Twenty-five percent of all emails that appear to come from federal agencies, including those with .gov domains, are either fraudulent or unauthenticated messages, according to findings from researchers at email security firm Agari.

The experts at the company warned that the high rate of fraud among domains that appear to be from official and trusted sources leaves government agencies at risk of falling victim to phishing attacks that may compromise important accounts or other sensitive information.

Agari found just nine percent of domains have implemented Domain-based Message Authentication, Reporting and Conformance, otherwise known as DMARC, a security protocol that is used to combat phishing attacks that use spoofed email addresses.

DMARC is an authentication standard that rejects messages that come from an unrecognized or unauthorized source. Such messages are a relatively common phishing tactic, in which an attacker uses a spoofed domain to make it appear as though an email is coming from a trusted source.

The protocol is widely considered to be an essential security protection for businesses and other organizations and is already used by a number of major email providers including Google and Microsoft.

Agari’s report found DMARC essentially eliminates spoofing attempts from government domains. In one case, Agari said DMARC prevented the delivery of more than 100 million fraudulent email messages in a 24-hour period.

Because most government domains lack DMARC protection configured to block phishing attempts, unauthenticated emails slip through the cracks. Agari reported nearly 82 percent of the 1,300 federal domains it researched lack any form of DMARC protection.
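The difference between publishing a DMARC record and configuring it to block spoofed mail can be checked from the record text itself. The following is an added example, not code from Agari's report: the domain names and records are constructed, the category labels are this example's own, and the DNS lookup of the `_dmarc` TXT record is assumed to have been done already.

```python
from collections import Counter

SAMPLE = {  # constructed records for placeholder domains
    "a.example.gov": "v=DMARC1; p=reject; rua=mailto:dmarc@a.example.gov",
    "b.example.gov": "v=DMARC1; p=none; rua=mailto:dmarc@b.example.gov",
    "c.example.gov": "v=DMARC1; p=quarantine; pct=25",
    "d.example.gov": None,           # no _dmarc TXT record published
    "e.example.gov": "v=spf1 -all",  # an SPF record, not DMARC
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    tags = []
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:  # skip empty or malformed fragments
            tags.append((key.strip().lower(), value.strip()))
    # RFC 7489: the first tag must be v and its value exactly "DMARC1"
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def classify(txt):
    """Label one record: no-dmarc, invalid-policy, monitor-only,
    partial-<policy> (pct below 100), quarantine or reject."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "no-dmarc"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid-policy"  # reported as-is; no fallback is applied here
    if policy == "none":
        return "monitor-only"    # reports are sent, spoofed mail is still delivered
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    return policy if pct >= 100 else "partial-" + policy

def audit(records):
    """Count domains per enforcement level."""
    return Counter(classify(txt) for txt in records.values())

if __name__ == "__main__":
    for label, count in sorted(audit(SAMPLE).items()):
        print(f"{label:20} {count}")
```

Only the `reject` label corresponds to a domain whose policy asks receivers to refuse every message that fails authentication; `monitor-only` domains publish DMARC but do not block anything.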

Attackers seem to be quite aware of the security weakness in the government’s system as well. Agari found that 90 percent of the roughly 400 government domains the firm protects were targeted by deceptive emails with spoofed federal domains between April and October of this year. A total of 85.6 million fraudulent emails were sent during that period.

The government is not alone in its slow adoption of the security standard. Earlier this year, a study revealed that just 39 of the 500 companies—or about eight percent—listed in the Forbes 500 are currently making use of DMARC, leaving 92 percent of the largest and most profitable organizations in the world at risk of a security breach carried out through phishing emails.

Luckily, some agencies have started to come around on the protocol and will soon be secure from these types of spoofing attacks. Earlier this month, the United States Department of Homeland Security announced that it will soon require other federal agencies to adopt DMARC.

The change in policy, announced by Homeland Security's deputy undersecretary for cybersecurity Jeanette Manfra, will give federal agencies 90 days to implement the DMARC standard.

The change in policy comes after an ongoing push by Senator Ron Wyden, D-OR, who criticized the Department of Homeland Security earlier this year for failing to implement DMARC.