It’s time for another analysis of DMARC adoption data. Like in our prior analysis, we start with the ten million domains data set. But this time around, we’re going to filter it to show us only the top domains in higher education: domains in the .edu top-level domain (TLD).
There are just over 4,200 .edu domains here, and they’re relatively static, which makes it easy to look at and call out DMARC adoption rates and enforcement rates across the educational space.
Every month, we log various DNS records, including the domain settings for Domain-based Message Authentication, Reporting and Conformance (DMARC) and Brand Identifiers for Message Identification (BIMI) email authentication protocols. This gives us an interesting insight into how DMARC is evolving in higher education. As always, this data set was chosen to minimize concerns around vendor bias; this isn’t a list of domains defined by any particular DMARC vendor; the data starts with a snapshot list of top domains as defined by an unrelated third party.
Keep reading to learn more about the current state of DMARC adoption in higher education.
Breaking Down DMARC Trends in Higher Education
Like with much of the email ecosystem, DMARC adoption saw a boost at the beginning of 2024, thanks to the new Yahoo and Google sender requirements. Though targeted primarily at bulk/marketing email senders, the Yahoo/Google requirements apply to anyone sending significant quantities of any kind of email messages, and this definitely includes institutions of higher education.
DMARC adoption is broad in our snapshot of the higher education space; this data shows that 80% of domains in the space are aware of DMARC and have chosen to publish a DMARC record. This is a great start and is generally higher than other industries and community segments. Clearly, IT administrators at US institutes of higher learning are paying attention, and as a great starting point, they’re aware of what DMARC is and have investigated at least far enough to publish a DMARC record.
Published, But Not Protected
As with the global data, the vast majority of domains in the higher education space implementing DMARC records have chosen to implement a policy of p=none, meaning their domains, while compliant with those new sender requirements, are not protected from phishing and spoofing.
Adjusting the chart to show us only domains with DMARC implemented at enforcement, meaning the entire domain’s policy is set to quarantine or reject, tells us that just over 1,200 (30.7%) domains in the higher education space are properly protected. This leaves us with nearly 3,000 other .edu domains not protected against phishing and spoofing.
The state of BIMI in Higher Education
BIMI sender logos are growing overall globally, with more than 21,000 of the top ten million domains publishing a BIMI record as of August 2024. But when it comes to higher education, uptake isn’t as robust. Only around 70 domains out of the ~4200 domains monitored have published a BIMI record – and even fewer (16) have implemented a Verified Mark Certificate (VMC) or Common Mark Certificate (CMC).
Click here to learn more about how a BIMI sender logo can help improve trust and engagement for email education in higher education.
Universities and institutions of higher education: Protect your domains with a strong DMARC policy
As DMARC adoption grows, the next crucial step for IT administrators in higher education is to move beyond basic compliance and fully secure their domain. Understanding and acting on these insights can help elevate your domain’s security posture and protect your brand from the rising tide of email threats.
We know it can be tricky! Universities face significant challenges when it comes to implementing DMARC. Complex IT infrastructures, source constraints, awareness, and training can all make it difficult to move toward DMARC enforcement and full phishing and spoofing protection for domains.
However, the impact of not implementing DMARC properly can be significant, including financial and reputational damage, impact on students and staff, and more.
Nearly 50% of “.edu” domains with DMARC implemented are currently at a policy of none and would be better served and protected by moving to a DMARC policy of quarantine or reject.
If that’s how your own domains are configured today, we can guide you through the process of moving up to full protection. Start your journey toward full DMARC protection today!
Industry Research and Community Engagement Lead at Valimail
Al Iverson