We present the Lokentra U.S. Email Security Index (ESI), a comprehensive multi-sector entity registry with DNS email security profiling covering 577,882 domains across the United States. This paper describes the education subset: 20,021 K-12 school districts and charter LEAs and 3,171 higher education institutions spanning all 50 states and the District of Columbia, sourced from the NCES Common Core of Data (CCD) 2024-2025 school year, IPEDS, and state education agency directories. Each entity is linked to its internet domain, email provider, and a full DNS authentication profile (SPF, DKIM, DMARC) scored on a 100-point rubric. We find that K-12 DMARC adoption stands at 55.5%, compared to 89.0% for higher education — a 33.5 percentage-point gap attributable to institutional IT capacity, vendor ecosystem effects, and the absence of federal email security mandates for sub-federal entities. Google Workspace dominates K-12 email infrastructure at a 4:1 ratio over Microsoft 365, while higher education inverts this pattern. Only 8.2% of K-12 districts deploy email security gateways, versus 20.4% for higher education. The dataset includes phone numbers, physical addresses, grade spans, NCES LEAIDs, and operational school counts for 19,281 matched entities, enabling direct linkage to NCES enrollment, finance, and demographic datasets. To our knowledge, this is the largest entity-attributed email security dataset for the U.S. education sector.
Email remains the primary attack vector against educational institutions. Phishing campaigns targeting school districts have increased substantially, with the FBI's Internet Crime Complaint Center (IC3) reporting education as the most-targeted sector for ransomware incidents in 2023-2024. Despite growing federal attention to government cybersecurity, Binding Operational Directive (BOD) 18-01 — which mandated DMARC at enforcement level for federal agencies — does not extend to the approximately 130,000 K-12 schools and 6,000+ postsecondary institutions operating across the United States.
The security posture of these education entities is largely unmeasured. Existing studies focus on federal .gov domains or narrow state-level samples. No prior work has attempted a comprehensive, entity-attributed DNS analysis covering all U.S. K-12 districts and accredited institutions with email provider classification, security gateway detection, and authentication scoring.
This paper makes three contributions:
| Metric | Value |
|---|---|
| Total domains DNS-profiled | 577,882 |
| Domains alive (resolving) | 459,018 (79.4%) |
| Public sector entities | 268,719 |
| For-profit businesses (SAM.gov) | 239,883 |
| Nonprofits (IRS BMF) | 292,757 |
| States and territories covered | 50 + DC |
| DNS record types per domain | 7 |
| Entity schema fields | 40 |
| Metric | Value |
|---|---|
| K-12 school districts and charter LEAs | 20,021 |
| Higher education institutions | 3,171 |
| Total education entities | 23,192 |
| K-12 entities with website / domain | 15,568 |
| K-12 entities with phone + address | 19,281 (100% of CCD-matched) |
| K-12 entities with NCES LEAID | 19,281 |
| K-12 data freshness | 2024-2025 school year |
Education entities were collected from three primary source categories:
| Source | Coverage | Method |
|---|---|---|
| NCES Common Core of Data (CCD) 2024-2025 | K-12 districts, all 50 states + territories | Federal flat file (CSV) |
| NCES IPEDS | Higher education, all 50 states | Federal API |
| State Departments of Education | K-12 districts, charter organizations | HTML scrape, CSV, API |
| State Higher Education Coordinating Boards | Colleges, universities | HTML scrape, API |
| U.S. Census Bureau Gazetteer | Entity coordinates, county attribution | Federal dataset |
| SAM.gov Entity Registration | Federal registration cross-reference | Federal API |
The CCD 2024-2025 file (ccd_lea_029_2425_w_1a_073025.csv) provides 19,630 LEA records, of which 19,281 have SY_STATUS=1 (Open). These were ingested via a deterministic pipeline that matches existing entities by NCES LEAID and inserts unmatched entities as new records. The CCD file provides phone numbers, physical and mailing addresses, grade span, operational school count, charter status, and LEA type classification for 100% of open LEAs.
