The top defense against email phishing and spoofing, says the report, is called the Domain Message Authentication Reporting & Conformance (DMARC). Only one of the domains from the EOP (Max.gov) has fully implemented this system. Seven domains have implemented DMARC at the lowest level ("none"), which does not prevent delivery of email from spoofed addresses. The security firm also says it found that 18 of the 26 domains haven't even started deploying DMARC. That means that scammers can easily use these official governmental email addresses to "steal money, trade secrets or even jeopardize national security."

"Email domains managed by the EOP are crown jewels that criminals and foreign adversaries covet," said GCA CEO Philip Reitinger in a statement. "The lack of full DMARC deployment across nearly every EOP email address poses a national security risk that must be fixed." The good news, he said, is that four new email domains have at least implemented the lowest level of DMARC, which might mean that the implementation of security might be moving forward. There still seems to be a ways to go, however, until all domains from the EOP are protected at the highest possible level.