As the US election approaches, many people look to their local county websites for information on voting, whether that’s confirming their registration, finding their local polling station, or contacting the government about a query. To find an official source and avoid misinformation, voters often search for election websites with a .gov domain in the web address.
Comparitech researchers found that 57 percent of official US county websites displaying election information are non-.gov domains. As the official website for registering .gov domains, get.gov explains, “only verified U.S. government organizations can register a .gov domain” whereas “anyone can register a .com, .org, or .us domain. This can make it hard for the public to know if the people behind an online service are who they claim to be.”
Therefore, 57 percent of US counties using non-.gov domains could be spoofed and used to spread misinformation and phish information. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an announcement on October 18, warning voters of the variety of tactics that are likely being used by foreign threat actors to spread disinformation, including spoofed websites. This also follows a 2020 report by the Department of Homeland Security which found around 50 suspicious domains displaying information on voting and elections.
41 percent of the voting contact emails from US county websites also lack the basic email authentication protocol, Domain-based Message Authentication, Reporting & Conformance (DMARC). Worse still, nearly 100 websites displayed generic emails like @gmail.com, @outlook.com, and @hotmail.com.
DMARC is considered one of the best practices for email security. DMARC works to help ensure that, when receiving an email, the message verifies information about the sender. Ultimately, this goes toward preventing email-based attacks, such as spoofing and phishing.
To gather this information, we looked for websites displaying election information from each of the 3,144 US counties and the contact email addresses displayed on their official web pages. Our statistics and percentages are based on all of the counties with websites available. Those without a website (231) haven’t been included in the overall website stats. And those without an email address (590) haven’t been included in those stats.
Key findings
Of the US county election websites and emails we studied and found information for:
- 57% have non-.gov registered domains = 1,657
- 548 have .us sites
- 530 have .org sites
- 469 have .com sites
- 97 have .net sites
- 13 have other sites, e.g. .co, .info, and .vote
- 55% of counties in the seven swing states have non-.gov registered domains. All of Arizona’s counties have .gov domains. 72% of Michigan’s does not.
- 85 websites don’t have a Secure Sockets Layer (SSL) certificate, which authenticates the owner of the website and encrypts the connection
- 41% of email addresses displayed on the above websites have no DMARC authentication
- A further 99 email addresses were from generic domains such as @gmail.com
Nearly 60% of US counties don’t have .gov domains for election information
According to our findings, 1,657 of the 2,913 US county websites with election information don’t have .gov domains.
Aside from DC (which operates as its own state and city/county) and scored 100% due to its one website being .org, the five states with the worst rate of non-.gov domains were:
- Oklahoma = 95%: Of the 42 counties where we were able to find websites with election information, 40 were non-.gov domains. The majority (29) were .org and one lacked SSL protection.
- Kentucky = 91%: 114 counties have election-specific information and of these, 104 weren’t government registered. 75 have .us domains.
- Vermont = 91%: 10 of its 11 counties’ websites with election information were non-.gov domains. Six were .org and four were .com.
- Alaska = 86%: Just three counties have .gov domains and 19 do not. Nine were .org sites and seven were .us sites.
- Texas = 86%: From 252 county websites with election data, just 35 have a .gov domain. 162 have .us domains.
Other states within the top ten were South Dakota (86%), Louisiana (84%), Mississippi (81%), Kansas (79%), and Maine/New Mexico (joint with 75%).
Kansas has the highest number of websites without an SSL certificate–12 in total.
At the other end of the scale were Arizona, Delaware, and Hawaii where all official election websites have .gov domains. 87 out of 88 counties (99%) in Ohio have .gov domains and 89 of 92 websites (97%) in Nebraska have .gov domains.
41% of US county election websites have emails without basic authentication protocols
Out of the 2,554 county websites that provided direct emails on their voting/election information pages, just 1,439 have DMARC in place. 1,016 don’t have DMARC and a further 99 were generic email addresses. These generic addresses haven’t been included in our analysis of DMARC vs. no DMARC because these often provide false positives.
The states with the highest percentage of counties without DMARC authentication on their emails were:
- Oklahoma = 94%: As well as having the highest number of counties with non-.gov domains, Oklahoma also has the highest rate of counties with email addresses (48 out of 51) without DMARC authentication. One county also used a generic @yahoo email.
- Mississippi = 72%: 36 of the 50 emails we found don’t have DMARC. Two have generic emails from telecommunication providers, e.g. AT&T.
- Texas = 71%: Out of the 210 emails we identified, 150 don’t have DMARC. Seven have generic emails, including two @gmail.com, two @yahoo.com and one @windstream.net
- Nebraska = 69%: 59 of its 86 emails were without DMARC but no generic emails were used by counties.
- Utah = 61%: From the 23 emails on its county elections websites, just nine have DMARC authentication. It doesn’t have any generic emails, however.
Also within the top ten were Kansas (58%), New Mexico/Montana (tied on 57%), Minnesota (52%), and Arkansas/Nevada (tied on 50%).
The states with the highest number of counties using generic emails were:
- Georgia = 20: This included 10 @gmail.com accounts, five @windstream.net accounts, and two @yahoo.com accounts
- Arkansas = 10: This consisted of eight @gmail.com accounts, one @yahoo.com account, and one via a telecommunications provider
- Kentucky = 8: Including three @gmail.com, and one @yahoo.com, @outlook.com, and @email.com
- Texas = 7: (see above)
- Louisiana = 7: This featured three @yahoo.com, two @gmail.com, and two from telecommunications providers
The District of Columbia, New Hampshire, and Delaware all scored 0% due to listing only one email address for each state.