Each entity's website URL is resolved to its apex domain, then profiled across seven DNS record types (A, CNAME, MX, NS, SPF, DMARC, SOA) using parallel resolution. The pipeline classifies email providers from MX records, detects third-party email security gateways by comparing MX and SPF records, infers the underlying mailbox platform behind proxies, and scores each domain on a 100-point authentication rubric. Entities are deduplicated via SHA-1 hash of normalized name, type, and county.
| Configuration | Points |
|---|---|
SPF record with -all (hard fail) | 30 |
SPF record with ~all (soft fail) | 15 |
SPF record with ?all or +all | 5 |
| No SPF record | 0 |
| Configuration | Points |
|---|---|
| DKIM public key published | 30 |
| No DKIM key found | 0 |
Selectors checked: google, mail, selector1, selector2, s1, s2, k1
| Configuration | Points |
|---|---|
p=reject (full enforcement) | 40 |
p=quarantine (partial) | 20 |
p=none (monitoring only) | 10 |
| No DMARC record | 0 |
| Grade | Score | Interpretation |
|---|---|---|
| A | 90–100 | Full enforcement |
| B | 70–89 | Strong posture |
| C | 50–69 | Partial protection |
| D | 30–49 | Weak configuration |
| F | 0–29 | Minimal/no authentication |
DMARC receives the highest weight (40%) because it is the only protocol that directly prevents domain spoofing in the From: header — the field end users see and trust.
Email security gaps are not abstract technical metrics. To estimate the human exposure, we combined operational school counts from the CCD 2024-2025 file (100,081 schools across 19,281 matched K-12 districts) with NCES national averages: 381 students per school, 51 staff and educators per school, and 2 parents or guardians per student.
| Population | Total in Dataset | At Risk (No DMARC, 44.5%) | Critically Exposed (Grade F, 19.2%) |
|---|---|---|---|
| Students | 38.1 million | 17.0 million | 7.3 million |
| Parents and guardians | 76.3 million | 33.9 million | 14.6 million |
| Staff and educators | 5.1 million | 2.3 million | 980,000 |
| Total people | 119.5 million | 53.2 million | 22.9 million |
More than 53 million people — students, parents, and educators — are associated with K-12 districts that lack DMARC email authentication. Their districts can be impersonated by anyone sending a spoofed email. An additional 22.9 million are in Grade F districts with minimal or no email authentication at all. These are children, families, and teachers whose school communications can be forged without detection.
Estimates use NCES 2023-2024 national averages applied to operational school counts from CCD 2024-2025. Individual district enrollment data can be linked via NCES LEAID for precise counts.
| Segment | Google Workspace | Microsoft 365 | Ratio |
|---|---|---|---|
| K-12 school districts | 8,611 | 2,159 | 4.0 : 1 |
| Higher education | 579 | 1,680 | 1 : 2.9 |
K-12 districts overwhelmingly use Google Workspace, consistent with Google Workspace for Education's free or heavily discounted licensing for K-12. Higher education institutions invert this pattern, favoring Microsoft 365 at a 2.9:1 ratio. This is the first empirical quantification of this bifurcation at national scale.
| Protocol | K-12 | Higher Ed | National Avg | K-12 vs Higher Ed |
|---|---|---|---|---|
| MX records (any) | 86.4% | 93.0% | 79.4% | -6.6pp |
| SPF (any) | 79.7% | 91.9% | 69.0% | -12.2pp |
| DMARC (any) | 55.5% | 89.0% | 38.8% | -33.5pp |
DMARC at reject | ~12.2% | ~23.0% | ~5.6% | -10.8pp |
44.5% of K-12 domains have no DMARC record. These districts are fully vulnerable to domain spoofing — an attacker can send email appearing to come from superintendent@district.org and it will be delivered to recipients' inboxes without authentication failure. Higher education achieves 89.0% DMARC adoption, a 33.5 percentage-point lead likely attributable to larger IT teams, dedicated security staff, and higher cybersecurity awareness.
