DMARC is an anti-email-spoofing tool that mail-server administrators can enable; it's designed to reject emails with forged return addresses.
Valimail, an email security company (and thus not a neutral party on this matter) probed the mailserver configurations of the three largest electoral districts in each state, and reports that 10 out of 187 of the servers they analyze have a properly configured DMARC system. The rest either do not have DMARC (66%) or had misconfigured it (28%). The researchers note that three key swing states (AZ, FL, NC) have no spoofing protection for the mailservers for their three largest districts.
The worry is that attackers could use the lack of DMARC to impersonate legitimate email addresses to send targeted phishing or malware in order to gain a foothold on election networks or launch attacks, steal data or delete it altogether, a move that would potentially disrupt the democratic process.
"It does not require a stretch to imagine attackers impersonating election officials via spoofed domains in order to spread disinformation, conduct voter misdirection or voter-suppression campaigns, or even to inject malware into government networks," said Valimail's Seth Blank, who authored the research.