If we exclude these, the best-performing states were: Kentucky (5%), Florida and Ohio (13%), Maryland (14%), California (19%), and New Jersey (21%).
County election website and email security in the seven swing states
As we already noted, 55% of counties in the seven swing states have non-.gov registered domains. Best in class was Arizona where all of the counties have .gov domains. At the other end of the spectrum, 72% of Michigan counties do not.
- All of Arizona’s counties have .gov domains. All of them have SSL protection, too.
- 43% of North Carolina’s counties don’t have .gov domains. 18 have .org and 16 have .com. Two also lacked SSL protection.
- 48% of Pennsylvania’s counties don’t have .gov domains. 15 have .org and 10 have .us. Two also lacked SSL protection.
- 53% of Nevada’s and Wisconsin’s counties don’t have .gov domains. .org was the most favored non-.gov domain in Nevada while in Wisconsin it was .us. One site in Nevada and three in Wisconsin lacked SSL protection.
- 62% of Georgia’s counties don’t have .gov domains. 46 have .com sites, 30 have .org sites, and eight don’t have SSL protection.
- 72% of Michigan’s counties don’t have .gov domains. .org was found in 28 cases and two have no SSL protection.
US county election websites without .gov domains in the swing states
| State | # of Counties | .gov sites | .com sites | .org sites | .net sites | .us sites | Others | # of unknown | % that aren't .gov | # without SSL protection |
|---|---|---|---|---|---|---|---|---|---|---|
| Arizona | 15 | 15 | 0 | 0 | 0 | 0 | 0 | 0.00 | 0 | |
| Georgia | 159 | 60 | 46 | 30 | 6 | 14 | 3 | 61.54 | 8 | |
| Michigan | 83 | 23 | 14 | 28 | 10 | 8 | 0 | 72.29 | 2 | |
| Nevada | 17 | 8 | 1 | 5 | 2 | 1 | 0 | 52.94 | 1 | |
| North Carolina | 100 | 57 | 16 | 18 | 2 | 6 | 1 | 0 | 43.00 | 2 |
| Pennsylvania | 67 | 35 | 3 | 15 | 4 | 10 | 0 | 47.76 | 2 | |
| Wisconsin | 72 | 34 | 4 | 9 | 0 | 25 | 0 | 52.78 | 3 |
39% of county election emails in the swing states do not have DMARC authentication
Our findings also uncovered that, in the swing states, 39 percent of email addresses listed on county election websites don’t have DMARC authentication. While slightly better than average (41%), this still leaves a huge number of counties that aren’t adhering to basic email authentication practices.
- Arizona came out on top again here but three out of 12 email addresses don’t have DMARC. Nevertheless, no counties displayed generic addresses.
- 29% of Wisconsin’s counties have email addresses without DMARC authentication. But no generic addresses were used here either.
- 32% of North Carolina’s counties have email addresses without DMARC authentication. Two also used generic addresses.
- 36% of Michigan’s counties have email addresses without DMARC authentication. One also used a generic addresses.
- 47% of Pennsylvania’s counties have addresses without DMARC authentication. None have generic emails.
- 49% of Georgia’s counties have email addresses without DMARC authentication. 20 also used generic addresses, which, as we’ve seen, is the highest figure of all states.
- 50% of Nevada’s counties have addresses without DMARC authentication. None have generic email addresses.
US county election website emails without DMARC authentication in the swing states
| State | DMARC - Y | DMARC - N | Generic (e.g. @gmail.com) | # of Unknown | % of known emails without DMARC (generic not included) |
|---|---|---|---|---|---|
| Arizona | 9 | 3 | 0 | 3 | 25.00 |
| Georgia | 59 | 56 | 20 | 24 | 48.70 |
| Michigan | 47 | 27 | 1 | 8 | 36.49 |
| Nevada | 7 | 7 | 0 | 3 | 50.00 |
| North Carolina | 64 | 30 | 2 | 4 | 31.91 |
| Pennsylvania | 27 | 24 | 0 | 16 | 47.06 |
| Wisconsin | 40 | 16 | 0 | 16 | 28.57 |
Finding accurate information for the upcoming elections
Many US counties should improve the security and authentication of their websites and emails. But with little time before the election, those searching for key information and advice should first look to their official state websites, which you can find here. Relying on search engine results may lead voters to websites that have been spoofed, display misinformation, and/or are phishing for voter information.
Methodology
We used a list of 3,144 counties and searched each of these for a website displaying voter/election information. Only websites from specific counties were used. For example, when searching for Cochise County, Arizona, the specific county website (https://www.cochise.az.gov/292/Elections) was noted. Those displayed by websites such as ballotready.org, usvotefoundation.org, or the state website were not used. When one of these websites was located, we noted the email address displayed on the voting information page, e.g. elections@cochise.az.gov.
We noted whether or not each of these websites had SSL protection and ran a DMARC check on the email address. Generic emails (e.g. @gmail.com, @yahoo.com, and from telecommunications companies) were excluded due to the possibility of false positives.
This data is based on the results we found during our research timeframe (September and October 2024), meaning things may have changed since we obtained the results.
Data researchers: Anthony Moore, Mantas Sasnauskas
