According to Axios, the security advocacy group Global Cyber Alliance has discovered that 18 of the 26 email domains used by the Executive Office of the President (EOP) are not in compliance with a Department of Homeland Security order to use a security protocol verifying that emails originate from genuine White House accounts.
The group also discovered that only one of the 26 has the security protocol fully implemented.
The security protocol DMARC lets the owner of an email domain publish a policy asking receiving mail servers to verify that a message was actually sent from the claimed sender.
- DMARC allows the owner of a domain that could be spoofed to tell receiving mail servers to reject a fraudulent email, send it to spam, or do nothing at all.
- The Department of Homeland Security issued a binding directive in October that federal agencies had to start using DMARC within 90 days. Eighteen of the 26 EOP domains have not done this yet, per Global Cyber Alliance's work.
- Seven of the remaining domains are using DMARC, but do not have it set to alert email providers to move fake emails from inboxes to spam or trash. Only one of the domains has it set to remove the emails from the inbox and head off a potential scam. Imagine the havoc someone could cause sending misinformation from a presidential aide's account: Such fraudulent messages could be used in phishing campaigns, to spread misinformation to careless reporters, or to embarrass White House employees by sending fake tirades under their names.
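The three buckets the tally above describes (no DMARC record, DMARC published but set to do nothing, and DMARC set to remove fakes from the inbox) correspond to the `p=` tag of a domain's `_dmarc` TXT record: absent, `p=none`, or `p=quarantine`/`p=reject`. The following is an added example, not code from Axios or Global Cyber Alliance; the domain names and records are constructed placeholders, and the `pct=` handling is the author's interpretation of how a partial rollout should be counted.

```python
"""Classify DMARC records into the buckets used in the article's tally."""
from typing import Dict, Optional

ENFORCING = {"quarantine", "reject"}   # policies that actually act on fakes


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; rua=...") into a tag dict.

    Returns None when the record is not a usable DMARC record: the first tag
    must be v=DMARC1 and a p= tag with a known value is required (RFC 7489).
    Receivers ignore malformed records, so they give no protection at all.
    """
    parts = [p.strip() for p in record.split(";")]
    if not parts or parts[0].lower() != "v=dmarc1":
        return None
    tags: Dict[str, str] = {}
    for part in parts:
        if not part:
            continue
        if "=" not in part:
            return None
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in {"none", "quarantine", "reject"}:
        return None
    return tags


def classify(record: Optional[str]) -> str:
    """Map a domain's _dmarc TXT record (None if absent) to a compliance bucket.

    missing              - no record, or a record receivers would ignore
    monitor_only         - p=none: reports only, fakes still land in inboxes
    partially_enforcing  - quarantine/reject but pct below 100 (assumption:
                           counted separately because only a sample is acted on)
    enforcing            - quarantine/reject applied to all mail
    """
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    policy = tags["p"].lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy in ENFORCING:
        return "enforcing" if pct >= 100 else "partially_enforcing"
    return "monitor_only"


def tally(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per bucket, as the article's 18 / 7 / 1 breakdown does."""
    counts = {"missing": 0, "monitor_only": 0,
              "partially_enforcing": 0, "enforcing": 0}
    for domain, record in records.items():
        counts[classify(record)] += 1
    return counts


# Constructed sample inventory; these are placeholder domains, not real EOP ones.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "alpha.example.gov": None,                                   # no record
    "beta.example.gov": "v=spf1 -all",                           # SPF, not DMARC
    "gamma.example.gov": "v=DMARC1; p=none; rua=mailto:dmarc@example.gov",
    "delta.example.gov": "v=DMARC1; p=quarantine; pct=25",
    "epsilon.example.gov": "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:22} {classify(record)}")
    print(tally(SAMPLE_RECORDS))
```

In practice the record for each domain is fetched as the TXT record at `_dmarc.<domain>` (for example with `dig TXT _dmarc.example.gov`) and then passed to `classify`; a domain whose record parses but carries `p=none` shows up as "monitor_only", which is exactly the state the article says seven of the EOP domains are in.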
What makes this revelation particularly interesting is President Donald Trump’s obsession with Hillary Clinton’s misuse of her own email server, which he cited as showing that she could not be trusted.