This paper presents a segment-by-segment analysis of email security posture across eight U.S. organizational sectors using the Lokentra Email Security Index (ESI) dataset of 801,359 entities and 577,882 DNS-profiled domains. We find dramatic variation in DMARC adoption — from 89.0% among higher education institutions to 22.4% among IRS-registered nonprofits — and in the proportion of Grade F (critically vulnerable) domains, ranging from 7.4% in higher education to 49.6% in the IRS nonprofit sector. The SAM.gov-registered population (businesses and nonprofits with active federal registrations) consistently outperforms its non-SAM counterparts, suggesting that federal procurement requirements create measurable cybersecurity uplift. Municipal government entities lead the public sector in security posture, outperforming state government entities on every measured dimension. Small businesses exhibit weaker posture than SAM.gov-registered large businesses despite identical tool availability, pointing to awareness and capacity barriers rather than technical constraints. Provider choice is strongly predictive of security posture across all sectors: organizations using email security gateways (Proofpoint, Mimecast) consistently achieve the highest DMARC rates, while budget hosting users are the most vulnerable cohort in every sector analyzed.
National email security statistics mask substantial sector-level variation. An aggregate DMARC adoption figure of 38.8% obscures the fact that nearly nine in ten higher education domains have DMARC, while fewer than one in four IRS-registered nonprofits do. This paper disaggregates the ESI dataset across eight segments, enabling sector-specific policy prescriptions, procurement recommendations, and research baselines.
The eight segments analyzed are: (1) IRS-registered nonprofits, (2) SAM.gov-registered businesses, (3) small businesses (10KSB program), (4) SAM.gov-registered nonprofits, (5) municipal government, (6) state government, (7) K-12 education, and (8) higher education. Together these segments represent 801,359 entities and 577,882 DNS-profiled domains spanning all 50 states and territories.
| Segment | Entities | Scanned | MX | SPF | DKIM | DMARC | Reject | A/B % | F % |
|---|---|---|---|---|---|---|---|---|---|
| Higher education | 3,171 | 700 | — | 91.9% | — | 89.0% | 23.0% | 71.4% | 7.4% |
| K-12 education | 20,021 | 15,568 | 86.4% | 79.7% | 59.6% | 55.5% | 12.2% | 47.1% | 19.2% |
| Government — municipal | 40,856 | 38,754 | 96.5% | 90.6% | 53.9% | 59.7% | 12.6% | 39.1% | 13.2% |
| Government — state | 28,935 | 27,814 | 86.2% | 80.7% | 52.9% | 51.1% | 10.6% | 37.6% | 22.3% |
| Nonprofits (SAM.gov) | 86,596 | 83,448 | 90.3% | 79.5% | 49.6% | 55.7% | 6.9% | 35.2% | 20.6% |
| Businesses (SAM.gov) | 144,623 | 133,809 | 95.8% | 87.9% | 50.1% | 53.5% | 11.7% | 33.8% | 18.3% |
| Small businesses (10KSB) | 95,260 | 93,214 | 90.9% | 81.9% | 41.5% | 43.5% | 6.3% | 27.3% | 17.8% |
| Nonprofits (IRS BMF) | 206,161 | 201,492 | 64.3% | 49.8% | 22.2% | 22.4% | 2.0% | 10.3% | 49.6% |
| National average | 801,359 | 577,882 | 79.4% | 69.0% | 36.9% | 38.8% | 5.6% | 24.3% | 28.6% |
Segments ranked by A/B grade rate. MX% and DKIM% omitted for higher education due to multi-entity/domain join artifact in small sample. DMARC% = any policy (none + quarantine + reject combined).
| Segment | A | B | C | D | F | Total |
|---|---|---|---|---|---|---|
| Higher education | 40 (5.7%) | 460 (65.7%) | 129 (18.4%) | 19 (2.7%) | 52 (7.4%) | 700 |
| K-12 education | 93 (0.6%) | 7,242 (46.5%) | 3,058 (19.6%) | 2,179 (14.0%) | 2,996 (19.2%) | 15,568 |
| Government — municipal | 502 (1.2%) | 15,502 (37.9%) | 10,526 (25.7%) | 9,197 (22.5%) | 5,129 (12.5%) | 40,856 |
| Government — state | 199 (0.7%) | 10,671 (36.9%) | 6,158 (21.3%) | 5,704 (19.7%) | 6,203 (21.4%) | 28,935 |
| Nonprofits (SAM.gov) | 350 (0.4%) | 30,178 (34.8%) | 21,288 (24.6%) | 17,601 (20.3%) | 17,171 (19.8%) | 86,588 |
| Businesses (SAM.gov) | 1,621 (1.1%) | 47,301 (32.7%) | 35,005 (24.2%) | 36,218 (25.0%) | 24,472 (16.9%) | 144,617 |
| Small businesses (10KSB) | 454 (0.5%) | 25,531 (26.8%) | 23,875 (25.1%) | 28,387 (29.8%) | 16,993 (17.8%) | 95,240 |
| Nonprofits (IRS BMF) | 210 (0.1%) | 20,949 (10.2%) | 37,620 (18.2%) | 47,358 (23.0%) | 100,022 (48.5%) | 206,159 |
The IRS Business Master File (BMF) encompasses all organizations granted 501(c) tax-exempt status — including small religious congregations, community sports leagues, and neighborhood associations alongside major hospital systems and national charities. This compositional breadth explains why the sector scores last on virtually every authentication metric.
| Metric | Rate | National Avg |
|---|---|---|
| MX records (any) | 64.3% | 79.4% |
| SPF (any) | 49.8% | 69.0% |
| DKIM | 22.2% | 36.9% |
| DMARC (any) | 22.4% | 38.8% |
| DMARC at reject | 2.0% | 5.6% |
Only 2.0% of IRS nonprofits have DMARC at enforcement level. The 35.7% of domains with no MX record (versus 20.6% nationally) reflects a large number of organizations that have lapsed or abandoned their domains after achieving tax-exempt status. The 48.5% Grade F rate — 100,022 organizations — represents the single largest concentration of email-vulnerable entities in the ESI dataset.
Google Workspace (25.1%), unclassified/error (38.0%), other self-hosted (22.7%). The high "error" rate is consistent with a large proportion of domain registrations that have lapsed, leaving MX records dangling or returning errors. Microsoft 365 accounts for approximately 12.3% of classifiable IRS nonprofits.
Key finding: The IRS nonprofit sector is the single highest-priority intervention target in the ESI dataset. 77.6% lack any DMARC, and the sub-2% enforcement rate means virtually all 206,161 organizations can be impersonated with high delivery success.
SAM.gov-registered businesses are companies with active federal entity registrations, typically maintaining relationships with federal agencies as contractors, vendors, or grantees. This population exhibits notably stronger security posture than non-SAM businesses, consistent with federal procurement cybersecurity requirements (CMMC, NIST SP 800-171) creating upward pressure on contractor organizations.
| Metric | Rate | National Avg | vs. National |
|---|---|---|---|
| MX records (any) | 95.8% | 79.4% | +16.4pp |
| SPF (any) | 87.9% | 69.0% | +18.9pp |
| DKIM | 50.1% | 36.9% | +13.2pp |
| DMARC (any) | 53.5% | 38.8% | +14.7pp |
| DMARC at reject | 11.7% | 5.6% | +6.1pp |
| Grade | Count | Share |
|---|---|---|
| A | 1,621 | 1.1% |
| B | 47,301 | 32.7% |
| C | 35,005 | 24.2% |
| D | 36,218 | 25.0% |
| F | 24,472 | 16.9% |
Microsoft 365 (37.8%), Google Workspace (25.2%), other self-hosted (20.1%). SAM.gov businesses show a clear Microsoft majority — consistent with federal agency preference for M365 creating vendor alignment in the contractor ecosystem.
Key finding: Federal contracting requirements lift security posture measurably above national average, but 46.6% still lack DMARC. With 24,472 Grade F domains, SAM.gov businesses represent a significant attack surface against federal supply chains via email impersonation.
The Goldman Sachs 10,000 Small Businesses (10KSB) alumni cohort represents established small businesses that have completed a structured business education program — slightly more sophisticated than a random small business sample, yet far below the SAM.gov contractor population in security posture. This segment is notable for the DMARC gap relative to large businesses despite equivalent tool availability.
| Metric | Rate | vs. SAM.gov Biz | vs. National |
|---|---|---|---|
| MX records (any) | 90.9% | -4.9pp | +11.5pp |
| SPF (any) | 81.9% | -6.0pp | +12.9pp |
| DKIM | 41.5% | -8.6pp | +4.6pp |
| DMARC (any) | 43.5% | -10.0pp | +4.7pp |
| DMARC at reject | 6.3% | -5.4pp | +0.7pp |
| Grade | Count | Share |
|---|---|---|
| A | 454 | 0.5% |
| B | 25,531 | 26.8% |
| C | 23,875 | 25.1% |
| D | 28,387 | 29.8% |
| F | 16,993 | 17.8% |
Microsoft 365 (35.4%), Google Workspace (25.5%), other (19.8%). Provider mix is similar to SAM.gov businesses but with slightly higher Google share, reflecting smaller organization size correlating with Google Workspace for Business pricing.
Key finding: Small businesses have a 10pp DMARC gap versus SAM.gov contractors despite similar MX infrastructure, confirming that the awareness and procurement compliance gap — not technical capability — is the primary barrier. The 29.8% Grade D rate is the highest of any segment, indicating widespread partial configuration (SPF without DMARC).
SAM.gov-registered nonprofits are tax-exempt organizations with active federal entity registrations — typically foundations, research institutions, and community development organizations receiving federal grants or contracts. Their security posture is dramatically stronger than IRS-only nonprofits, confirming that the federal registration process and associated compliance environment drives measurable security uplift.
| Metric | SAM Nonprofit | IRS Nonprofit | Gap |
|---|---|---|---|
| MX records (any) | 90.3% | 64.3% | +26.0pp |
| SPF (any) | 79.5% | 49.8% | +29.7pp |
| DKIM | 49.6% | 22.2% | +27.4pp |
| DMARC (any) | 55.7% | 22.4% | +33.3pp |
| DMARC at reject | 6.9% | 2.0% | +4.9pp |
| Grade A/B | 35.2% | 10.3% | +24.9pp |
| Grade F | 20.6% | 49.6% | −29.0pp |
Key finding: The 33.3 percentage-point DMARC gap between SAM nonprofits and IRS nonprofits is among the largest within-sector gaps in the dataset. Federal registration status is a stronger predictor of security posture than organization type, suggesting that expanding federal registration requirements or compliance-linked grant programs could drive significant adoption in the broader nonprofit sector.
Municipal government entities — city and county governments, local offices, and public-facing agencies — lead the public sector in email security posture. With 96.5% MX deployment, 90.6% SPF, and 59.7% DMARC adoption, they exceed state government entities on all three headline metrics, and achieve the lowest Grade F rate (13.2%) among government segments.
| Metric | Municipal | State Gov | National Avg |
|---|---|---|---|
| MX records (any) | 96.5% | 86.2% | 79.4% |
| SPF (any) | 90.6% | 80.7% | 69.0% |
| DKIM | 53.9% | 52.9% | 36.9% |
| DMARC (any) | 59.7% | 51.1% | 38.8% |
| DMARC at reject | 12.6% | 10.6% | 5.6% |
| Grade A/B | 39.1% | 37.6% | 24.3% |
| Grade F | 13.2% | 21.4% | 28.6% |
Microsoft 365 (38.8%), other/self-hosted (25.8%), Google Workspace (18.5%). Municipal government has the strongest Microsoft majority among all segments, consistent with enterprise licensing agreements and state-level IT consolidation programs favoring M365.
Key finding: Municipal government's lower F rate (13.2%) compared to state government (21.4%) likely reflects more homogeneous IT environments — smaller cities typically standardize on a single vendor — versus state agencies with legacy and specialized systems across multiple departments. CISA's SLTT (state, local, tribal, territorial) cybersecurity programs appear to be delivering measurable results at the local level.
State government entities — including state agencies, departments, and state-level offices — underperform municipal government despite generally larger IT budgets and staff. The 21.4% Grade F rate is higher than K-12 education, reflecting the diversity of the state government category: while flagship agencies (DMV, health, treasury) are typically well-protected, the long tail of boards, commissions, and specialty agencies drags the sector average down significantly.
| Grade | Count | Share |
|---|---|---|
| A | 199 | 0.7% |
| B | 10,671 | 36.9% |
| C | 6,158 | 21.3% |
| D | 5,704 | 19.7% |
| F | 6,203 | 21.4% |
Microsoft 365 (32.2%), Google Workspace (24.3%), other/self-hosted (21.5%). State government has the broadest provider distribution, reflecting decentralized procurement and legacy systems across agencies.
Key finding: The B grade plurality (36.9%) suggests many state agencies have strong SPF and DKIM but haven't taken the final step to DMARC enforcement. The 10.6% reject rate is the second-highest in the public sector behind municipal government.
K-12 school districts and charter LEAs rank second overall in A/B grade rate (47.1%), a surprising result given the sector's reputation for limited IT resources. Google Workspace for Education's free or heavily discounted licensing to K-12 institutions — which includes enforced SPF and DKIM configuration by default — is a significant driver. The Google-Microsoft ratio of 4:1 means the majority of K-12 domains benefit from Google's baseline security posture.
| Metric | K-12 | Higher Ed | Gap |
|---|---|---|---|
| SPF (any) | 79.7% | 91.9% | -12.2pp |
| DMARC (any) | 55.5% | 89.0% | -33.5pp |
| DMARC at reject | 12.2% | 23.0% | -10.8pp |
| Grade A/B | 47.1% | 71.4% | -24.3pp |
| Grade F | 19.2% | 7.4% | +11.8pp |
| Grade | Count | Share |
|---|---|---|
| A | 93 | 0.6% |
| B | 7,242 | 46.5% |
| C | 3,058 | 19.6% |
| D | 2,179 | 14.0% |
| F | 2,996 | 19.2% |
Google Workspace (65.2%), Microsoft 365 (15.2%), unclassified/error (14.7%). K-12 is the most Google-concentrated sector, consistent with the Google Workspace for Education program.
Key finding: K-12's 46.5% Grade B rate is the highest of any segment, driven by Google Workspace's default SPF/DKIM configuration. The gap to Grade A is largely a DMARC enforcement gap — districts have authentication signing in place but have not moved to p=reject. The 2,996 Grade F districts serve an estimated 7.3 million students whose school communications can be impersonated without detection.
Higher education leads all segments in email security posture by a wide margin. With 89.0% DMARC adoption and 71.4% of institutions achieving Grade A or B, higher education performs at a level comparable to federally mandated government agencies. This is likely attributable to larger, dedicated IT security teams; higher institutional cybersecurity awareness driven by research security requirements; and the greater prevalence of Microsoft 365, which provides stronger default DMARC configuration than Google Workspace in education deployments.
| Grade | Count | Share | Interpretation |
|---|---|---|---|
| A | 40 | 5.7% | Full enforcement: SPF -all + DKIM + DMARC reject |
| B | 460 | 65.7% | Strong posture — largest grade cohort |
| C | 129 | 18.4% | Partial DMARC or DKIM missing |
| D | 19 | 2.7% | Weak configuration |
| F | 52 | 7.4% | Minimal authentication |
Microsoft 365 (55.8%), Google Workspace (14.0%), other/self-hosted (14.0%). Higher education shows a strong Microsoft majority — the inverse of K-12, consistent with Microsoft's Academic licensing programs targeting universities and the sector's stronger preference for on-premise Exchange migrations to M365.
Key finding: Higher education's 23.0% DMARC reject rate is the highest in the public sector. The 7.4% Grade F rate represents 52 institutions, primarily smaller community colleges and specialty institutions that may lack dedicated IT security personnel.
Federal entity registration status is the single strongest predictor of email security posture outside provider choice. SAM.gov-registered nonprofits outperform IRS-only nonprofits by 33.3pp on DMARC adoption (55.7% vs. 22.4%). SAM.gov businesses outperform small businesses by 10pp (53.5% vs. 43.5%). This consistent pattern across both the nonprofit and business segments confirms that federal procurement compliance requirements — even when not directly mandating email authentication — create an environment where organizations invest more broadly in cybersecurity hygiene.
Across all segments, organizations using email security gateways (Proofpoint, Mimecast) achieve the highest DMARC rates in their respective sectors. The gateway effect is consistent: proxied domains show 22.7pp higher DMARC adoption than non-proxied domains within the same sector. This holds across nonprofits, government, and business segments. Budget hosting users (GoDaddy, shared hosting) are the most vulnerable cohort in every segment analyzed.
Of the 38.8% of domains with any DMARC record, 62.9% are monitoring-only (p=none). This means 24.4% of all U.S. organization domains are in a DMARC "monitor without protect" state — they have visibility into spoofing attempts but provide no protection to recipients. Only 5.6% have moved to enforcement. The monitoring-to-enforcement transition is where the greatest near-term security gain exists across all segments.
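The monitoring-versus-enforcement distinction above, and the Grade A description used in the higher education grade table (SPF -all + DKIM + DMARC reject), can be checked per domain from published TXT records. The following Python is an added example, not Lokentra's scanning pipeline or the ESI grading code; the function names, the `-partial` label for `pct` below 100, the `dkim_found` input (DKIM selectors cannot be derived from the domain name alone), and the sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter

def parse_dmarc(txt):
    """Return the tag dict of one TXT value from _dmarc.<domain>, or None if not DMARC."""
    tags = [t.strip() for t in txt.split(";") if t.strip()]
    # RFC 7489: v=DMARC1 must be the first tag and must match exactly.
    if not tags or not re.fullmatch(r"v\s*=\s*DMARC1", tags[0]):
        return None
    pairs = (t.partition("=") for t in tags[1:])
    return {k.strip().lower(): v.strip().lower() for k, sep, v in pairs if sep}

def dmarc_posture(txt_records):
    """Map the TXT answers at _dmarc.<domain> to a posture label."""
    found = [p for p in map(parse_dmarc, txt_records) if p is not None]
    if len(found) != 1:      # no record, or several: receivers apply no DMARC policy
        return "no-dmarc"
    tags = found[0]
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        # p=none only monitors; a missing/invalid p counts as p=none if a rua tag exists
        return "monitor-only" if policy == "none" or "rua" in tags else "no-dmarc"
    pct = tags.get("pct", "100")
    full = not pct.isdigit() or int(pct) >= 100   # unparsable pct: default of 100
    return policy if full else policy + "-partial"

def spf_all_qualifier(txt_records):
    """Return the qualifier on the SPF `all` mechanism: '-', '~', '?', '+', or None."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:        # zero or multiple SPF records: no usable policy
        return None
    for term in spf[0].lower().split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term)
        if m:
            return m.group(1) or "+"
    return None

def meets_grade_a(spf_txt, dmarc_txt, dkim_found):
    """Grade A as the page describes it: SPF -all + DKIM + DMARC reject."""
    return (spf_all_qualifier(spf_txt) == "-" and bool(dkim_found)
            and dmarc_posture(dmarc_txt) == "reject")

# Constructed sample, not ESI data: domain -> (root TXT, _dmarc TXT, DKIM key seen)
SAMPLE = {
    "a.example": (["v=spf1 include:_spf.example.net -all"], ["v=DMARC1; p=reject; rua=mailto:r@a.example"], True),
    "b.example": (["v=spf1 mx ~all"], ["v=DMARC1; p=none; rua=mailto:r@b.example"], True),
    "c.example": (["v=spf1 -all"], ["v=DMARC1; p=reject; pct=25"], True),
    "d.example": (["v=spf1 ip4:192.0.2.0/24 -all"], ["v=DMARC1; p=quarantine", "v=DMARC1; p=reject"], False),
    "e.example": ([], ["p=reject; v=DMARC1"], False),
}

def summarize(sample):
    """Tally DMARC posture labels across a sample of domains."""
    return Counter(dmarc_posture(dmarc) for _spf, dmarc, _dkim in sample.values())
```

In the constructed sample, `d.example` and `e.example` both publish text containing `p=reject` yet count as having no DMARC, because duplicate records and a misplaced `v=` tag each cause receivers to ignore the policy.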
IRS-registered nonprofits represent 25.7% of the ESI registry but 60.5% of all Grade F domains (100,022 of 165,322). These organizations represent a high-value impersonation target: nonprofits send donation requests, grant notifications, and community communications that recipients are trained to act on. With sub-2% DMARC enforcement, virtually any IRS nonprofit domain can be spoofed with high probability of inbox delivery.
All segment datasets are available individually or as the full registry. See the ESI Full Registry paper for licensing tiers and delivery formats.
Contact: research@monitorworkspace.com • Interactive scorecard: monitorworkspace.com/scorecard
Citation: Lokentra Research Team (2026). Email Security by Sector: Cross-Segment Analysis of 577,882 U.S. Organization Domains. Lokentra U.S. Email Security Index (ESI). https://lokentra.com/research/segments-paper.html
Data sources: IRS Business Master File; SAM.gov Public Extract V2 (March 2026); Goldman Sachs 10,000 Small Businesses directory; NCES CCD 2024-2025; NCES IPEDS; U.S. Census Bureau TIGER/Gazetteer. All DNS data derived from publicly accessible DNS records via parallel resolver pipeline (March 2026).
Competing interests: Lokentra develops MonitorWorkspace, a Google Workspace administration platform. The ESI dataset is produced by the Lokentra Research Division independently of the product team.