How do you know if that email from the IRS is really from the federal agency? It’s not always easy to tell if something you get from a .gov address is the real deal or just a scam.

But the Department of Homeland Security on Monday announced a move that should help put an end to impostor emails. All federal agencies have been given 90 days to implement DMARC, a basic email security feature that prevents spoofing.

“You got a lot of people trying to trick people into thinking they’re from the IRS, or vice versa, trying to get into US government systems via phishing attacks,” said Jeanette Manfra, an assistant secretary in the agency’s office of cybersecurity and communication, while announcing the order at the Manhattan District Attorney’s office.

DMARC, which stands for “Domain-based Message Authentication, Reporting and Conformance,” is used by the majority of consumer email systems, like Gmail, Outlook and Yahoo. But DMARC has a harder time finding its way to government email addresses, where people could pretend to be from a senator’s office or a government agency as part of a scam.

In July, Sen. Ron Wyden, a Democrat from Oregon, penned a letter to Manfra requesting that federal agencies be required to implement DMARC (PDF). That was after hackers reportedly used spoofed emails pretending they were members of the Pentagon in May. And the IRS reported a four-fold jump in spoofing attacks in 2016 from 2015.

Under the new requirements, DMARC would be able to stop these impersonation attacks, Manfra said.

The DHS is also requiring all federal agencies to update their websites to use HTTPS, a secured version of web pages that prevent snoops from seeing your traffic online. About half of the websites online use HTTPS, but about one-quarter of all federal government sites still don’t. 

The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.

iHate: CNET looks at how intolerance is taking over the internet.