More than 95 percent of email domains managed by the Executive Office of the President (EOP) have not fully implemented DMARC yet, according to research from the Global Cyber Alliance.
Only the Max.gov email domain has fully implemented the top defense against email phishing and spoofing, according to the research, even though DHS mandated implementation by all federal agencies last year.
Seven of the White House domains have implemented DMARC at its lowest level, “none,” which monitors email but does not prevent delivery of spoofed emails, and 18 out of 26 domains have not started deployment at all.
“Email domains managed by the EOP are crown jewels that criminals and foreign adversaries covet, risk that must be fixed,” said Philip Reitinger, president and CEO of the Global Cyber Alliance. “The good news is that four new domains have implemented DMARC at the lowest level, which I hope indicates that DMARC deployment is moving forward. The EOP domains that have recently deployed DMARC at its lowest setting include WhiteHouse.gov and EOP.gov, two of the most significant government domains. I hope that the government will move rapidly to block phishing attempts across all EOP domains.”
Domains under the control of the EOP include Budget.gov, OMB.gov, WhiteHouse.gov, USTR.gov, OSTP.gov and EOP.gov – all well-known email domains that are valuable for phishers looking to trick government employees, government contractors, and U.S. citizens.
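The deployment states reported above (no record, policy “none,” and full implementation) can be read directly from the TXT record a domain publishes at `_dmarc.<domain>`. The following is an added example, not code from the Global Cyber Alliance research; the `.example` domains and records are constructed, and treating `p=reject` at 100 percent as "full enforcement" is an assumption, since the article does not define its threshold.

```python
# Added example: classify DMARC TXT records into deployment levels.
# The labels are this example's own; the domains and records are constructed samples.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Parse one TXT string into a tag dict; return None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Map the TXT strings found at _dmarc.<domain> to a deployment level."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if not records:
        return "not started"
    if len(records) > 1:
        return "invalid (multiple records)"  # receivers ignore ambiguous policies
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid (bad or missing p=)"  # simplification made by this example
    if policy == "none":
        return "monitor only"  # reports are sent, spoofed mail is still delivered
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100  # pct defaults to 100 when absent
    sp = tags.get("sp", policy).lower()       # subdomain policy inherits p= when absent
    if policy == "reject" and pct == 100 and sp == "reject":
        return "full enforcement"
    return "partial enforcement"

SAMPLES = {  # constructed records, not real DNS data
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@b.example"],
    "c.example": ["v=spf1 -all"],                      # SPF only, no DMARC record
    "d.example": ["v=DMARC1; p=reject; pct=25"],       # policy applied to a sample only
    "e.example": ["v=DMARC1; p=reject; sp=none"],      # subdomains left unprotected
}

def survey(samples):
    return {domain: classify(records) for domain, records in samples.items()}

if __name__ == "__main__":
    for domain, level in survey(SAMPLES).items():
        print(f"{domain:12} {level}")
```

The `pct` and `sp` checks matter because a record can show `p=reject` while still letting most spoofed mail, or all spoofed subdomain mail, through.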