The State of Email Security 2026
We ran live SPF/DMARC/DNSSEC checks on 218 of the country's best-known domains across six industries. Nearly one in four can be spoofed by anyone today, and the worst offenders aren't who you'd guess.
If a domain doesn't enforce DMARC, anyone can send email that looks like it came from that organization, whether to its students, citizens, customers, or staff. It's the single most important defense against email impersonation and phishing, and it's free to turn on. So we checked who actually has.
Email Posture scanned 218 prominent domains across leading SaaS companies, the Fortune 500, top hospitals and health insurers, education-technology platforms, major universities, and U.S. state and local governments, using the same public DNS checks that power our free checker. For each one we measured whether the domain enforces DMARC (a policy of quarantine or reject), merely monitors (p=none, which stops nothing), or has no DMARC at all.
[Chart] % of scanned domains that actually block spoofed mail (policy = quarantine or reject). Higher is better.
n = 218 domains. Federal .gov is excluded because it's largely compliant under the CISA BOD 18-01 mandate; this study targets the unmandated state and local level. Source: Email Posture, emailposture.com (June 20, 2026).
While SaaS companies (100%) and the Fortune 500 (90%) have largely locked their doors, higher education and state/local government both sit at just 58% enforcement. That means roughly 42% of the best-known universities and governments we checked can be impersonated by email right now. These are institutions that send financial-aid notices, tax and benefits messages, and password resets to millions of people.
Seventeen of the 40 top universities we scanned publish a DMARC record set to p=none, among them several Ivy League schools and some of the largest public research universities in the country. They can see spoofing in their own reports, but they've told the world's mail servers to deliver it anyway.
⚑ Worst case: no DMARC record at all
Four U.S. states publish no DMARC record whatsoever on their primary .gov domain. That's the email-security equivalent of leaving the front door wide open:
A further 13 states and major cities, among them California, Georgia, Washington, Maryland, Colorado, Wisconsin, and Houston, publish DMARC but leave it at p=none, which provides no protection.
We added healthcare and education-technology because both are frequent breach targets, and we wanted to see whether weak email authentication tracked with that. The honest answer is mostly no. Healthcare (80%) and edtech (79%) land mid-pack, well ahead of universities and government, and large hospital systems and health insurers are, by and large, doing this right.
The one soft spot is narrower. Among the platforms that hold the most K-12 student data, several of the most widely used classroom and student-information systems we checked have not turned on DMARC enforcement, leaving them at p=none or weaker.
⚑ K-12 student-data platforms lag on enforcement
Several widely used classroom and student-information platforms we scanned sit at p=none, which offers no protection against spoofing. This is a single configuration measure, not a verdict on any company's overall security, and we draw no connection to any past incident.
One protection is neglected almost everywhere: DNSSEC, which cryptographically signs DNS records so they can't be forged in transit. Just 18% of all scanned domains are signed, and the Fortune 500 is the worst of any group at 10%. The biggest companies in America have skipped a basic, decades-old DNS protection.
Every result was produced with live, public DNS lookups over DNS-over-HTTPS, the same checks behind the free Email Posture checker, so anyone can reproduce them. For each domain we read the DMARC record at _dmarc.<domain> and classified its policy (reject, quarantine, none, or missing), and checked for a DNSSEC signature. A few notes for fairness. This is a sample of prominent organizations, not a census. Federal .gov is excluded because DMARC is federally mandated there. DKIM is not part of the headline grade because its selector can't be discovered by an external scan. And the comparison with breach history is observational; we do not claim that weak email authentication caused any breach.
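The classification step described above, as an added example (not Email Posture's own code): it reads the TXT record at _dmarc.<domain>, parses the p= tag, and buckets the domain into the study's four categories, going a little further by handling malformed records and the pct= sampling rule from RFC 7489. The lookup_txt helper assumes Cloudflare's public DoH JSON endpoint and uses the resolver's AD flag as the "DNSSEC-validated" signal; both are assumptions, not the study's stated tooling.

```python
"""Bucket a domain's DMARC posture: read TXT at _dmarc.<domain>, find p=,
and classify as reject / quarantine / none / missing (plus 'invalid' for
records a receiver would ignore). Added example, not Email Posture's code."""
import json
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"  # assumed DoH resolver


def lookup_txt(name: str) -> tuple[list[str], bool]:
    """Return (TXT strings, AD flag) via DoH JSON. AD=True means the
    validating resolver verified DNSSEC for this answer (assumed signal)."""
    req = urllib.request.Request(f"{DOH_URL}?name={name}&type=TXT",
                                 headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        data = json.load(resp)
    txt = [a["data"].strip('"').replace('" "', "")  # join split strings
           for a in data.get("Answer", []) if a.get("type") == 16]
    return txt, bool(data.get("AD"))


def parse_tags(record: str) -> dict[str, str]:
    """'v=DMARC1; p=none; rua=...' -> {'v': 'DMARC1', 'p': 'none', ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(txt_records: list[str]) -> str:
    """Same buckets as the study, plus the edge cases receivers apply:
    multiple DMARC records are ignored entirely (RFC 7489 6.6.3), a bad p=
    falls back to none only if rua= exists, and pct=0 downgrades one step."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing"
    if len(dmarc) > 1:  # receivers must not apply any of them
        return "invalid"
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 6.6.3: missing/unknown p= is treated as p=none when rua= is set
        return "none" if tags.get("rua") else "invalid"
    if tags.get("pct") == "0":  # 0% sampled: apply next-less-strict policy
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return policy


def enforces(txt_records: list[str]) -> bool:
    """True only for the policies the study counts as blocking spoofed mail."""
    return classify_dmarc(txt_records) in ("quarantine", "reject")
```

To reproduce one row, call `lookup_txt("_dmarc.<domain>")` and pass the returned TXT list to `classify_dmarc`; the AD flag is True only when the resolver validated a signed zone.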
Source: Email Posture, emailposture.com. Findings reflect public DNS records as of June 20, 2026 and can change over time. If your organization has updated its configuration, contact us and we'll re-check and update the record. Free to cite with attribution and a link; full per-domain results available on request.
Find out in ten seconds. Email Posture checks your SPF, DKIM, DMARC, and DNSSEC, grades your setup, and tells you exactly what to fix, in plain English, with no signup.