is actually the new director of the NSA sending you an email message.
That’s because too many agencies are not taking advantage of open email authentication standards. Email authentication means that whenever you receive an email, you can trust that it comes from where it appears to come from. It’s like a certified, validated return address.
But as the commander in chief of the United States, you will want citizens to trust their government, not be suspicious of every email that it appears to send them.
Besides, we know cybersecurity is important to you and to the office of President.
- Your campaign promised an “immediate review of all U.S. cyber defenses and vulnerabilities.”
- In your press conference earlier this month, you promised “a major report on hacking defense” within the first 90 days of your administration.
- Your predecessor helpfully set up a 12-person cybersecurity commission that produced a 100-page report filled with recommendations your administration should seriously consider.
- As a candidate, you are on the record as having said that America needs to “get very, very tough on cyber and cyber warfare.”
- And of course, you attacked your opponent for using an unsecured mail server to send classified email communications. (Even though your own organization uses domains without email authentication, opening you and your employees up to the possibility of being impersonated in emails sent by hackers.)
The good news is that you can have a big impact, immediately. Frankly, email authentication among Federal agencies is a mess.
Here are some of the Federal domains that don’t have email authentication, or which have set something up but have serious problems:
Here are a few that have some basic authentication (via a standard called SPF), but lack the most modern, most effective form (called DMARC):
In fact, of the 10 Federal domains we checked today, only one — SSA.gov — has complete email authentication in place and working properly.
Here’s an easy win: Include email authentication in that hacking defense report you promised.
Then ask your cyber people to implement email authentication (including DMARC) for all of these agencies. You will immediately cut off a big potential source of fraud. You will have slammed the door on hackers who start their attacks through phishing emails, greatly increasing the public’s peace of mind.
And you will have done your part to wipe out email’s original sin.
The Team at ValiMail