More than half of the email domains managed by the White House’s Executive Office of the President (EOP) have not yet implemented an email security tool designed to protect users from phishing attacks, according to new research.

The Department of Homeland Security (DHS) has required that federal agencies and departments operating .gov domains implement the tool, known as Domain-based Message Authentication, Reporting, and Conformance (DMARC).

DMARC enables organizations to flag potentially fraudulent emails that fail authentication tests or, when stronger settings are turned on, send the messages directly to a recipient’s spam folder or block them entirely.

According to the Global Cyber Alliance, only one of the 26 email domains managed by the EOP — Max.gov — has implemented the highest DMARC setting.

Seven EOP domains, including WhiteHouse.gov and EOP.gov, have implemented the tool on its lowest security setting, while the remaining 18 have yet to deploy DMARC at all.

Homeland Security announced last year that it would require federal agencies to implement DMARC, setting a mid-January deadline for agencies to comply with the directive.

The binding operational directive issued in October applies to all federal and executive branch .gov domains, with the exception of those used for national security, military or intelligence purposes.

Agari, a data security company that tracks the federal government’s use of DMARC, found that implementation of the tool surged immediately ahead of the January deadline, though 37 percent of agencies had not implemented the tool in time.

The Global Cyber Alliance, an organization founded by the New York district attorney’s office, the Center for Internet Security and the City of London Police to help prevent cyber crime, released statistics on the White House’s adoption of the tool on Wednesday.

“The lack of full DMARC deployment across nearly every EOP email address poses a national security risk that must be fixed,” Philip Reitinger, president and CEO of the group, said in a statement.