US Government Email Security Report
Email security analysis of US federal government agency domains.
The 50 US federal government domains in this report average a grade of C with a score of 74.8, indicating a moderate but insufficient email security posture. While basic protocol adoption is widespread, many organizations have yet to enforce strict DMARC policies or implement newer standards like MTA-STS and DANE. This leaves a significant portion of the scanned domains vulnerable to email spoofing, phishing, and brand impersonation attacks.
Grade Distribution
Distribution of email security grades across the 50 scanned US government domains.
Protocol Adoption
Percentage of scanned US government domains with each email security protocol correctly configured.
Pillar Breakdown
Average scores across the three DoSPM pillars for all scanned US government domains.
Top Performers
The 10 highest-scoring US government domains by overall email security posture.
| # | Domain | Grade | Score | Identity | Shadow | Reputation |
|---|---|---|---|---|---|---|
| 1 | cbo.gov | B+ | 87 | 78 | 92 | 90 |
| 2 | fema.gov | B+ | 87 | 78 | 92 | 91 |
| 3 | dhs.gov | B | 86 | 74 | 92 | 91 |
| 4 | smithsonian.gov | B | 86 | 78 | 92 | 88 |
| 5 | commerce.gov | B | 85 | 76 | 92 | 88 |
| 6 | gsa.gov | B | 85 | 84 | 79 | 92 |
| 7 | hhs.gov | B | 85 | 70 | 92 | 92 |
| 8 | justice.gov | B | 84 | 76 | 92 | 84 |
| 9 | usda.gov | B | 84 | 66 | 95 | 90 |
| 10 | dot.gov | B- | 82 | 59 | 95 | 92 |
Common Vulnerabilities
The 10 most frequent critical and high severity failures across the 50 scanned US government domains.
| # | Failure | Severity | Domains | % Affected |
|---|---|---|---|---|
| 1 | Missing domain locks: clientDeleteProhibited | high | 50 | 100.0% |
| 2 | Weak DKIM RSA key (~1296 bits) for selector 'mandrill' | high | 45 | 90.0% |
| 3 | Weak DNSSEC RSA key: 336 bits | high | 31 | 62.0% |
| 4 | Domain enumerability: high | high | 15 | 30.0% |
| 5 | No MX records found | critical | 12 | 24.0% |
| 6 | Overly broad CIDR range: 2610:e8::/32 | high | 9 | 18.0% |
| 7 | No NS records found | critical | 9 | 18.0% |
| 8 | NSEC records enable zone walking | high | 8 | 16.0% |
| 9 | Domain expires in 51 days | high | 6 | 12.0% |
| 10 | Cannot check DNS consistency — no NS records | high | 5 | 10.0% |
Key Findings
- 100% of the scanned US government domains have published a DMARC record
  - While adoption is high, many policies remain at p=none, offering no enforcement protection.
- 24% of the scanned US government domains score below a C grade
  - A substantial portion of these organizations have critical gaps in their email security posture.
- Identity is the weakest pillar with an average score of 63.7
  - A 23.6-point gap between Reputation and Identity reveals that these organizations prioritize visible protocols over infrastructure hardening.
- Advanced protocols (MTA-STS, DANE, BIMI) average only 2% adoption
  - Next-generation email security standards remain largely undeployed across the scanned US government domains, representing a significant opportunity for improvement.
Methodology
Scanning Approach
This report analyzes the email security posture of 50 domains from the US Government Email Security Report constituent list, of which 50 were successfully scanned. Each domain undergoes automated DNS and protocol checks that examine published records, validate configurations, and verify protocol compliance without sending any email traffic or interacting with mail servers beyond standard DNS queries and TLS connection probes.
Three-Pillar Model (DoSPM)
Every domain is evaluated across three security pillars, each representing a distinct dimension of email security posture:
- Identity: Measures authentication and sender verification protocols including SPF, DKIM, DMARC, MTA-STS, DANE, and BIMI. These controls establish domain ownership and prevent unauthorized senders from impersonating the domain.
- Shadow: Evaluates DNS infrastructure security including DNSSEC validation and DNS configuration hygiene. These controls protect against DNS spoofing, cache poisoning, and unauthorized zone modifications.
- Reputation: Assesses transport security and domain standing including TLS configuration, certificate validity, and blacklist status. These controls ensure encrypted delivery and protect against interception and reputation damage.
