An analysis of 26 email domains managed by the Executive Office of the President (EOP) found that all but one of them lack sufficient DMARC (Domain-based Message Authentication, Reporting and Conformance) protections against spoofing used in phishing and spam campaigns.
The study is the work of the Global Cyber Alliance (GCA), an international organization that was co-founded by the City of London Police, the Manhattan District Attorney's Office and the Center for Internet Security, to prevent and combat malicious cyber activity. According to a GCA press release, most of the White House domains, 18 out of 26, have no DMARC policy in place at all.
Another seven do have a DMARC policy, but they currently only monitor email activity, rather than actively rejecting or quarantining emails that fail authentication mechanisms such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
“Email domains managed by the EOP are crown jewels that criminals and foreign adversaries covet,” said Philip Reitinger, president and CEO of the GCA, in a press release. “The lack of full DMARC deployment across nearly every EOP email address poses a national security risk that must be fixed. The good news is that four new domains have implemented DMARC at the lowest level, which I hope indicates that DMARC deployment is moving forward.”
DMARC is an authentication, policy, and reporting protocol that helps email domain owners and email receivers ensure that only communications that are verified to be from legitimate domains are transmitted, while emails that fail authentication policies are blocked or quarantined, due to the likelihood their addresses have been spoofed by malicious actors.
Phishing or spam emails using spoofed .gov addresses can be especially dangerous because they can trick government employees or ordinary citizens into giving away personal or sensitive information to what they mistakenly believe is a government official or agency.
Among the seven domains that currently have DMARC deployed at its most basic level -- monitoring only -- are WhiteHouse.gov and EOP.gov. It should be noted that it is not uncommon for domain owners to initially use DMARC in "monitor" mode for a given time period before shifting to a more secure quarantine or reject policy, in order to first make sure that legitimate emails are passing authentication checks.
The lone EOP domain that has implemented the most stringent DMARC policy, whereby suspicious emails are outright rejected, is Max.gov, which appears to be associated with the Office of Management and Budget's government-wide collaboration website.
In its release, the GCA comments that the EOP's limited DMARC deployment is "surprising," considering that the Department of Homeland Security mandated in an October 2017 directive that all federal agencies implement a DMARC reject policy for all second-level domains and mail-sending hosts. However, agencies were allotted a full year from when this directive was issued to comply.
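The three tiers the article describes (no record, monitor-only `p=none`, and the quarantine/reject policies the DHS directive calls for) map directly onto the `_dmarc.<domain>` TXT record. The following Python is an added example, not code from the GCA study or the article; it classifies constructed sample records the way the study grouped domains and applies an assumed strict reading of the reject mandate (`p=reject`, full `pct`, and no weaker subdomain policy).

```python
"""Classify DMARC TXT records by policy tier and check the reject mandate."""
from typing import Dict, Optional


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a DMARC record into tags; return None if it is not a DMARC record."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # A record only counts as DMARC if it carries the v=DMARC1 tag.
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify(record: Optional[str]) -> str:
    """Return 'none', 'monitor', 'quarantine' or 'reject' for one domain."""
    if record is None:
        return "none"          # no TXT record at _dmarc.<domain>
    tags = parse_dmarc(record)
    if tags is None:
        return "none"          # some other TXT record, e.g. SPF, is not DMARC
    policy = tags.get("p", "none").lower()
    if policy in ("quarantine", "reject"):
        return policy
    return "monitor"           # p=none: reports flow, spoofed mail still delivered


def meets_reject_mandate(record: Optional[str]) -> bool:
    """Assumed strict reading: p=reject, applied to 100% of mail, no weaker sp."""
    tags = parse_dmarc(record) if record else None
    if not tags or tags.get("p", "").lower() != "reject":
        return False
    if tags.get("pct", "100") != "100":
        return False           # policy sampled on only part of failing mail
    return tags.get("sp", "reject").lower() == "reject"


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per tier, like the study's 18 / 7 / 1 breakdown."""
    counts = {"none": 0, "monitor": 0, "quarantine": 0, "reject": 0}
    for record in records.values():
        counts[classify(record)] += 1
    return counts


# Constructed sample records; the names are placeholders, not EOP domains.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "example-a.gov": None,
    "example-b.gov": "v=DMARC1; p=none; rua=mailto:dmarc@example-b.gov",
    "example-c.gov": "v=DMARC1; p=quarantine; pct=50",
    "example-d.gov": "v=DMARC1; p=reject; rua=mailto:dmarc@example-d.gov",
    "example-e.gov": "v=spf1 -all",
}
```

Fed the real records (e.g. from `dig TXT _dmarc.<domain>`), `summarize` reproduces the tier counts and `meets_reject_mandate` flags which domains still fall short of the directive.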
Budget.gov, OMB.gov, USTR.gov, OSTP.gov were among the other domains that GCA studied, but the organization does not specify in its release whether any of these domains were among the group with low-level DMARC policies. SC Media has reached out to both GCA and the Executive Office of the President's press office for additional comments.