More than 95 percent of White House email domains lack a security feature that prevents them from being used in massive phishing attacks, according to a Wednesday report from a cybersecurity industry group.

The Homeland Security Department mandated those email protections across government in October with a January deadline, but about 40 percent of agency email domains still hadn’t installed the tool as of February 13.

Out of 26 EOP email domains, 18 have not even begun deploying the tool, known as Domain Message Authentication Reporting and Conformance, or DMARC, according to the Global Cyber Alliance report.

Among the eight remaining domains, only Max.gov had implemented DMARC to actually block spoofed emails, while the other seven had implemented it to monitor, but not prevent, delivery of those emails. Max.gov offers collaboration tools to government employees, such as collaborative document editing and file sharing.

In addition to Whitehouse.gov emails, the White House also manages email domains for the Office of Management and Budget, the U.S. Trade Representative and the Office of Science and Technology Policy among others.

DMARC essentially pings a sender’s email domain—irs.gov, for example—and asks if the sender—say, willie.nelson@irs.gov—is legitimate. If the domain says the sender is illegitimate, DMARC can send the email to the recipient’s spam folder or decline to deliver it entirely.

DMARC must be installed on both email services to work. If it is, the tool will both prevent federal employees from opening phishing emails from spoofed accounts and prevent hackers from spoofing federal domains to trick people into opening malicious emails.

More than 80 percent of commercial email inboxes are protected by DMARC because it’s standard among major providers including Google, Yahoo and Microsoft.

Prior to the DMARC order, about one in eight emails that appeared to be sent from a federal government address was fraudulent, according to research from the cybersecurity firm Proofpoint.