More than 25 percent of emails from federal email addresses are not actually from the government, according to an email security company with extensive federal contracts.

The figure comes from a study released Thursday by the contractor Agari.

Agari fights email fraud on behalf of more than 400 federal websites, including the official sites of the departments of Health and Human Services and Veterans Affairs, the Census Bureau and the Senate.

ADVERTISEMENT

Though emails list who a message is "from," the email protocol does nothing to check if a message actually was sent by the address listed in the "from" field.

There is a newer protocol that can automatically authenticate emails, known as DMARC. That protocol double-checks that messages were sent by their listed senders, allowing fake emails to be deleted or sent to spam. The Department of Homeland Security (DHS) this week issued a directive requiring all federal agencies to implement DMARC.

Agari and other providers can be used to set up DMARC and Agari based its statistics on DMARC authentication.

In more than 335 million federal emails Agari studied, more than 85 million were fake.

Agari notes that only 18 percent of federal web domains have DMARC. And, of those, more than half do not take advantage of DMARC's option to request email providers delete fraudulent emails or send them to spam folders.

The DHS order gave agencies 90 days to implement DMARC and one year to begin requesting that fabricated emails be deleted.