Updated Apr 4, 2018

Outgoing White House emails not protected by verification system

The White House

The White House as seen through a exterior fence in 2016. Photo: Yuri Gripas/AFP via Getty Images.

The security advocacy group Global Cyber Alliance tested the 26 email domains managed by the Executive Office of the President (EOP) and found that only one fully implements a security protocol that verifies the emails as genuinely from the White House. Of the 26 domains, 18 are not in compliance with a Department of Homeland Security directive to implement that protocol.

Why it matters: Imagine the havoc someone could cause sending misinformation from a presidential aide's account: Such fraudulent messages could be used in phishing campaigns, to spread misinformation to careless reporters, or to embarrass White House employees by sending fake tirades under their names.

The details: Email was not originally designed with security in mind. Any person can send any message with any email address listed as the sender. The security protocol DMARC allows an email provider to request that another server verify that an email was sent from the claimed sender.

  • DMARC allows a would-be-faked email server to tell the recipient of a scam to delete a fraudulent email, send it to spam or do nothing at all.
  • The Department of Homeland Security issued a binding directive in October that federal agencies had to start using DMARC within 90 days. Eighteen of the 26 EOP domains have not done this yet, per Global Cyber Alliance's work.
  • Seven of the remaining domains are using DMARC, but do not have it set to alert email providers to move fake emails from inboxes to spam or trash. Only one of the domains has it set to remove the emails from the inbox and head off a potential scam.

Get more stories like this by signing up for our cybersecurity newsletter, Codebook.

Go deeper