As the U.S. gears up for Election Day, a new study from Comparitech reveals that many county websites tasked with sharing vital election information are failing to meet essential cybersecurity standards. Researchers found that 57 percent of these websites lack a .gov domain, a basic yet critical feature that establishes legitimacy. Instead, most use .com, .org, or .us domains, raising the risk that voters might fall prey to phishing scams or misinformation from maliciously spoofed sites.
The .gov domain is reserved exclusively for verified government organizations, as explained on Get.gov: “Only verified U.S. government organizations can register a .gov domain,” which is intended to assure the public that the information provided is authentic. This exclusivity contrasts with .com, .org, or .us domains, which "anyone can register." The lack of .gov domains in many counties heightens the potential for these sites to be spoofed by bad actors, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned recently.
As disinformation threats continue to evolve, 41 percent of county election contact emails also lack a basic email authentication protocol known as Domain-based Message Authentication, Reporting & Conformance (DMARC), which reduces the likelihood of phishing attacks. Alarmingly, some counties still rely on generic email providers like @gmail.com, @outlook.com, or @hotmail.com, which further weakens security.
A Cybersecurity Patchwork by the Numbers
The scope of cybersecurity gaps is extensive. Of the 2,913 county websites examined by Comparitech:
57% operate on non-.gov domains, broken down as follows:
548 use .us domains
530 use .org domains
469 use .com domains
97 use .net domains
13 use other less common domains like .co, .info, and .vote
85 sites lack Secure Sockets Layer (SSL) certificates, a protocol that ensures secure connections.
"County websites without a .gov domain and SSL certificate are inherently less secure," explains Comparitech. “These lapses expose voters to threats of spoofing, phishing, and disinformation.”
Swing State Security Gaps
The disparities extend into key swing states, where voter turnout and election security are especially critical. Arizona stands out as a model, with all counties securing a .gov domain and SSL protection. Meanwhile, Michigan’s numbers tell a different story, with 72 percent of its counties relying on non-.gov domains, and two counties lacking SSL protection. Georgia, Nevada, North Carolina, Pennsylvania, and Wisconsin also display varying levels of vulnerabilities, with many relying on .org, .com, or .us domains.
DMARC and Email Authentication Failures
The study also found that 41 percent of county election websites lacked DMARC authentication, a vital protocol that guards against email spoofing. Texas, a state with over 250 counties, is one of the largest contributors to this gap, with 71 percent of its election-related emails lacking DMARC. “Without DMARC, there’s a real risk that an attacker could send out phony emails impersonating election officials,” warns Comparitech. Generic email addresses such as @gmail.com and @yahoo.com are also prevalent in several states, further eroding trust.
The worst offenders for missing DMARC include:
Oklahoma: 94% of counties lacked DMARC.
Mississippi: 72% of counties had no DMARC.
Texas: 71% of counties were without DMARC.
States with Better Security Practices
Some states have implemented better security measures. Alongside Arizona, Delaware and Hawaii stand out, with all official election websites using .gov domains. Ohio, too, boasts a high rate of .gov domains (99 percent), while Nebraska follows closely at 97 percent. These states exemplify how secure digital infrastructure can help voters trust the information they find online.
Recommendations for Voters
Given these vulnerabilities, experts recommend that voters looking for information prioritize visiting their state’s official election websites, which often have higher security standards than individual county sites. This simple step can help voters avoid potential spoofed sites, misinformation, and phishing scams.
With just days until the election, time is running out for these counties to improve their cybersecurity. Comparitech’s findings serve as a stark reminder of the cybersecurity gaps that remain and the persistent threat they pose to voters seeking trustworthy information.