A year ago, the Department of Homeland Security gave nearly all civil federal agencies 12 months to adopt an email security standard that prevents email fraud. In data as recent as Monday, 2 sets of researchers show that between a quarter and a half of those agencies' web domains failed to meet the Tuesday deadline.
Why it matters: Email was not designed to check whether a message claiming to be from an email address actually came from that address, and that's a big gap. Just imagine how much chaos an attacker could cause by sending fraudulent email messages from "evacuation-warnings@EPA.gov." When properly set up, DMARC plugs that security hole.