As Canada approaches the federal election on April 28, 2025, the importance of secure digital communication for political parties cannot be overstated. Email remains a critical tool for campaigns, fundraising, and voter engagement, but it also poses significant risks if not properly secured. In this follow-up to our 2019 article, we examine the current state of email authentication for Canada’s major political parties, focusing on SPF, DMARC, BIMI, and other key security measures.
We analyzed the domains used by the Liberal Party, Green Party, Bloc Quebecois, Conservative Party, and NDP to assess their adoption of email authentication protocols. Here’s what we found:
Conservative Party
- Domain: conservative.ca
- SPF: Invalid
- DMARC: Valid
- DMARC Policy: Quarantine
- BIMI: No records found
- Errors/Warnings: Multiple SPF TXT records
- ESP: Campaign Monitor (Marigold)
Grade: B-
The Conservative Party has implemented a DMARC policy of “Quarantine,” an improvement from 2019 when no DMARC was in place. However, their SPF record is now invalid, which could impact email deliverability. The presence of multiple SPF TXT records is a red flag and should be addressed.
Bloc Quebecois
- Domains: bloc.org, blocquebecois.org, em4636.blocquebecois.org
- SPF: Valid
- DMARC: No records found
- BIMI: No records found
- Errors/Warnings: None
- ESP: Sendgrid
Grade: F
Bloc Quebecois has made no progress in DMARC adoption since 2019, leaving them vulnerable to email spoofing. While their SPF records are valid, the absence of DMARC means they lack visibility into email fraud attempts. BIMI adoption is also missing.
Green Party
- Domains: awssend.greenparty.ca, greenparty.ca
- SPF: Valid
- DMARC: Valid
- DMARC Policy: Reject
- BIMI: No records found
- Errors/Warnings: None
- ESP: Amazon AWS
Grade: A
The Green Party has made significant strides in email security, upgrading their DMARC policy from “None” in 2019 to “Reject” in 2025. This is the strongest policy available, ensuring unauthenticated emails are rejected outright. Both domains have valid SPF and DMARC records, though BIMI remains unimplemented.
Liberal Party
- Domains: action.liberal.ca, liberal.ca
- SPF: Mixed (Valid for action.liberal.ca, Invalid for liberal.ca)
- DMARC: Valid for action.liberal.ca, Invalid for liberal.ca
- DMARC Policy: None
- BIMI: No records found
- Errors/Warnings: Invalid DMARC tag (`rl`) for action.liberal.ca
- ESP: Salesforce
Grade: C
The Liberal Party has introduced a new domain (action.liberal.ca) with valid SPF and DMARC records, but their primary domain (liberal.ca) has regressed with invalid SPF and DMARC. The DMARC policy remains “None,” indicating no action is taken on unauthenticated emails. The lack of BIMI adoption misses an opportunity to enhance brand trust.
NDP
- Domain: ndp.ca
- SPF: Invalid
- DMARC: Valid
- DMARC Policy: None
- BIMI: No records found
- Errors/Warnings: Missing `rua` tag for reporting
- ESP: NGP Van (Bird)
Grade: F
The NDP has regressed in email security, with an invalid SPF record and a DMARC policy of “None.” Worse, their DMARC reporting (`rua`) is now missing, reducing their ability to monitor email fraud. BIMI remains unimplemented.
Email authentication is a critical component of digital security, especially for political parties handling sensitive communications. While the Green Party has made commendable progress, the overall landscape is concerning. Moreover, the failure to adopt basic email authentication practices—and in some cases, critical errors—leaves these organizations vulnerable to fraud and undermines voter trust.
The general lack of improvement, and in some cases regression, over the past six years is deeply disappointing. As we approach the 2025 federal election, it’s imperative that all parties prioritize email security to protect their communications and maintain voter trust.
Note: No party uses Canadian service providers, which is out of step with the “Buy Canadian” movement.
What do you think about the current state of email authentication for Canadian political parties? Share your thoughts in the comments below!
