Most .Gov Sites Flunk E-mail Authentication Test

Online Trust Alliance Issues Report Card The White House website, along with the majority of other top .gov sites analyzed, received failing grades from the Online Trust Alliance for not preventing deceptive e-mail and phishing scams, according to the group's analysis of e-mail authentication adoption practices.

The Alliance a consortium of worldwide businesses that fosters the elimination of e-mail and Internet fraud, abuse and cyber crime found 56 percent of top federal government websites including,, and weren't employing proper e-mail authentication standards such as SPF/Sender ID and DomainKeys. E-mail authentication is seen as a best practice to help thwart e-mail and phishing abuse, which can lead to identity theft.

"It is incomprehensible that in this period of escalating online scams and diminishing consumer confidence these agencies ... continue to sit on the sidelines," Alliance Chairman Craig Spiezle said in a statement announcing the findings.

Still, during the week millions of citizens filed their federal tax returns online, the Alliance lauded the Internal Revenue Service for its adoption of best practices and commitment to curb online abuse. Recognizing the increasing levels of phishing and scams targeting U.S. taxpayers, the IRS adopted many best practices including Extended Validation SSL certificates, e-mail authentication and other security and privacy protection measures, the Alliance said.

Federal government agencies receiving a passing grade from the Alliance include the departments of the Air Force and Veteran Affairs, Census Bureau, Central Intelligence Agency, Coast Guard, Federal Deposit Insurance Corp., Federal Trade Commission, General Services Administrations, IRS, Securities and Exchange Commission and Social Security Commission.

Those flunking the Alliance test include the departments of the Army, Homeland Security, Housing and Urban Development, Treasury and Navy; Bureau of Alcohol, Tobacco, Firearms and Explosives; Centers for Disease Control and Prevention; Environmental Protection Agency; Federal Aviation Administration; Federal Bureau of Investigation; Federal Communications Commission; Food and Drug Administration; Secret Service; and the White House.

The Alliance said it conducted its analysis between April 3 and 13, examining the public DNS Domain Name Systems--records of government agencies, as well as millions of e-mails sent to individuals purporting to come from the legitimate domains. Criteria for top U.S. government sites included one or more of the following: past incidence of spoofing and phishing, site traffic and risk of potential exploit for financial data and/or disseminating misleading consumer information.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.