WASHINGTON ― Some 25 percent of emails claiming to be from the federal government are either unauthenticated or malicious, according to a new report from cybersecurity firm Agari.

In the report, Agari notes federal agencies will continue to suffer from excessive malicious emails without the usage of proper Domain-based Message Authentication (DMARC) monitoring policies. The company concluded that 90 percent of the 400 federal domains are vulnerable to these types of threats.

Agari believes that this is because 82 percent of federal domains do not use DMARC email authentication standards. This factor increasingly leaves constituents vulnerable to phishing and general email-based cyberattacks that can involve the theft of passwords, installation of ransomware, or the conning of users to send money.

DMARC is an email authentication system that discovers and potentially rejects unauthorized emails that appear from organization controlled domains before reaching the intended recipients. The U.S. Department of Homeland Security issued a binding operational directive this week that ordered DMARC usage as a part of a greater mandate to increase federal agency email and web security.

Agari showcases how even the few federal domains that do have DMARC programs are still vulnerable to virulent email activity, as they do not have a strict “reject” policy.

About 9.3 percent of federal DMARC domains have policies that only “monitor” authentication abuses and not block them. Furthermore, less than 1 percent of DMARC domains have a “quarantine” (spam folder) policy, and only 8.9 percent have the “reject” policy. Agari emphasizes how DMARC cannot be effectively used in a federal domain without having “quarantine” or “reject” policies.

Agari ultimately finds that many organizations have difficulty transitioning from the first stage of DMARC, i.e the “monitor policy,” to the “quarantine” and “reject” policies. This is because large organizations must identify who is sending emails on their behalf, and then authenticate said emails before their policy is changed. Agari seems to suggest that this process can be arduous for one organization alone, as they subsequently offer their analytics and workflow services to better help organizations transition to DMARC “reject” policies.