← Blog
86% of Top Universities Have DMARC. Only 28% Actually Enforce It.

By DMARCdrift Team

86% of Top Universities Have DMARC. Only 28% Actually Enforce It.

4 min readdmarcuniversitieshigher-educationresearch

Top universities have the worst enforcement gap of any sector we track: 86% have published a DMARC record, but only 28% enforce it. A spoofed email appearing to come from Harvard's financial aid office or Stanford's registrar will be delivered to the inbox at 72% of these institutions.

The 58-point gap between deployment and enforcement is wider than Fortune 100 companies, federal agencies, and banks. Publishing a record at p=none signals awareness. It does not stop a single phishing email.

The numbers

We checked the top 50 universities by US News ranking in May 2026:

  • 86% have a DMARC record (43/50)
  • 28% at p=reject (14/50)
  • ~58% have DMARC but at p=none or p=quarantine (deployed, not protecting)
  • 14% have no DMARC record (7/50)

28% enforcement is the lowest of any category except state governments (26%).

Why university domains are high-value targets

Financial aid scams. Spoofed emails appearing to come from a university's financial aid office are a persistent phishing category. "Your aid disbursement requires verification" is a credible message when it comes from a recognized university domain. Students in financial need click.

Research grant phishing. Faculty and researchers receive funding-related communications regularly. Spoofed notifications about grant renewals, review requests, or award letters target valuable credentials and financial information.

Credential theft at scale. Universities are among the largest credential stores outside of social media platforms: student and staff accounts, library access, institutional email, research systems. A phishing campaign against a major university's email population has substantial yield.

Affiliated hospital systems. Many top universities have major affiliated medical centers. The phishing risk extends to the healthcare attack surface: patient data, clinical credentials, and HIPAA-regulated information.

Why universities are the worst case

Universities have universally complex email infrastructure. The central domain sends email from the registrar, financial aid, athletics, residential life, student health, advancement, and the main administrative office. Each school (law, medicine, engineering, business) often has its own IT staff and sending systems. Research institutes run their own platforms. Alumni relations and advancement run separate marketing stacks.

DMARC aggregate reports from a major university reveal a landscape that central IT didn't fully know existed: dozens of systems they didn't authorize are sending email as @university.edu. Before enforcement is safe, every one of those sources needs to be identified and either aligned or shut down.

Academic culture compounds the problem. In a bank or a hospital, a security mandate from the CISO gets implemented. In a university, departments and faculty have significant autonomy. A directive from central IT to stop sending email from a particular address can trigger an extended discussion rather than immediate compliance.

The comparison that matters

Federal agencies had structurally similar email complexity: dozens of agencies, independent IT departments, legacy sending systems, decentralized governance. CISA's BOD 18-01 mandate drove enforcement from near-zero to 70% in a few years.

Universities at 28% enforcement and federal agencies at 70% are running the same DNS standard. The difference is external mandate. EDUCAUSE (the higher education IT organization) could play the same role CISA played for federal agencies. Without that pressure, the 58-point gap will persist.

What getting to p=reject actually takes

The path for universities is the same as everywhere else, but the scope is larger:

  1. Collect aggregate reports for 60–90 days (longer at universities because the sending inventory is larger)
  2. Enumerate every sending source from the reports; expect to find systems you didn't know about
  3. Work with each school, department, and vendor to configure DKIM or SPF alignment
  4. Move to p=quarantine and monitor closely; expect to find sending sources you missed
  5. Move to p=reject

The University of California system, MIT, and others have completed this process. It takes longer at scale, but it's the same work.

The email authentication checker shows the current enforcement status of any university domain. If your institution is at p=none, the aggregate reports you're already receiving contain the roadmap.

Full university results are at the DMARC adoption research page. The email authentication checker shows your institution's current enforcement status.