A majority of email domains at the Executive Office of the President lack any level of phishing and spoofing security protocol, according to research released April 3 by the Global Cyber Alliance, a partnership of law enforcement and research organizations.

In October 2017, the Department of Homeland Security issued a mandate that all agencies adopt Domain Message Authentication Reporting and Conformance protocols to protect their email domains from being spoofed by hackers. And while governmentwide compliance with the mandate has been mixed, only seven of the White House’s 26 email domains had instituted the bare minimum DMARC policy.

A DMARC policy of p=none, the minimum required by the DHS mandate, allows network administrators to monitor email activity without taking action to stop unauthorized emails.

In addition, only one White House email domain, MAX.gov, had made use of the most stringent DMARC policy, p=reject, which blocks messages that fail authentication.

“Email domains managed by the EOP are crown jewels that criminals and foreign adversaries covet,” said Philip Reitinger, president and CEO of the Global Cyber Alliance.

“The lack of full DMARC deployment across nearly every EOP email address poses a national security risk that must be fixed. The good news is that four new domains have implemented DMARC at the lowest level, which I hope indicates that DMARC deployment is moving forward. The EOP domains that have recently deployed DMARC at its lowest setting includes whitehouse.gov and EOP.gov, two of the most significant government domains. I hope that the government will move rapidly to block phishing attempts across all EOP domains.”

White House email domains, such as budget.gov, OMB.gov, whitehouse.gov, USTR.gov, OSTP.gov and EOP.gov, are widely recognized names, and a phishing attempt using a spoofed address from those domains is much more likely to get clicks, due to that pre-existing trust.