‘Mail servers of the House of Representatives lack protection against email spoofing’ – update

The mail servers of the House of Representatives lack security measures to prevent e-mail spoofing, making it possible to send e-mails on behalf of politicians. This is according to a study by Follow the Money.

The site partnered with a security researcher to check the mail servers. It states that the lack of SPF is the biggest problem that allows third parties to send e-mails in the name of politicians. This checks the domains that are allowed to send mails from a mail server. Because this measure was missing, among other things, Follow the Money was able to send e-mails from the Tweedekamer.nl domain. The site did this in the name of Mark Rutte and Geert Wilders, among others. Chamber chairman Khadija Arib informs the NOS that measures will be taken in the short term.

This creates a security risk, because convincing phishing emails can be sent in this way, for example. Last year, a study by the Home Office showed that a large number of municipalities also do not take sufficient measures to protect their e-mail. This involved looking at spf, but also measures such as dmarc and dkim.

Dkim is an authentication method that allows a recipient of an email to verify that a message from the sender’s domain was indeed allowed to be sent from there. Dmarc builds on these techniques and can be used, for example, to verify whether the content of an email has changed after it was sent. Spf and dkim are on the so-called ‘comply-or-explain’ list. Everything on this list is mandatory for government organizations when purchasing, purchasing, tendering or developing a new service of 50,000 euros or more.

Update, 11:56: The House of Representatives reports in a message that it is no longer possible to send e-mail on behalf of a member of parliament after ‘urgent measures have been taken’.