DMARC Adoption among Europe’s Higher Education Sector
In this series of DMARC adoption research, we’re taking a look at European institutions of higher education based on the number of faculty and staff. Not every school releases their enrollment numbers, which fluctuate from year to year, and we believe the number of employees conveys both the scale and complexity of an institution’s email infrastructure.
Educational institutions are big-ticket targets for cybercriminals and especially vulnerable to phishing and social engineering attacks.
- Schools hold a massive amount of personally identifiable information (PII) and other data, including intellectual property; student, faculty, staff and alumni records; financial data; research records; and fundraising records.
- Decentralized infrastructures, on- and off-campus network access, shadow IT and massive learning management systems equate to a broader, more difficult to protect attack surface with numerous entry points.
- Though IT departments are communicating cyber risks more and more, with an ever-changing size and composition, it’s difficult to keep campus communities consistently updated and trained on security issues. This leads to more employees and students falling for a phishing attack.
- Complying with GDPR, the primary privacy framework for students in Europe, is challenging because schools lack the resources and expertise required to establish and maintain cybersecurity best practices like DMARC.
“Adopting DMARC isn’t just about compliance—it’s a vital investment in protecting your institution’s reputation, safeguarding students, and ensuring secure communications. Prioritising this step is crucial to defend against email fraud and security risks. At dmarcian, we’ve successfully supported universities like Dublin City University in implementing DMARC, ensuring data security and compliance across Europe.”
—Dermot Harnett, Director of dmarcian Europe Headquarters
European Education Phishing Scams
With more than 40,000 students, 12,000 employees, and 1,000 degree programmes, the University of Manchester is one of the UK’s largest universities. In 2023, not long after Manchester onboarded a new CISO, cybercriminals accessed the university’s network via phishing email.
After gaining initial access to the network, the digital interloper was able to enter system resources and exfiltrate data. As of the writing of this article, the university’s latest update on the incident was 25 February 2025; you can find it here.
Luckily, with an internal team and external partners, Manchester was able to keep most of their services online during the end of the academic year—a particularly busy time for schools.
DMARC Status of the Top 500 European Institutions of Higher Education
Unfortunately, what we see with Europe’s top 500 higher education domains, again, based on the number of faculty and staff, is that merely a quarter are protected at an enforcement rate of p=quarantine, which places a suspect email in your spam folder, or p=reject, where the email that doesn’t pass DKIM or SPF authorization isn’t delivered at all.
The remaining 75% is a combination of domains with p=none, the DMARC monitoring-but-no-enforcement policy; a DMARC record that doesn’t follow best practices; and ones that have no DMARC record at all.
SPF Issues
SPF authentication has a tendency to confound domain owners, and the European higher education sector is no different. Our research revealed that 26% of the domains have SPF problems, whether that be too many lookups, lack of an SPF record, multiple SPF records, or invalid records, typically pointing to a syntax error.
A valid, accurate, and aligned SPF record will lead to improved authentication coverage, deliverability and security.
Lack of RUA reporting address
We found that 21% of the European higher education domains lacked an RUA reporting address, which determines where DMARC reports are sent. Including an RUA address is a best practice; without one, there’s no visibility into what is using your domain, for better or worse.
DMARC Status of the Top 100 UK Institutions of Higher Education
In the UK higher education sector, we found the highest level of DMARC policies at enforcement levels of p=reject and p=quarantine—46%. The balance of the domains, 54%, aren’t covered by the safety and assurance that DMARC offers.
Also on the bright side, the UK domains had the lowest occurrence of SPF problems (20%) and missing RUA tags (11%), so that’s progress indeed.
On the other hand, the UK’s Department for Science, Innovation & Technology’s 2024 Cyber Security Breaches Survey, an annual study on the impact of cyber breaches attacks on businesses, charities and educational institutions, reports that 97% of the higher education institutions experienced breaches or attacks in 2024.
“When examining the types of attacks, “Higher education institutions stood out in particular in terms of phishing attacks (100%), impersonation attacks (90%), viruses, spyware or malware (77%), unauthorised access of files or networks by staff (27%), unauthorised access of files or networks by outsiders (20%) and any other breaches or attacks (47%).”
DMARC Status of the Top 100 French Institutions of Higher Education
With 19% at p=reject and 13% at p=quarantine, 32% of the French higher education domains we surveyed are safe from being used in phishing attacks thanks to DMARC. The remaining 68% of the domains are unprotected and vulnerable to domain exploits because they lack a DMARC record; publish a p=none policy; or don’t follow DMARC, SPF and DKIM best practices. Of the five sets of domains we studied, we noticed that the 100 French higher education domains have the highest rate of SPF record problems and missing or invalid RUA tags.
DMARC Status of the Top 100 German Institutions of Higher Education
Among the top 100 higher education institutions in Germany, we find the lowest level of DMARC enforcement policies of p=reject or p=quarantine at 12%. The vast majority, 82%, of these domains are exposed; without DMARC, cybercriminals have full access to use these domains for phishing exploits.
DMARC Status of the Top 30 Irish Institutions of Higher Education
A little farther west, in Ireland, we found the lowest rate of DMARC enforcement with 7% of the top higher education domains at p=reject and 7% at p=quarantine. That leaves 86% of the domains we researched unprotected. Because of the lower number of institutions in the region, our sample size was 30 domains.
Ireland isn’t falling behind in DMARC adoption; the European Commission’s Internet Standards Deployment Monitoring reveals that 36% of Irish domains have a DMARC policy at an enforcement level, just above the average for the EU.
And as we noted in our DMARC adoption research on the retail sector in Europe, Ireland is the most phished country globally, with nearly two-thirds of Irish adults experiencing phishing attempts.
Learn about DCU’s DMARC journey as they bolster email security and help reduce their support load.
We’re here to help European schools
With a team of email security experts and a mission of making email and the internet more trustworthy through email security, dmarcian and our partners help academic institutions reach DMARC enforcement. We’re people helping people secure their domains from phishing and manage their email security for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.
