New Trump Email Security Concerns Extend to Email Authentication and DMARC

The tweet that started the whole thing.

The IT press is blowing up with stories about the insecurity of various Trump organization email servers. You can easily find dozens of them, but here’s one that will give you the fundamentals.

Since ValiMail is the email authentication expert, we felt we should look into the Trump organization’s approach to email authentication and what it does to protect itself and its customers against phishing.

I used our free DMARC checker that we make publicly available to determine the DMARC and SPF status for a set of domain names used by Trump organizations. Based on the revelations about other aspects of the organization’s email security, you may not be surprised at the results. As of posting time:

donaldjtrump.com (the campaign’s official web address): A DMARC policy is in place with no enforcement. That means the organization has visibility over phishing activity but does not block phishing messages.

trumporg.com: No DMARC record. No visibility over nor blocking of phishing.

trumpic.com: No DMARC record; SPF record syntactically invalid. No visibility over nor blocking of phishing. Deliverability may suffer due to incorrect SPF configuration.

trumpgolflinks.com: No DMARC record. No visibility over nor blocking of phishing.

trump.com: No DMARC record. No visibility over nor blocking of phishing.

trumphotels.com: No DMARC record; SPF required 37 lookups. No visibility over nor blocking of phishing. Deliverability may suffer because SPF is limited to ten lookups and this domain has 37.

trumpgolf.com: No DMARC record; SPF record broken. No visibility over nor blocking of phishing. Deliverability may suffer because SPF uses deprecated mechanisms or macros that may not be supported by email receivers.

trumpinternationalrealty.com: No DMARC record; no SPF record. No visibility over nor blocking of phishing. Deliverability may suffer because no SPF authentication is in place.

trumpwinery.com: No DMARC record. No visibility over nor blocking of phishing.
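
As an added illustration (not ValiMail's checker and not code from the original post), this sketch shows two of the checks behind the results above: whether a DMARC record actually enforces a policy, and how SPF include chains add up against the ten-lookup limit. Every domain and record in it is constructed, and the function names are hypothetical.

```python
# Added example: offline DMARC/SPF posture check over constructed TXT records.
# Every domain and record in ZONE is made up for illustration.
ZONE = {
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:reports@monitor.example"],
    "_dmarc.enforced.example": ["v=DMARC1; p=reject"],
    "heavy.example": ["v=spf1 include:a.heavy.example include:b.heavy.example mx a -all"],
    "a.heavy.example": ["v=spf1 include:c.heavy.example mx a ptr ~all"],
    "b.heavy.example": ["v=spf1 exists:%{i}.bl.heavy.example a mx ~all"],
    "c.heavy.example": ["v=spf1 ip4:192.0.2.0/24 a mx ~all"],
    "light.example": ["v=spf1 ip4:198.51.100.0/24 include:c.heavy.example -all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208, 4.6.4
SPF_LOOKUP_LIMIT = 10


def dmarc_status(domain, zone=ZONE):
    """Return 'no record', 'monitoring only' or 'enforced' for a domain."""
    records = [r for r in zone.get("_dmarc." + domain, [])
               if r.lower().startswith("v=dmarc1")]
    if len(records) != 1:           # zero or several records: no usable policy
        return "no record"
    tags = dict(t.strip().split("=", 1) for t in records[0].split(";") if "=" in t)
    policy = tags.get("p", "").strip().lower()
    return "enforced" if policy in ("quarantine", "reject") else "monitoring only"


def spf_lookups(domain, zone=ZONE, path=()):
    """Count DNS-querying SPF terms, following include/redirect chains."""
    if domain in path:              # include loop: stop instead of recursing forever
        return 0
    records = [r for r in zone.get(domain, [])
               if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return 0
    count = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")                     # drop the qualifier
        name, _, arg = term.replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()              # "a/24" still counts as "a"
        if name in LOOKUP_TERMS:
            count += 1
        if name in ("include", "redirect"):
            count += spf_lookups(arg, zone, path + (domain,))
    return count
```

Here `heavy.example` looks modest at the top level (four DNS-querying terms) but reaches 13 once its includes are followed, which is how a domain ends up over `SPF_LOOKUP_LIMIT` without anyone noticing.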