Grading Scale
Each domain receives an overall score from 0 to 100, derived from weighted pillar scores. The score maps to a letter grade on a 13-point scale:
| Grade | Score Range |
|---|---|
| A+ | 97–100 |
| A | 93–96 |
| A− | 90–92 |
| B+ | 87–89 |
| B | 83–86 |
| B− | 80–82 |
| C+ | 77–79 |
| C | 73–76 |
| C− | 70–72 |
| D+ | 67–69 |
| D | 63–66 |
| D− | 60–62 |
| F | 0–59 |
Checks Per Domain
Each domain is evaluated against 57+ individual checks spanning all three pillars. Checks range from verifying the presence and syntax of DNS records to validating policy enforcement levels, cryptographic key strengths, certificate chains, and protocol interoperability. Results are classified by severity (pass, fail, warning, informational) and aggregated into pillar scores.
Data Coverage
Of the 50 domains in the US Government Email Security Report constituent list, 50 (100.0%) were successfully scanned and included in aggregate calculations. Domains without scan data or with scans older than 90 days are excluded from statistical analysis to ensure the report reflects current security posture.
Domain Lookup
All US government domains in this report with their email security posture scores.
| Domain | Grade | Score | Identity | Shadow | Reputation |
|---|---|---|---|---|---|
| whitehouse.gov | C | 76 | 59 | 78 | 92 |
| state.gov | D | 63 | 44 | 67 | 77 |
| treasury.gov | B- | 82 | 73 | 84 | 90 |
| defense.gov | C | 73 | 67 | 62 | 91 |
| justice.gov | B | 84 | 76 | 92 | 84 |
| dhs.gov | B | 86 | 74 | 92 | 91 |
| energy.gov | B- | 80 | 77 | 80 | 84 |
| commerce.gov | B | 85 | 76 | 92 | 88 |
| hhs.gov | B | 85 | 70 | 92 | 92 |
| ed.gov | C- | 71 | 55 | 65 | 92 |
| va.gov | C+ | 79 | 70 | 75 | 92 |
| epa.gov | D | 65 | 41 | 63 | 92 |
| nasa.gov | C+ | 78 | 67 | 75 | 91 |
| ssa.gov | F | 55 | 0 | 95 | 69 |
| irs.gov | F | 55 | 39 | 64 | 62 |
| usda.gov | B | 84 | 66 | 95 | 90 |
| dot.gov | B- | 82 | 59 | 95 | 92 |
| hud.gov | C- | 71 | 50 | 71 | 91 |
| gsa.gov | B | 85 | 84 | 79 | 92 |
| opm.gov | B- | 80 | 74 | 75 | 92 |
| sba.gov | D+ | 69 | 61 | 55 | 91 |
| nsa.gov | C | 74 | 63 | 67 | 91 |
| cia.gov | C- | 72 | 80 | 75 | 62 |
| fema.gov | B+ | 87 | 78 | 92 | 91 |
| cdc.gov | B- | 81 | 52 | 99 | 92 |
| nih.gov | D- | 61 | 59 | 63 | 61 |
| fda.gov | B- | 80 | 74 | 75 | 92 |
| sec.gov | D+ | 69 | 47 | 67 | 92 |
| ftc.gov | C+ | 79 | 77 | 75 | 84 |
| fcc.gov | C | 76 | 69 | 75 | 84 |
| nist.gov | C | 74 | 84 | 48 | 91 |
| noaa.gov | F | 56 | 55 | 36 | 77 |
| usps.gov | C+ | 77 | 76 | 79 | 77 |
| census.gov | F | 54 | 58 | 12 | 91 |
| fbi.gov | C+ | 77 | 72 | 67 | 92 |
| senate.gov | C | 74 | 70 | 62 | 91 |
| house.gov | D | 64 | 43 | 58 | 92 |
| gao.gov | C+ | 77 | 78 | 63 | 91 |
| cbo.gov | B+ | 87 | 78 | 92 | 90 |
| supremecourt.gov | C+ | 77 | 73 | 67 | 91 |
| tsa.gov | C+ | 79 | 67 | 79 | 91 |
| ice.gov | C+ | 79 | 67 | 79 | 91 |
| cbp.gov | D+ | 67 | 43 | 66 | 91 |
| atf.gov | C | 76 | 53 | 92 | 84 |
| dea.gov | C | 75 | 75 | 67 | 84 |
| usaid.gov | C+ | 77 | 95 | 44 | 91 |
| peacecorps.gov | B- | 82 | 61 | 92 | 92 |
| smithsonian.gov | B | 86 | 78 | 92 | 88 |
| archives.gov | D- | 62 | 38 | 56 | 92 |
| loc.gov | C | 75 | 40 | 92 | 92 |