The Email Security Standard Your Domain Probably Fails — And How to Fix It
Sachin Jain
Apr 30, 2026
Over the past few months, we have been analyzing email security posture across thousands of US public-sector domains — state agencies, school districts, local governments, and public universities. What we found is a gap that should not still exist in 2026.
In October 2017, the Department of Homeland Security — now CISA — issued Binding Operational Directive 18-01. It was not a suggestion. Every federal executive branch agency was ordered to enforce DMARC p=reject, publish SPF records, sign outbound mail with DKIM, enable STARTTLS on all mail servers, and deploy HTTPS with HSTS on every public-facing website. The timeline was aggressive: 90 days for initial DNS records, 120 days for HTTPS hardening, one year for full DMARC enforcement at p=reject with pct=100.
Every federal agency had to comply. By 2018, most did.
Then nothing happened for everyone else.
The SLED Gap
US SLED — state agencies, local governments, K-12 school districts, higher education — handles some of the most sensitive data in the country: student records, Medicaid claims, constituent PII, law enforcement communications. Based on DNS analysis across thousands of public-sector domains, these organizations overwhelmingly fail the email security baseline that the federal government met in 2018.
Some have no DMARC record at all. Many have one set to p=none, which means: “I can see that someone is spoofing my domain. We have chosen not to stop it.”
DMARC configured is not DMARC enforced. A p=none policy is a monitoring stance. It generates reports. It blocks nothing. Every phishing email that spoofs your domain still lands in the recipient’s inbox. The record exists, so it looks like you did something. You didn’t.
The federal government closed this gap by mandate. SLED got left behind — not because the standards are secret or expensive, but because no one mandated it for them. The gap between “we have a DMARC record” and “our domain is protected” is where most SLED organizations sit today.
The Human Impact: 58 Million People at Risk
Email security gaps are not abstract technical metrics. To understand what these numbers mean in human terms, we analyzed 19,281 K-12 school districts — matched against 100,081 operational schools from the NCES Common Core of Data (CCD) 2024-2025 file — and combined the results with NCES national averages: 381 students per school, 51 staff and educators per school, and 2 parents or guardians per student.
| Population | Total in Dataset | At Risk (No DMARC, 48.3%) | Critically Exposed (Grade F, 15.1%) |
|---|---|---|---|
| Students | 38.1 million | 18.4 million | 5.8 million |
| Parents and guardians | 76.3 million | 36.8 million | 11.5 million |
| Staff and educators | 5.1 million | 2.5 million | 770,000 |
| Total people | 119.5 million | 57.7 million | 18.0 million |
Nearly 58 million people — students, parents, and educators — are associated with K-12 districts that lack DMARC email authentication. Their districts can be impersonated by anyone sending a spoofed email. An additional 18 million are in Grade F districts with minimal or no email authentication at all.
These are children, families, and teachers who can receive forged phishing emails from their schools without detection. A spoofed email from a school district domain lands in a parent’s inbox looking identical to a legitimate message. Report cards, emergency notifications, payment requests, and field trip authorizations — all can be easily forged when DMARC is absent or unenforced.
Estimates use NCES 2023-2024 national averages applied to operational school counts from CCD 2024-2025. Individual district enrollment data can be linked via NCES LEAID for precise counts.
What BOD 18-01 Actually Requires
The directive covers five pillars. Here is what each one means in plain terms.
- STARTTLS — All mail servers must support opportunistic TLS encryption for mail in transit. This prevents passive eavesdropping on email between servers. It does not authenticate the sender — it encrypts the pipe.
- SPF (Sender Policy Framework) — A DNS TXT record that lists which IP addresses and mail servers are authorized to send email on behalf of your domain. Receivers check this record. If the sending server is not on the list, the message fails SPF.
- DKIM (DomainKeys Identified Mail) — A cryptographic signature attached to each outbound message. The receiving server verifies the signature against a public key published in your DNS. If the signature is valid, the message has not been tampered with in transit.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) — The policy layer that ties SPF and DKIM together. DMARC tells receiving servers what to do when a message fails authentication: nothing (p=none), quarantine it (p=quarantine), or reject it (p=reject). It also specifies where to send aggregate and forensic reports.
- HTTPS + HSTS — All public-facing websites must serve traffic over HTTPS with HTTP Strict Transport Security headers, and must disable legacy protocols: SSLv2, SSLv3, RC4, and 3DES.
The Compliance Timeline
BOD 18-01 laid out a phased rollout:
- 90 days (January 2018): STARTTLS on all internet-facing mail servers. SPF records and DMARC p=none published for all agency domains.
- 120 days (February 2018): HTTPS on all public websites. HSTS enabled. SSLv2, SSLv3, RC4, and 3DES disabled.
- 1 year (October 2018): DMARC p=reject at pct=100 on all agency domains.
The directive references NIST SP 800-177 (Trustworthy Email) as the detailed implementation guide. CISA also released two open-source scanning tools — trustymail for email authentication checks and pshtt for HTTPS best practices — so agencies could audit themselves.
The standards are public. The tools are free. The timeline was generous. Federal agencies met it. SLED still hasn’t — and it has been nearly a decade.
The 100-Point Scoring Rubric
To make this measurable, we built a scoring rubric that maps directly to the BOD 18-01 requirements. Three components, 100 points total: SPF (30), DKIM (30), DMARC (40). DMARC carries the most weight because it is the enforcement mechanism — without it, SPF and DKIM are informational only.
SPF Scoring (30 Points)
The SPF record ends with a qualifier that tells receivers how to handle messages from unauthorized senders:
| Qualifier | Meaning | Score |
|---|---|---|
| -all | Hard fail — reject unauthorized senders | 30 |
| ~all | Soft fail — flag but allow | 25 |
| ?all | Neutral — no opinion | 15 |
| +all | Permit all — anyone can send as you | 5 |
| Missing | No SPF record | 0 |
-all is the only correct answer for a production domain. ~all is defensible during a rollout period. +all is worse than missing — it explicitly authorizes the entire internet to send as your domain.
DKIM Scoring (30 Points)
| Status | Score |
|---|---|
| DKIM selector present and valid | 30 |
| Missing or unverifiable | 0 |
DKIM is binary in this rubric. Either your domain publishes a valid DKIM key and your mail provider signs outbound messages, or it does not.
DMARC Scoring (40 Points)
| Policy | Meaning | Score |
|---|---|---|
| p=reject | Reject unauthenticated mail | 40 |
| p=quarantine | Send to spam | 30 |
| p=none | Monitor only — deliver everything | 10 |
| Missing | No DMARC record | 0 |
Letter Grades
| Grade | Score | What It Means |
|---|---|---|
| A | 90-100 | Full enforcement. SPF hard-fail, DKIM signed, DMARC rejecting. |
| B | 70-89 | Strong posture with room to tighten. Likely ~all or p=quarantine. |
| C | 50-69 | Partial protection. Authentication exists, but enforcement is weak. |
| D | 30-49 | Minimal. Records exist but provide little real protection. |
| F | 0-29 | Effectively unprotected. Missing critical records. |
A domain with SPF -all (30), DKIM present (30), and DMARC p=reject (40) scores 100 — a perfect A. A domain with no SPF, no DKIM, and DMARC p=none scores 10 — an F. Both domains “have DNS records.” One is protected. The other is not.
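The rubric above, implemented as an added worked example (not the scorecard's own code): it scores SPF, DKIM and DMARC from already-fetched DNS TXT strings rather than querying DNS, and the sample records are constructed, not real domains. Treating an SPF record with no `all` mechanism as `?all` is an assumption the rubric does not state.

```python
import re

# Point values from the rubric above: SPF 30, DKIM 30, DMARC 40 (100 total).
SPF_SCORES = {"-all": 30, "~all": 25, "?all": 15, "+all": 5}
DMARC_SCORES = {"reject": 40, "quarantine": 30, "none": 10}

def score_spf(txt):
    """Score an SPF TXT record by the qualifier on its 'all' mechanism (None = no record)."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return 0
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term.lower())
        if m:  # RFC 7208: a bare 'all' carries an implicit '+' qualifier
            return SPF_SCORES[(m.group(1) or "+") + "all"]
    # Assumption: no 'all' mechanism means unlisted senders get a neutral result
    # (RFC 7208 section 4.7), so the record is scored like '?all'.
    return SPF_SCORES["?all"]

def score_dkim(txt):
    """30 if the selector record publishes a non-empty public key (p=), else 0."""
    if not txt:
        return 0
    # An empty p= means the key was revoked, which the rubric treats as missing.
    return 30 if re.search(r"(?:^|;)\s*p=([A-Za-z0-9+/=]+)", txt) else 0

def score_dmarc(txt):
    """Score the p= tag; anything but v=DMARC1 with a known policy scores 0."""
    if not txt:
        return 0
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    if tags.get("v", "").upper() != "DMARC1":
        return 0
    return DMARC_SCORES.get(tags.get("p", "").lower(), 0)

def letter_grade(score):
    for threshold, grade in ((90, "A"), (70, "B"), (50, "C"), (30, "D")):
        if score >= threshold:
            return grade
    return "F"

def score_domain(spf, dkim, dmarc):
    """Return (score, grade) for the three TXT records; pass None for a missing one."""
    total = score_spf(spf) + score_dkim(dkim) + score_dmarc(dmarc)
    return total, letter_grade(total)

# Constructed sample records (not real domains) for the two cases the text walks through.
ENFORCED = ("v=spf1 include:_spf.example-mail.test -all",
            "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7CONSTRUCTEDKEY",
            "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.test")
MONITOR_ONLY = (None, None, "v=DMARC1; p=none; rua=mailto:dmarc@example.test")
```

`score_domain(*ENFORCED)` returns `(100, 'A')` and `score_domain(*MONITOR_ONLY)` returns `(10, 'F')`, the two domains compared in the paragraph above.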
How to Check Yours
We partnered with MonitorWorkspace to build a free public scorecard that runs this rubric against any domain in seconds. Powered by Lokentra’s research into operational risk signals, it checks:
- SPF record presence and qualifier (-all vs ~all vs missing)
- DKIM selector presence and validation
- DMARC policy level (p=reject / p=quarantine / p=none / missing)
- MX provider identification (Google Workspace, Office 365, etc.)
- CAA record presence (controls which certificate authorities can issue certs for your domain)
No login required. No email capture. Enter a domain, get a score.
Run your domain through the MonitorWorkspace scorecard — no login required: https://www.monitorworkspace.com/scorecard
If you want a gentler introduction to DMARC before diving into the scoring — what it is, why it matters, how to read your own record — see the DMARC deep dive for non-technical readers.
Where Does Your Domain Stand?
The directive was in 2017. The compliance deadline was 2018. The threat landscape has only gotten worse. Business email compromise losses exceeded $2.9 billion in 2023, according to the FBI’s IC3 report. Domain spoofing remains the most common vector for impersonation attacks. And with AI-generated phishing now producing messages indistinguishable from legitimate correspondence, domains running p=none are far more exposed than when this directive was issued.
The federal government fixed this for itself in 2018. The standards are not new. The tools are not expensive. The DNS records take minutes to publish. The only question is whether your SLED organization has moved past p=none — or is still watching spoofed emails land in your stakeholders’ inboxes and calling it a monitoring strategy.
The feds caught up. Has your district, agency, or campus?