The top universities in the United States, the United Kingdom and Australia are lagging on basic cybersecurity measures, subjecting students, staff and stakeholders to higher risks of email-based impersonation attacks, according to new Proofpoint research. 

The research found that 97% of the top ten universities across each country are not taking appropriate measures to proactively block attackers from spoofing their email domains, increasing the risk of email fraud. According to the analysis, universities in the U.S. are most at risk with the poorest levels of protection, followed by the U.K., then Australia. 

These findings are based on Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of the top ten universities in each country. DMARC is an email validation protocol that protects domain names from being misused by cybercriminals. It authenticates the sender's identity before allowing a message to reach its intended destination.

DMARC has three levels of protection: monitor, quarantine and reject, with reject being the most secure for preventing suspicious emails from reaching the inbox.  

Domain spoofing is a massive issue that can impact not only organizations but also their customers and business partners as well, says Nicole Hoffman, Senior Cyber Threat Intelligence Analyst at Digital Shadows. According to Proofpoint, 3.1 billion domain spoofing emails are sent per day. Email spoofing and phishing have had a worldwide impact costing an estimated $26 billion since 2016.

So, why don't more organizations implement DMARC? "The main components may be time, resources, and awareness. Many organizations, in and out of the education industry, may not be aware of the importance of DMARC. Implementing DMARC can be a daunting task that, if implemented incorrectly, can break things and interrupt business operations. Some organizations hire third parties to help with implementation, but this requires financial resources that need to be approved," says Hoffman. 

It is important to note that DMARC will not protect against all types of email domain spoofing, so DMARC should be combined with other tools and security measures such as external email banners, security awareness training, and layered authentication policies involving changing payment information for employees or clients, Hoffman explains. "Most organizations have high-value data, such as employees' personally identifiable information (PII). Educational institutions store PII for not only the staff but thousands of students. For these reasons, it is also critical for higher education institutions to implement the principle of least privilege to ensure staff members only have access to what is absolutely necessary to perform their job functions."

For more information, visit