A new Global Cyber Alliance report says 18 of the 26 email domains managed by the Executive Office of the President (EOP) have not begun implementing the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol.
GCA said Wednesday it also found that seven of the White House email domains have deployed the DMARC protocol at the “none” level, which facilitates email monitoring but does not block spoofed emails.
The report noted that Max.gov is the only White House email domain that has deployed the highest-level DMARC policy that works to block email spoofing and phishing activities.
“The lack of full DMARC deployment across nearly every EOP email address poses a national security risk that must be fixed,” said Philip Reitinger, president and CEO of GCA.
“The EOP domains that have recently deployed DMARC at its lowest setting include WhiteHouse.gov and EOP.gov, two of the most significant government domains,” Reitinger added.
EOP oversees email domains such as WhiteHouse.gov, Budget.gov, OMB.gov, USTR.gov, OSTP.gov and EOP.gov.
The Department of Homeland Security released a directive in October 2017 to help federal agencies protect emails and websites from cyber threats through the adoption of DMARC and other security protocols.