Education email security in 2026: schools, MATs and universities under pressure

UK education is one of the most spoofed and least protected sectors. This guide explains where schools, multi-academy trusts and universities stand on email authentication in 2026, and the practical route to enforcement.


Education sits in an awkward position. Schools, multi-academy trusts (MATs) and universities handle pupil data, safeguarding records, parental payments and large research budgets, yet they often run on stretched IT teams and a sprawl of domains accumulated over years. That combination makes the sector one of the most spoofed and least consistently protected in the UK.

This guide sets out where education stands on email authentication going into 2026, why it is targeted, and the practical steps that actually move a school or trust to a defensible position. If you are new to the underlying controls, start with our plain-English guide to DMARC and come back.

Why education is a soft target

The Cyber Security Breaches Survey has repeatedly found that education providers report higher rates of attack than most other sectors. Phishing is the most common attack type by a wide margin, and email impersonation is the engine behind it.

Several factors compound the problem in education specifically:

  • Trusted by everyone. Parents, pupils, suppliers and other institutions open email from a school without hesitation. A spoofed message from the school office carries instant authority.
  • High-value, time-sensitive payments. Trip payments, fee invoices, supplier transfers and university tuition all create moments where a fraudulent "updated bank details" email can succeed. This is classic business email compromise.
  • Domain sprawl. A single MAT may own dozens of domains: the trust, each academy, legacy school names, and unused variations bought "just in case". Every one of those is a spoofing opportunity if it is not locked down.
  • Seasonal staff churn. Term cycles, new starters and shared mailboxes make it harder to spot an unusual message.
  • Federated systems. Universities in particular send mail from many third-party platforms: admissions, alumni, library, payments, learning environments. Each one needs to be authorised in SPF or sign with DKIM for the institution's domain, or its mail fails DMARC the moment the policy is enforced.

Where the sector actually stands in 2026

Education has improved, but it is uneven. Most large MATs and universities now publish an SPF record and many have a DMARC record in place. The problem is what that record says.

A DMARC record set to p=none tells receivers to evaluate and report but to take no action when a message fails. It produces useful data, provided the record carries a rua= address for aggregate reports to be sent to, but it stops nothing. A large share of education domains that "have DMARC" are sitting at p=none, sometimes for years, mistaking the presence of a record for protection. We explain exactly why that is a false sense of security in why p=none is not protection.

The three common positions

  • Nothing meaningful. No DMARC, or a broken SPF record. Common among smaller standalone schools and primaries with no dedicated IT. Anyone can send email as the domain.
  • Monitoring only. A DMARC record at p=none, often added during a Cyber Essentials push or by an MSP, then left untouched. Visible but not enforced.
  • Enforced. p=quarantine or p=reject at the default pct=100, with every legitimate sender passing aligned SPF or DKIM (either is enough for DMARC to pass; both is the comfortable position). This is the minority, but it is achievable.
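To make the three positions concrete, here is an added example (not code from the article) that sorts a domain's DMARC record into them and flags the details that make an "enforced" record weaker than it looks: a pct= below 100, pct=0 (which applies the policy to nothing), an sp=none that leaves subdomains open, and a missing rua= address. The DNS answers are a constructed in-memory map with placeholder domain names so the script runs offline; for a live estate, replace the map with real TXT lookups of _dmarc.<domain>.

```python
# Added example (not code from the original article): sort a domain's DMARC
# record into the three positions described in the text. DNS answers come
# from a constructed in-memory map so this runs offline; domain names are
# placeholders, not real institutions.
from __future__ import annotations
from typing import Optional

# Constructed TXT answers for _dmarc.<domain>. None means no record at all.
SAMPLE_DMARC_TXT: dict[str, Optional[str]] = {
    "primary.example": None,
    "academy.example": "v=DMARC1; p=none; rua=mailto:dmarc@academy.example",
    "trust.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@trust.example",
    "uni.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@uni.example",
    "old-school.example": "v=DMARC1; p=reject",
}


def parse_dmarc(txt: Optional[str]) -> Optional[dict[str, str]]:
    """Split 'tag=value; tag=value' into a dict. None if not a usable DMARC record."""
    if not txt:
        return None
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    # RFC 7489: the record must carry v=DMARC1 and a p= tag to be valid at all.
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def classify(txt: Optional[str]) -> tuple[str, list[str]]:
    """Return (position, caveats) for one DMARC TXT record."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "nothing meaningful", ["no valid DMARC record: anyone can send as this domain"]

    caveats: list[str] = []
    policy = tags["p"].lower()
    if "rua" not in tags:
        caveats.append("no rua= address, so no aggregate reports are being collected")
    if policy == "none":
        return "monitoring only", caveats
    if policy not in ("quarantine", "reject"):
        return "nothing meaningful", caveats + [f"unknown policy {policy!r}"]

    # pct defaults to 100. pct=0 applies the policy to no mail at all, which is
    # p=none in disguise.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct == 0:
        return "monitoring only", caveats + ["pct=0: the policy is never applied"]
    if pct < 100:
        caveats.append(f"pct={pct}: only that share of failing mail gets the {policy} policy")
    # sp defaults to p; an explicit sp=none leaves every subdomain unenforced.
    if tags.get("sp", policy).lower() == "none":
        caveats.append("sp=none: subdomains are not enforced")
    return "enforced", caveats


def audit(estate: dict[str, Optional[str]]) -> dict[str, tuple[str, list[str]]]:
    """Classify every domain in a map of domain -> _dmarc TXT record (or None)."""
    return {domain: classify(txt) for domain, txt in estate.items()}


if __name__ == "__main__":
    for domain, (position, caveats) in audit(SAMPLE_DMARC_TXT).items():
        print(f"{domain:20} {position:18} {'; '.join(caveats)}")
```

Run against an estate list, the output is the same three-way split the section describes, with the caveats being the things to fix before calling a domain "enforced".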

The NCSC Mail Check change and what it means

Many education bodies relied on NCSC Mail Check for free DMARC reporting and monitoring. The public sector and education focus of that service has changed, and organisations that leaned on it need an alternative source of reporting and aggregation. NCSC guidance remains a sound reference for the standards themselves, but the day-to-day job of collecting reports, reading them and acting on them now sits with you or your provider.

The MAT problem: many domains, one policy mindset

For multi-academy trusts, the single biggest practical issue is scale. You are not protecting one domain, you are protecting a portfolio. Each academy domain, each legacy name and each parked variation needs its own correctly configured records.

Two principles help:

  • Treat parked domains as live risks. An unused domain with no DMARC can still be spoofed. Old school names that pre-date a merger are a favourite for attackers because recipients still recognise them. Lock every parked domain to reject.
  • Standardise, then exception. Apply a consistent baseline across the estate, then handle the genuine sending exceptions (a finance platform here, a comms tool there) deliberately rather than per-school guesswork.

The university problem: too many legitimate senders

Universities rarely lack the will to take security seriously. What they lack is a short list of authorised senders. Admissions, finance, alumni relations, faculties, the library, halls, students' unions and dozens of SaaS tools all send mail "as" the institution.

Moving to enforcement without breaking those flows requires patience. You read the DMARC reports, identify every legitimate source, bring each one into alignment with SPF or DKIM, and only then tighten the policy. For third-party platforms, prefer DKIM signing under the institution's own domain over adding yet another include: to SPF: a DKIM signature survives forwarding and does not eat into the SPF lookup limit. Rushing it means blocking real admissions or fee emails, which is worse than the original exposure. Our guide on the safe route to enforcement sets out the staged approach.

What good looks like

  • SPF published and accurate on every sending domain, within the limit of 10 DNS lookups (include:, a, mx, ptr, exists and redirect= each count towards it).
  • DKIM signing enabled on all legitimate platforms, with the signing domain aligned to the domain in the From: header.
  • DMARC at p=reject (or at minimum p=quarantine) on every active domain, with no pct= below 100 and no sp=none weakening the subdomains.
  • Every parked and legacy domain set to p=reject with an SPF record of exactly v=spf1 -all.
  • DMARC reports collected and reviewed so new senders and spoofing attempts are spotted early.
  • A named owner for the email estate, not an assumption that the MSP "has it covered".
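Two items on that list are easy to get wrong by hand: the SPF lookup count, because include: chains nest and redirect= counts too, and the parked-domain SPF, where anything other than exactly v=spf1 -all still authorises someone. The following is an added example (not code from the article) that walks an SPF record recursively, counts the lookups the way RFC 7208 section 4.6.4 does, and checks a parked domain's record. The TXT answers are a constructed in-memory map with placeholder domains so it runs offline; lookup_spf() is the one function to replace with a real resolver for a live audit.

```python
# Added example (not code from the original article): count the DNS lookups an
# SPF record costs, following include: and redirect= recursively, and flag two
# checklist conditions: more than 10 lookups (RFC 7208 4.6.4, which receivers
# treat as permerror) and a parked domain that does not publish exactly
# "v=spf1 -all". TXT answers come from a constructed map with placeholder
# domains so this runs offline.
from __future__ import annotations
import re
from typing import Optional

# Mechanisms, plus the redirect= modifier, that each cost one DNS lookup.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

# Constructed sample zone: a trust whose SPF pulls in a mail host and a CRM
# platform, an academy that redirects to the trust, and a parked legacy name.
SAMPLE_SPF_TXT: dict[str, str] = {
    "trust.example": "v=spf1 a mx include:_spf.mailhost.example include:crm.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:192.0.2.0/24 a:relay.mailhost.example ~all",
    "crm.example": "v=spf1 include:spf1.crm.example include:spf2.crm.example ~all",
    "spf1.crm.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "spf2.crm.example": "v=spf1 a mx ptr exists:%{i}.spf.crm.example ~all",
    "academy.example": "v=spf1 redirect=trust.example",
    "old-school.example": "v=spf1 -all",
}

# name, then an optional ':' or '=' argument up to any CIDR suffix.
TERM_RE = re.compile(r"^([a-z]+)(?:[:=]([^/]*))?", re.I)


def lookup_spf(domain: str) -> Optional[str]:
    """Stand-in for a TXT query; replace with a real resolver for a live audit."""
    return SAMPLE_SPF_TXT.get(domain)


def count_lookups(domain: str, seen: frozenset[str] = frozenset()) -> tuple[int, list[str]]:
    """Return (lookups, notes) for domain's SPF record, recursing into include/redirect."""
    if domain in seen:
        return 0, [f"{domain}: include loop"]
    record = lookup_spf(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0, [f"{domain}: no SPF record (void lookup)"]
    lookups, notes = 0, []
    for term in record.split()[1:]:
        match = TERM_RE.match(term.lstrip("+-~?"))  # the qualifier does not change the cost
        if not match:
            continue
        name, arg = match.group(1).lower(), match.group(2)
        if name not in LOOKUP_TERMS:
            continue  # ip4:, ip6:, all and exp= cost nothing
        lookups += 1
        if name in ("include", "redirect") and arg:
            sub, sub_notes = count_lookups(arg, seen | {domain})
            lookups += sub
            notes += sub_notes
    return lookups, notes


def audit_spf(domain: str) -> dict:
    """Total lookups for a domain, with ok=False once the RFC limit is breached."""
    lookups, notes = count_lookups(domain)
    if lookups > LOOKUP_LIMIT:
        notes.append(f"{domain}: {lookups} lookups exceeds {LOOKUP_LIMIT}, receivers return permerror")
    return {"domain": domain, "lookups": lookups, "ok": lookups <= LOOKUP_LIMIT, "notes": notes}


def parked_locked(domain: str) -> bool:
    """True only if the SPF record authorises nobody: exactly 'v=spf1 -all'."""
    record = lookup_spf(domain)
    return record is not None and record.split() == ["v=spf1", "-all"]


if __name__ == "__main__":
    for name in ("trust.example", "academy.example", "old-school.example"):
        print(audit_spf(name), "parked-locked:", parked_locked(name))
```

In the constructed zone the trust's own record looks modest (two includes) but costs 11 lookups once the CRM platform's nested includes are followed, and the academy's redirect= inherits all of them plus one. That is the shape of the problem in a real estate: the breach is usually two or three vendors deep, not visible in the record you published yourself.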

What DMARC does not do

We are honest about limits. Enforced DMARC tells receiving mail servers to reject (or quarantine) mail that claims your exact domain without passing aligned SPF or DKIM, and it only works at receivers that check DMARC, which the major providers do. It does not stop look-alike domains (a trailing letter swapped, or a .org instead of .ac.uk), inbound phishing from other domains, or a genuine account that has been compromised through stolen credentials: mail from a hijacked mailbox passes SPF and DKIM because it really did come from your systems. Those need separate controls: lookalike monitoring, staff awareness, multi-factor authentication and good mailbox hygiene. DMARC is a foundation, not the whole building.

A sensible order of work

For a school or trust starting from scratch, the practical sequence is: confirm what domains you own, publish a DMARC record at p=none with a rua= address to start collecting data, fix SPF and DKIM for every legitimate sender the reports reveal, then move steadily to enforcement, and finally lock down the parked domains. Each step is a DNS change that can be reverted if something breaks, which is why the order matters.
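The sequence above, written out as DNS records. These are added example records, not records from the article or from any real institution: the domains academy.example and old-school.example are placeholders (the .example TLD is reserved for documentation), the rua= mailbox is assumed, and each numbered DMARC line replaces the previous one at the same name rather than sitting alongside it. The null MX, the wildcard DKIM revocation and the cross-domain report authorisation at the end are additions the article does not mention but which complete the parked-domain lock-down.

```dns
; Stage 1: monitoring. Failures are reported, not acted on. Without rua=
; there would be no data to read, so it is mandatory from day one.
_dmarc.academy.example.    IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@academy.example"

; Stage 2: once every legitimate sender in the reports passes aligned SPF or
; DKIM, quarantine a slice of failing mail. A sender that was missed shows up
; in the spam folder and in the reports rather than being lost outright.
_dmarc.academy.example.    IN TXT "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@academy.example"

; Stage 3: full quarantine (pct defaults to 100) once the reports stay clean.
_dmarc.academy.example.    IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@academy.example"

; Stage 4: reject. sp=reject covers subdomains that send no mail; leave it
; out, or set it to quarantine, if a subdomain still has senders in progress.
_dmarc.academy.example.    IN TXT "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@academy.example"

; Parked legacy domain: nothing sends as it, so every record says so.
old-school.example.        IN MX  0 .
;   null MX (RFC 7505): the domain accepts no mail either
old-school.example.        IN TXT "v=spf1 -all"
;   no sending host is authorised
*._domainkey.old-school.example. IN TXT "v=DKIM1; p="
;   empty p= revokes every selector (RFC 6376), so no forged DKIM key validates
_dmarc.old-school.example. IN TXT "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@academy.example"

; Reports for old-school.example are sent to a mailbox under academy.example,
; so academy.example must say it is willing to receive them (RFC 7489 7.1);
; without this record, receivers silently drop those reports.
old-school.example._report._dmarc.academy.example. IN TXT "v=DMARC1"
```

The last record is the one most often forgotten in a MAT rollout: pointing every academy's rua= at one central trust mailbox is the right design, but each academy domain needs that authorisation record under the trust domain or its reports never arrive.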

Education does not need to be the soft target it has been. The standards are free, the route is well understood, and the main thing missing is sustained attention.

If you run a school, MAT or university and you are not sure whether your domains are actually enforced or just monitoring, our free health check will show you exactly where each domain stands and what to fix first.

Shaun Cooke

Founder of SealedMail and a UK email-security specialist in DMARC, SPF, DKIM and email authentication for regulated sectors. He personally reads the DMARC and TLS reports behind every SealedMail account and writes the company's plain-English guides. More from Shaun Cooke →