Some of the most sensitive U.S. government departments and agencies still aren’t using a basic email security feature that would significantly cut down on incoming spam or phishing emails.

Fifteen percent of all U.S. government domains still aren’t employing DMARC, or domain-based message authentication, reporting, and conformance policy on their domains, which email systems use to verify the identity that the sender of an email is not an impersonator.

New data from security firm Agari shows that out of over a thousand federal domains, 75 percent have a DMARC policy that either monitors, quarantines to your spam folder or entirely rejects all spoofed emails.

But the CIA, the NSA, and the Department of Defense are among the outliers still haven’t rolled out DMARC across their web domains.

That’s despite Tuesday’s deadline for BOD 18-01, a directive issued by Homeland Security that ordered the rollout of DMARC a year ago, following complaints by a leading Democratic senator.

BOD 18-01 aimed to improve email and cybersecurity across the federal government by introducing email encryption (STARTTLS) and doubling down on use of HTTPS certificates across the government. By cranking up the DMARC settings to its safest by outright rejecting unverified email, government departments would comply with the directive by bouncing any unauthenticated email from user inboxes.

That may not sound too important, but it means that now that a sizable portion of the federal government — and intelligence agencies — aren’t protected against an easy class of impersonated emails.

According to Agari’s breakdown:

CIA has 9 out of 10 domains without a DMARC record;

Neither of the NSA’s two domains have DMARC records;

The White House’s Executive Office of the President has half of its domains lacking a DMARC record’

The Director of National Intelligence, which co-ordinates the entire U.S. intelligence apparatus, also has all 17 domains without a DMARC record;

Defense Dept. has 32 out of 35 domains without a DMARC record;

And even Homeland Security, which instituted the policy, has 3 out of 33 domains without a DMARC record.

And those are the worst contenders. Only a handful of departments are fully compliant.

Proofpoint, which issued similar research Monday with approximately the same data — said that it estimates about 60 percent of the federal government is fully compliant with the directive.

The government isn’t the only outlier. Only one-third of the Fortune 500 are said to use DMARC on their domains.