An independent cybersecurity review of 10 major Texas colleges and universities finds a wide gap between flagship campuses and the 100% ideal domain security score. Sensitive student aid, payroll, research, and healthcare-adjacent communications still leave spoofing and mail-downgrade gaps on many .edu domains.
Using data from audit.emailmenow.com, we scored each primary campus domain on July 13, 2026 across identity, transport, website, and endpoint controls — including SPF, DKIM, DMARC, MTA-STS/TLS-RPT, and security headers.
Cybersecurity Scores — Texas Colleges & Universities
Overall compliance scores from audit.emailmenow.com. 100% is the ideal. Re-run any domain at the link to verify.
| Rank | Institution | Domain | Overall | Identity | Transport | Website | Level |
|---|---|---|---|---|---|---|---|
| 1 | Texas A&M University | tamu.edu | 76% | 65% | 45% | 92% | Good |
| 2 | UT San Antonio | utsa.edu | 70% | 90% | 15% | 45% | Good |
| 3 | University of North Texas | unt.edu | 66% | 75% | 45% | 45% | Above Average |
| 4 | Texas State University | txst.edu | 65% | 35% | 15% | 100% | Above Average |
| 5 | Texas Christian University | tcu.edu | 58% | 25% | 15% | 92% | Average |
| 6 | UT Austin | utexas.edu | 54% | 50% | 15% | 45% | Average |
| 7 | University of Houston | uh.edu | 44% | 25% | 15% | 45% | Below Average |
| 7 | Rice University | rice.edu | 44% | 25% | 15% | 45% | Below Average |
| 7 | Southern Methodist University | smu.edu | 44% | 25% | 15% | 45% | Below Average |
| 10 | Texas Tech University | ttu.edu | 34% | 0% | 15% | 45% | Weak |
Category Highlights
| Finding | Detail |
|---|---|
| Ideal score | 100% — 0 of 10 campuses reached it overall |
| Best overall | Texas A&M (tamu.edu) — 76% |
| Lowest overall | Texas Tech (ttu.edu) — 34% with 0% Identity |
| Website ideal | Only Texas State (txst.edu) hit 100% website |
| Transport gap | 8 of 10 scored 15% on transport (weak/missing MTA-STS enforce) |
| Email infra | All 10 showed 100% Email Infrastructure (hosted M365/Google) |

What the Results Reveal
- Scores span 76% down to 34% — none match the 100% ideal for campuses handling FAFSAs, payroll, and research IP.
- Identity weakness clusters at Rice, UH, SMU, TCU (25%), and Texas Tech (0%) — spoofed
@school.eduaid, housing, and HR mail stays deliverable. - Transport at 15% on eight campuses means inbound campus mail can still be downgraded without enforced MTA-STS.
- Strong website headers (A&M 92%, TCU 92%, Texas State 100%) do not offset weak identity — phishing arrives by email, not by clickjacking alone.
Website stack note
- UT Austin (
utexas.edu): Drupal behind current (running 11; latest 11.4.2)
Attack Exposure on Campus Domains
Campuses scoring near 44% or below are disproportionately exposed to:
- Financial-aid impersonation — fake FAFSA / refund / bursar notices that look like
@utexas.eduor@uh.edumail. - Payroll and direct-deposit fraud — spoofed HR asking staff to “update banking” after semester peaks.
- Research & vendor BEC — spoofed procurement changing lockbox details for lab or facilities vendors.
- Account-recovery abuse — fake SSO / Duo reset messages harvesting credentials for student and faculty portals.
- Post-breach follow-on phishing — credible after Texas Tech HSC, St. Thomas Houston, and SMU OAG filings.
Priority Fixes for Texas Higher Ed IT
- Enforce DMARC
p=reject(with alignment) on every student- and donor-facing domain — including hospital and foundation domains. - Publish MTA-STS
mode=enforceand TLS-RPT so inbound gradebook, aid, and health mail cannot be silently downgraded. - Separate marketing / alumni sending from core instructional domains so SPF soft-fail does not weaken primary DMARC.
- Train help desks on callback verification — campus ransomware often starts with help-desk social engineering, then abuses spoofable mail.
Related Coverage
- Texas community colleges audit
- Public systems vs private universities
- Texas school districts audit
- Government & education breach tracker
- Texas OAG YTD dashboard
Check any campus. Run a free Instant Cybersecurity Audit at audit.emailmenow.com or contact EmailMeNow for DMARC and MTA-STS enforcement on .edu estates.
Methodology: Primary campus domains audited July 13, 2026 via audit.emailmenow.com. Overall score aggregates identity, transport, email infrastructure, website, and endpoint signals. 100% is the ideal.