By Excello Mail Team

One in Three University Domains Enforces DMARC. The Other Two-Thirds Are Wide Open.

Valimail’s 2026 sector data puts higher education DMARC enforcement at just 33.71% – the lowest of any industry. Proofpoint’s analysis of 100 Australian universities found 66% lack p=reject. Clemson and the University of Toronto went live with enforcement in the past 30 days. Here is what is driving the gap.

Data from Valimail’s 2026 State of DMARC Report establishes higher education as the worst-performing sector for DMARC enforcement of any industry category measured. Universities, colleges, and schools sit at just 33.71% enforcement – a figure that places the sector behind retail, manufacturing, financial services, healthcare, and every other vertical tracked. The only sector that comes close is arts and recreation at 31.61%.

Proofpoint’s February 2026 analysis of the top 100 Australian universities reached a consistent finding: 66% of those institutions have not implemented DMARC at the p=reject level. Another 7% of the surveyed institutions publish no DMARC record at all. In the United States and Canada, research from dmarcian found that 60% of university domains are susceptible to phishing exploits because they either have no DMARC record, contain errors in their records, or are set to p=none.

The sector is not static. A wave of institutions moved to enforcement in recent weeks. Clemson University began enforcing DMARC for third-party email senders on June 2, requiring all departments and divisions using external platforms to send university-domain email to verify their configurations meet the new policy. The University of Toronto brought its enforcement change live on May 1. Cornell University enforces p=reject on all @cornell.edu addresses, blocking messages worldwide that fail authentication. But progress is uneven, and the data makes clear the sector still has the furthest to travel.

Why University Domains Are So Complex to Protect

Higher education presents a DMARC enforcement challenge that few other organizations face at the same scale. A typical mid-size university might have dozens of departments, each running its own email communications with separately managed vendor relationships. Add alumni relations platforms, student housing notification systems, research notification services, learning management systems, athletics communications, ticketing platforms, HR workflows, student aid processing, and emergency alert systems – and the picture of a single institution’s sending infrastructure becomes genuinely complicated.

Every one of those third-party platforms sends email using the university’s domain. If any of them is not configured with proper DKIM signing or not covered by the institution’s SPF record, moving to p=reject will block their mail. And because universities typically operate in decentralized governance structures – where each school or department controls its own vendor relationships – the work of identifying and authenticating every sending source is not a single project. It requires cross-institutional coordination across stakeholders who may have no prior reason to communicate with the security team.

That complexity is the primary reason Valimail’s sector data looks the way it does. It is not that higher education security teams lack expertise or commitment. It is that the authentication surface area of a large research university is structurally larger and more distributed than most enterprise environments, and reducing it to a state where p=reject can be safely applied takes more time, more coordination, and more tooling than simpler organizations require.

What Attackers Do With Open University Domains

The practical consequence of an unenforced or absent DMARC policy on a university domain is that anyone can send email that appears to come from that institution. University domains are high-value impersonation targets.

Research from dmarcian documents real-world outcomes: phishing campaigns using university email identities have resulted in bank credential harvesting from students and staff, and – significantly – the redirection of student financial aid disbursements into fraudulent accounts. A convincing email appearing to come from financial.aid@[university].edu asking a student to update their direct deposit information does not require any access to university systems. It requires only that the university domain has no enforcement policy.

The threat is not limited to students. Faculty at research institutions receive grant notifications, data-sharing requests, and collaboration invitations referencing the university identity. Administrators handle payroll, vendor payments, and HR data. In each case, a spoofed message arriving from a recognized institutional domain bypasses the basic heuristic that recipients use to determine trust. A Proofpoint study found that 97% of top universities across Australia, the US, and the UK were putting students, staff, and stakeholders at risk of being impersonated by cybercriminals – a figure largely driven by the absence of enforcement-level DMARC.

The Enforcement Wave Is Real but Narrow

The announcements from Clemson and the University of Toronto are part of a broader pattern. Multiple institutions have quietly moved to enforcement in 2026 as they have worked through the source-mapping phase that precedes policy changes. Valimail’s sector figure of 33.71% means that more than one-third of measured higher education domains have completed that work – a meaningful number that did not exist two or three years ago.

But it also means that two-thirds remain at monitoring level or lower. For institutions at p=none, the aggregate reports being generated right now contain the information needed to map every legitimate sending source. That data already exists. The gap between having it and acting on it is operational, not technical.

For institutions that have not yet published any DMARC record, the first step is simply publishing p=none with a rua reporting address. Within weeks, the picture of what is sending as the institution’s domain becomes visible – including sources that IT teams may not have known existed.

The Structural Problem That Third-Party Email Platforms Create

The specific trigger for Clemson’s June 2 enforcement action – requiring third-party apps to meet DMARC compliance – points at the most common blocking point for higher education institutions trying to reach p=reject.

A university might have its core infrastructure on Microsoft 365 or Google Workspace, with DKIM signing properly configured for those environments. But when a department spins up a new email marketing platform, a student organization adopts a newsletter tool, or a research group configures automated notifications through a cloud service, that new sender immediately becomes an authentication gap. Unless someone proactively adds the service to the SPF record and configures DKIM signing, the first indication that anything is wrong is a DMARC aggregate report showing authentication failures – or, if enforcement is already on, bounced mail.
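The source-mapping step described above and in the previous section (reading the aggregate reports a p=none policy generates to find every sender, and in particular the third-party tools that authenticate only under their vendor’s domain) can be done with a short script. The following is an added example in Python, not code from the original article or from Excello Mail. The report, IP addresses and domains (university.example, newsletter-vendor.example, receiver.example) are constructed; only the RUA XML element names follow the aggregate report format.

```python
"""Sort the sending sources in a DMARC aggregate (RUA) report into buckets
a university security team can act on before moving past p=none.
Added example; the report below is constructed and uses documentation IP
ranges and .example domains."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed RUA report for a fictional university.example domain: a
# correctly aligned core mail platform, a departmental newsletter tool that
# signs with the vendor's own domain, and a source with no authentication.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published>
    <domain>university.example</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>university.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>university.example</domain><result>pass</result></dkim>
      <spf><domain>university.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>university.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>newsletter-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.newsletter-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>university.example</header_from></identifiers>
    <auth_results><spf><domain>university.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return (policy domain, list of per-record dicts) from a RUA report."""
    root = ET.fromstring(xml_text)
    policy_domain = root.findtext("policy_published/domain")
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        auth = rec.find("auth_results")

        def passing(kind):  # domains for which the raw SPF/DKIM check passed
            elems = auth.findall(kind) if auth is not None else []
            return [e.findtext("domain") for e in elems if e.findtext("result") == "pass"]

        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # policy_evaluated carries the *aligned* DKIM/SPF verdicts
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "dkim_pass_domains": passing("dkim"),
            "spf_pass_domains": passing("spf"),
        })
    return policy_domain, rows


def classify(row):
    """aligned: passes DMARC today and would keep passing at p=reject.
    unaligned: authenticates, but only for another domain; the classic
    third-party tool that still needs DKIM for the university domain.
    unauthenticated: no passing SPF or DKIM at all (spoof or unknown relay)."""
    if row["dkim_aligned"] or row["spf_aligned"]:
        return "aligned"
    if row["dkim_pass_domains"] or row["spf_pass_domains"]:
        return "unaligned"
    return "unauthenticated"


def summarize_sources(xml_text):
    """Message count per source IP, its bucket, and the domains it really authenticated as."""
    _, rows = parse_aggregate_report(xml_text)
    summary = defaultdict(lambda: {"count": 0, "category": None, "auth_domains": set()})
    for r in rows:
        entry = summary[r["source_ip"]]
        entry["count"] += r["count"]
        entry["category"] = classify(r)
        entry["auth_domains"].update(r["dkim_pass_domains"] + r["spf_pass_domains"])
    return dict(summary)


def messages_blocked_at_reject(xml_text):
    """How many reported messages a p=reject policy would have refused."""
    return sum(v["count"] for v in summarize_sources(xml_text).values()
               if v["category"] != "aligned")


if __name__ == "__main__":
    for ip, info in summarize_sources(SAMPLE_REPORT).items():
        print(f"{ip:16} {info['count']:6d}  {info['category']:16} {sorted(info['auth_domains'])}")
    print("would be rejected at p=reject:", messages_blocked_at_reject(SAMPLE_REPORT))
```

The “unaligned” bucket is the one worth the follow-up: the 340 messages from 198.51.100.25 are signed and SPF-authorised, but for newsletter-vendor.example rather than the university, which is exactly the department-adopted tool that bounces the day enforcement is switched on.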

The Clemson model – requiring departments to submit a verification request before using a third-party email tool – is a governance approach that works around the decentralization problem. It inserts a checkpoint before new senders go live rather than trying to remediate them after the fact.

What Google and Microsoft Require Is Not Sufficient Protection

Both Google and Microsoft have set DMARC requirements for bulk senders, with p=none as the minimum. Universities that publish a p=none policy have satisfied the mailbox provider requirements. They have not protected their domain.

p=none tells receiving mail servers to deliver unauthenticated email and report on it. A phisher spoofing a university domain to target prospective students with a fake financial aid application, or impersonating a dean to conduct a gift card scam against staff, passes straight through a p=none policy. The institution receives an aggregate report. The victim receives the message.

The distance from p=none to p=reject is not primarily a technical distance. It is the time required to work through aggregate report data, identify every legitimate sending source, verify authentication for each one, and progress through p=quarantine before reaching full rejection. For a large research university with hundreds of sending systems, that process takes months. For a smaller institution with centralized IT control, it can take weeks.
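To make the p=none, p=quarantine and p=reject distinction and the pct-staged rollout concrete, here is an added Python evaluator (not the article’s or Excello Mail’s code) that applies a published DMARC record to one message’s authentication results and returns the disposition a receiver would apply. The organizational-domain lookup is a simplified last-two-labels assumption rather than a Public Suffix List lookup, and every domain and address used is fictional.

```python
"""Evaluate what a DMARC record does to one message, given the domains for
which raw DKIM and SPF passed.  Added example; organizational-domain
lookup is simplified and all domains are fictional."""


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=reject; pct=50; ...' into a lower-cased tag dict."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required p tag")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels.  Real receivers
    consult the Public Suffix List; this shortcut is an assumption of the example."""
    return ".".join(domain.lower().split(".")[-2:])


def is_aligned(header_from, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match with the
    From: domain, relaxed ('r') only the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate(record_txt, policy_domain, header_from,
             dkim_pass_domain=None, spf_pass_domain=None, sample=100):
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message.
    dkim_pass_domain / spf_pass_domain: domains (if any) for which the raw
    checks passed.  sample: a 1..100 draw standing in for the receiver's
    random pct selection."""
    tags = parse_dmarc_record(record_txt)
    if (is_aligned(header_from, dkim_pass_domain, tags.get("adkim", "r"))
            or is_aligned(header_from, spf_pass_domain, tags.get("aspf", "r"))):
        return "pass"
    # Mail from a subdomain of the policy domain uses sp= when present.
    policy = tags["p"]
    if header_from.lower() != policy_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    # pct: messages outside the sample get the next less severe action,
    # which is what makes a staged reject rollout possible.
    pct = int(tags.get("pct", "100"))
    if sample > pct:
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, policy)
    return policy


if __name__ == "__main__":
    monitoring = "v=DMARC1; p=none; rua=mailto:dmarc-rua@university.example"
    enforcing = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@university.example"
    # A message with no passing authentication, i.e. the spoofed financial-aid mail
    print("p=none   ->", evaluate(monitoring, "university.example", "university.example"))
    print("p=reject ->", evaluate(enforcing, "university.example", "university.example"))
```

The first two calls in the usage block are the article’s point in miniature: the same unauthenticated message is delivered and merely reported under p=none, and refused under p=reject. The pct tag is what lets an institution move to p=reject gradually, since unsampled messages fall back to quarantine rather than being rejected.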

The Standard That Is Emerging

What Clemson, Toronto, and Cornell have done represents the direction of travel for the sector. The institutional pressure to move beyond the mailbox provider compliance floor is increasing as phishing attacks on academic communities grow more sophisticated and as regulatory frameworks in several jurisdictions begin treating email authentication as a security baseline rather than a best practice.

Higher education has structural challenges that other sectors do not. But those challenges have solutions, and the institutions that have moved to p=reject demonstrate that the work is achievable. The 33.71% that have made it through is not a ceiling. It is the evidence that the path exists.


Every legitimate sending source your institution uses shows up in DMARC aggregate reports – but only if you have the right tools to read them. Excello Mail maps your full sending infrastructure, identifies every authentication gap, and guides you from p=none to p=reject without disrupting legitimate mail. Sign up free to Excello Mail and see exactly where your domain stands.