White House email domains are sitting ducks for phishing attacks: study

Only one of the 26 email domains managed by the Executive Office of the President uses DMARC.
(Flickr / Hannah Rosen)

The White House’s delay in implementing an important email security protocol leaves its domain names vulnerable to being used in a large-scale phishing attack, according to a new study.

Only one of the 26 email domains managed by the Executive Office of the President (EOP) uses the Domain-based Message, Authentication, Reporting and Conformance (DMARC) protocol to block phishing attempts, the nonprofit Global Cyber Alliance said. Eighteen of those domains haven’t started deploying DMARC.

A Department of Homeland Security directive gave federal agencies until Jan. 15 to implement DMARC, which creates a public record for checking whether an email sender is authorized to transmit a message on behalf of a domain. Spokespeople for DHS and the National Security Council did not respond to questions on whether the directive applies to the EOP. The White House has previously claimed it was exempt from a governmentwide-reporting requirement under an IT security law.

Email domains managed by the Executive Office of the President, including,, and, “are crown jewels that criminals and foreign adversaries covet,” Philip Reitinger, the alliance’s president, said in a statement.


Although agencies have made progress implementing DMARC, more than a month after the DHS deadlines passed, an analysis by software vendor Easy Solutions found that over 40 percent of 311 government domains still lacked a DMARC record.

The federal government has been waging a years-long war on phishing that is far from over. In July and August 2015, a spear-phishing, or more targeted, attack that U.S. officials blamed on Russian hackers disabled the Joint Chiefs of Staff’s unclassified email system for more than two weeks.

A steady stream of generic, email-based attacks continues. The Pentagon blocks 36 million malicious emails a day, a defense official said in January.

“We hope the White House utilizes [the alliance’s] research as a call to action to join their government peers in taking this critical, commonsense step,” Patrick Peterson, founder of Agari, an email security firm that has also published research on DMARC, told CyberScoop.

An NSC spokesperson did not reply to questions on the study’s findings by the time of publication.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts