U.S. Entity Email Security Intelligence Dataset:
A Multi-Sector DNS Authentication Registry Covering 801,359 Organizations

1. Introduction

Email remains the primary vector for phishing, business email compromise (BEC), and ransomware deployment. The Federal Bureau of Investigation's Internet Crime Complaint Center (IC3) reported $2.9 billion in BEC losses in 2023, with spoofed email domains the primary mechanism. Despite the availability of free, standards-based defenses — SPF, DKIM, and DMARC — adoption across U.S. organizations outside the federal government remains inconsistently measured and broadly insufficient.

Binding Operational Directive (BOD) 18-01 mandated DMARC enforcement for federal .gov agencies in 2017. No equivalent mandate exists for the 800,000+ state, local, nonprofit, and private sector organizations that constitute the majority of U.S. infrastructure. This study attempts to measure the resulting security gap at scale.

This paper makes four contributions:

1. A nationwide multi-sector entity registry of 801,359 organizations linked to internet domains, sourced from six authoritative government datasets.
2. Full-spectrum DNS profiling across seven record types (MX, SPF, DKIM, DMARC, CAA, MTA-STS, TLS-RPT) for 577,882 domains, the largest known entity-attributed scan.
3. Cross-sector benchmarking establishing baseline authentication rates for nonprofits, businesses, government, and education — enabling policy, procurement, and research comparisons.
4. Geographic attribution linking 434,659 entities to geocoordinates, enabling state- and county-level risk mapping.

2. Dataset Overview

2.1 Registry at a Glance

2.2 Sector Composition

3. Methodology

3.1 Entity Collection

All entity records are ingested into a unified PostgreSQL schema with normalized fields for entity name, type, subtype, state, county, primary domain, and geocoordinates. Entities are deduplicated via SHA-1 hash of normalized name, entity type, and state. Cross-source matching is performed for entities appearing in multiple registries (e.g., a nonprofit registered in both IRS BMF and SAM.gov).

3.2 DNS Profiling Pipeline

Each entity's website URL is resolved to its apex domain, then profiled concurrently across seven DNS record types using a Python-based pipeline with 50 parallel worker threads. The pipeline classifies email providers from MX records using a provider detection library covering 12 classified providers (Google Workspace, Microsoft 365, Proofpoint, Mimecast, GoDaddy, Zoho Mail, Yahoo Mail, Amazon SES, Mailgun, SendGrid, iCloud Mail, and Fastmail). Email security gateways are detected by comparing MX host names against gateway fingerprint patterns. All check results are stored with timestamps in a versioned dns_checks table, enabling longitudinal tracking.

3.3 Scoring Rubric

4. Findings

4.1 Email Authentication Adoption — National Overview

The headline finding is stark: only 5.6% of U.S. organizations have DMARC configured at enforcement level (p=reject). An additional 8.7% use p=quarantine, leaving 85.7% of all scanned domains without active spoofing prevention. Of the 38.8% with any DMARC record, 62.9% are monitoring-only (p=none), providing visibility without protection.

DKIM adoption at 36.9% is notably lower than SPF (69.0%). This gap is consistent with the relative complexity of DKIM key management versus SPF's single-record configuration. CAA and MTA-STS remain rare, below 2% nationally.

4.2 Grade Distribution

More than a quarter of all U.S. organization domains (28.6%) receive a Grade F — meaning they have either no SPF, no DKIM, and no DMARC, or only the weakest possible configurations. Combined D and F domains represent 53.1% of the scanned universe. Only 24.3% of domains achieve a B or better.

4.3 Email Provider Distribution

Denominator: 459,018 domains with classified MX provider. Excludes 118,864 domains where MX lookup returned an error or provider was not classified.

Google Workspace and Microsoft 365 are nearly equally deployed at national scale, with a combined 64.7% share of classified email infrastructure. This near-parity contrasts sharply with sector-level findings: K-12 education is dominated by Google (4:1 over Microsoft), while higher education and government invert this pattern toward Microsoft. The 5.4% of domains using Proofpoint as a gateway correlates strongly with higher security posture, as gateway-proxied domains exhibit substantially better DMARC adoption (see cross-sector analysis).

4.4 Domain Health — Freshness and Status

The 7.7% NXDOMAIN rate reflects domain expiration or deliberate abandonment, concentrated in older IRS-registered nonprofits and legacy SAM.gov registrations. The 12.6% dormant rate represents organizations with a web presence but no active email infrastructure — typically small nonprofits or businesses using hosted email outside their primary domain. Combined, 20.3% of registered domains are email-inactive, meaning phishing exposure analysis should focus on the 79.4% that are email-capable.

4.5 Cross-Sector Security Ranking

The sector gap is dramatic. Higher education leads with 71.4% of scanned domains achieving Grade A or B, while IRS-registered nonprofits achieve only 10.3% — a 61.1 percentage-point gap. The nonprofit disparity is largely explained by composition: the IRS BMF includes 200,000+ small civic organizations, religious groups, and community associations with minimal technical capacity. SAM.gov-registered nonprofits, which are federally active organizations with operational sophistication, achieve 35.2% A/B, three times better.

Government municipal entities outperform government state entities on F-rate (13.2% vs 21.4%), likely reflecting the broad state-level category including small administrative offices and legacy agencies alongside well-resourced departments. Businesses with federal contracts (SAM.gov) score significantly better than small businesses (10KSB) on A/B rate (33.8% vs 27.3%), consistent with federal procurement cybersecurity requirements creating upward pressure on contractor posture.

5. Provider-Security Correlation

Email security gateway users achieve 97.3% SPF and 75.7% DMARC adoption — the strongest posture of any provider category. Domains using budget hosting providers (GoDaddy, shared hosting) exhibit dramatically weaker authentication, with SPF at 51.3% and DMARC at 23.8%. Organizations using personal email providers (Yahoo, iCloud) as their domain email provider reach only 38.4% SPF adoption, representing the most exposed cohort after domains with no MX infrastructure at all.

6. Dataset Schema

7. Research Applications

7.1 Cybersecurity Policy

• Federal mandate gap analysis — model the impact of extending BOD 18-01 equivalents to SLTT and nonprofit sectors
• Sector risk benchmarking — identify which sectors require targeted intervention, funding, or regulatory pressure
• State-level comparison — rank states by aggregate domain security posture using geocoded entity data
• Phishing risk mapping — identify geographic concentrations of vulnerable organizations for threat intelligence

7.2 Enterprise Sales & Market Intelligence

• Addressable market sizing — quantify organizations by security posture, provider, and geography for outreach targeting
• Competitive displacement — identify GoDaddy / legacy-hosted domains as high-probability upgrade candidates
• DMARC deployment pipeline — 353,652 organizations with no DMARC enforcement represent an immediate addressable opportunity

7.3 Academic Research

• Longitudinal tracking — the versioned dns_checks schema enables time-series analysis of adoption trends
• Vendor ecosystem effects — quantify how provider choice predicts security posture independent of organization size
• Intervention measurement — baseline for measuring impact of CISA advisories, sector-specific mandates, or vendor defaults changes

8. Limitations

• Domain coverage. 181,983 entities (22.7%) lack an internet domain and are excluded from DNS analysis. These tend to be small nonprofits, rural municipalities, and legacy government entities.
• DKIM selector enumeration. Only 9 common selectors are checked (Google, Microsoft, and generic patterns). Organizations using non-standard selectors may be underscored on DKIM.
• Temporal validity. The scan was conducted in March 2026. DNS configurations change; organizations should be re-scanned on a quarterly cadence for longitudinal accuracy.
• IRS BMF recency. The IRS BMF is updated annually. Organizations dissolved between updates may still appear as active entities in the registry.
• Provider classification gaps. 118,864 domains (20.6%) returned MX errors or use infrastructure not yet in the provider classification library.

9. Data Availability

Delivery formats: CSV/Parquet, SQLite (pre-indexed), REST API, or interactive dashboard. All deliveries include full methodology documentation, source provenance, data dictionary, and reproducibility scripts (Python). Interactive exploration available at the MonitorWorkspace Email Scorecard.

Contact: research@monitorworkspace.com