| Entity Type | Domains with MX | Using Gateway | Adoption Rate |
|---|---|---|---|
| Higher education | 2,767 | 564 | 20.4% |
| K-12 | 12,607 | 1,033 | 8.2% |
Only 8.2% of K-12 districts route mail through a third-party email security gateway (Barracuda, Proofpoint, Mimecast, etc.), the lowest rate of any public-sector entity type. Domains using gateways exhibit substantially stronger authentication posture:
| Cohort | SPF | DMARC |
|---|---|---|
| Gateway-proxied domains | 97.3% | 75.7% |
| Non-proxied domains | 89.2% | 53.0% |
| Uplift | +8.1pp | +22.7pp |
| Provider Category | Domains | SPF | DMARC | Gap |
|---|---|---|---|---|
| Email Security Proxy | 4,111 | 97.3% | 75.7% | 21.6pp |
| Enterprise Cloud (Google/M365) | 19,190 | 93.2% | 60.4% | 32.8pp |
| Government/Education Self-hosted | 563 | 90.2% | 55.1% | 35.1pp |
| Other/Self-hosted | 3,607 | 84.0% | 25.9% | 58.1pp |
| Budget Hosting (GoDaddy, IONOS) | 1,522 | 51.3% | 23.8% | 27.5pp |
Email infrastructure choice is strongly predictive of security posture. Districts using budget hosting providers exhibit SPF rates as low as 7.3% (GoDaddy), rendering them effectively unprotected. The vendor ecosystem a district selects determines its security floor.
| Field | Type | Description |
|---|---|---|
entity_name | string | Official district or institution name |
entity_type | enum | k12 or higher_ed |
entity_subtype | string | school_district, charter_district, community_college, university, etc. |
state | string | Two-letter USPS code |
county | string | County name |
primary_domain | string | Apex internet domain |
mx_provider | string | Classified email provider (Google, M365, etc.) |
has_spf / has_dkim / has_dmarc | boolean | Protocol presence flags |
dmarc_policy | string | none, quarantine, reject |
email_proxy | string | Security gateway service name |
underlying_provider | string | Real mailbox platform behind gateway |
dns_score | integer | 0–100 composite security score |
grade | string | A / B / C / D / F |
| CCD 2024-2025 Enrichment Fields | ||
nces_leaid | string | NCES LEA ID — canonical join key to enrollment, finance, demographics |
phone | string | District main phone number |
physical_address | string | Physical street address |
mailing_address | string | Mailing address |
grade_low / grade_high | string | Grade span (e.g., PK–12) |
operational_schools | integer | Number of operational schools in district |
lea_type | string | LEA type (regular, charter agency, regional, specialized) |
charter_flag | string | Charter status code |
source_name / source_url | string | Authoritative collection source with URL |
The ESI scoring rubric is applied uniformly across the full entity registry, enabling cross-sector comparisons:
| Sector | Source | Entities |
|---|---|---|
| Education (K-12 + Higher Ed) | NCES CCD 2024-2025, IPEDS, state agencies | 23,192 |
| For-profit businesses | SAM.gov federal entity registrations | 239,883 |
| Nonprofits | IRS Business Master File (BMF) | 292,757 |
| Public sector (non-education) | State registries, Census, EPA SDWIS | 245,527 |
| Total | 801,359 |
| Tier | Scope | Suggested Use |
|---|---|---|
| State Pack | Single state, all education entities | Regional studies, state policy |
| K-12 National | 20,021 K-12 districts + charters | National K-12 cybersecurity research |
| Higher Ed National | 3,171 institutions | Higher ed technology adoption |
| Full Education | K-12 + Higher Ed combined | Cross-segment comparative research |
| Full Registry | All 801,359 entities | Comprehensive multi-sector research |
| API + Updates | Quarterly re-scan, REST API | Longitudinal studies, dashboards |
Delivery formats: CSV/Parquet, SQLite (pre-indexed), REST API, or interactive dashboard. All deliveries include full methodology documentation, source provenance, data dictionary, and reproducibility scripts (Python).
Contact: research@monitorworkspace.com
Free demo: monitorworkspace.com/scorecard
Citation: Lokentra Research Team (2026). U.S. Education Sector Email Security Intelligence Dataset: A Multi-Source Entity Registry with DNS Authentication Profiling. Lokentra U.S. Email Security Index (ESI). https://lokentra-site.web.app/research/education-dataset-paper.html
Data sources: NCES Common Core of Data (CCD) 2024-2025; NCES IPEDS; State education agency directories; U.S. Census Bureau Gazetteer; SAM.gov; IRS Business Master File. All data derived from publicly accessible DNS records and government-published registries.
Competing interests: Lokentra develops MonitorWorkspace, a Google Workspace administration platform. The ESI dataset is produced by the Lokentra Research Division independently of the product team.