Back to news
Cybersecurity Alert
July 13, 2026 by EmailMeNow IT Consulting

Cybersecurity Audit of Top Texas Colleges & Universities in 2026

Independent audits of 10 major Texas universities show overall scores from 76% down to 34% — none reach the 100% ideal. Transport security averages just 23%, leaving campuses exposed to spoofed financial-aid and payroll phishing.

NewsEmail SecurityTexasHigher EducationCybersecurity
Ranked cybersecurity audit scoreboard for major Texas colleges and universities

An independent cybersecurity review of 10 major Texas colleges and universities finds a wide gap between flagship campuses and the 100% ideal domain security score. Sensitive student aid, payroll, research, and healthcare-adjacent communications still leave spoofing and mail-downgrade gaps on many .edu domains.

Using data from audit.emailmenow.com, we scored each primary campus domain on July 13, 2026 across identity, transport, website, and endpoint controls — including SPF, DKIM, DMARC, MTA-STS/TLS-RPT, and security headers.

Cybersecurity Scores — Texas Colleges & Universities

Overall compliance scores from audit.emailmenow.com. 100% is the ideal. Re-run any domain at the link to verify.

RankInstitutionDomainOverallIdentityTransportWebsiteLevel
1Texas A&M Universitytamu.edu76%65%45%92%Good
2UT San Antonioutsa.edu70%90%15%45%Good
3University of North Texasunt.edu66%75%45%45%Above Average
4Texas State Universitytxst.edu65%35%15%100%Above Average
5Texas Christian Universitytcu.edu58%25%15%92%Average
6UT Austinutexas.edu54%50%15%45%Average
7University of Houstonuh.edu44%25%15%45%Below Average
7Rice Universityrice.edu44%25%15%45%Below Average
7Southern Methodist Universitysmu.edu44%25%15%45%Below Average
10Texas Tech Universityttu.edu34%0%15%45%Weak

Category Highlights

FindingDetail
Ideal score100%0 of 10 campuses reached it overall
Best overallTexas A&M (tamu.edu) — 76%
Lowest overallTexas Tech (ttu.edu) — 34% with 0% Identity
Website idealOnly Texas State (txst.edu) hit 100% website
Transport gap8 of 10 scored 15% on transport (weak/missing MTA-STS enforce)
Email infraAll 10 showed 100% Email Infrastructure (hosted M365/Google)

Illustration: Texas university mail admins facing spoofed financial-aid phishing while DMARC is not fully enforced

What the Results Reveal

  • Scores span 76% down to 34% — none match the 100% ideal for campuses handling FAFSAs, payroll, and research IP.
  • Identity weakness clusters at Rice, UH, SMU, TCU (25%), and Texas Tech (0%) — spoofed @school.edu aid, housing, and HR mail stays deliverable.
  • Transport at 15% on eight campuses means inbound campus mail can still be downgraded without enforced MTA-STS.
  • Strong website headers (A&M 92%, TCU 92%, Texas State 100%) do not offset weak identity — phishing arrives by email, not by clickjacking alone.

Website stack note

  • UT Austin (utexas.edu): Drupal behind current (running 11; latest 11.4.2)

Attack Exposure on Campus Domains

Campuses scoring near 44% or below are disproportionately exposed to:

  • Financial-aid impersonation — fake FAFSA / refund / bursar notices that look like @utexas.edu or @uh.edu mail.
  • Payroll and direct-deposit fraud — spoofed HR asking staff to “update banking” after semester peaks.
  • Research & vendor BEC — spoofed procurement changing lockbox details for lab or facilities vendors.
  • Account-recovery abuse — fake SSO / Duo reset messages harvesting credentials for student and faculty portals.
  • Post-breach follow-on phishing — credible after Texas Tech HSC, St. Thomas Houston, and SMU OAG filings.

Priority Fixes for Texas Higher Ed IT

  1. Enforce DMARC p=reject (with alignment) on every student- and donor-facing domain — including hospital and foundation domains.
  2. Publish MTA-STS mode=enforce and TLS-RPT so inbound gradebook, aid, and health mail cannot be silently downgraded.
  3. Separate marketing / alumni sending from core instructional domains so SPF soft-fail does not weaken primary DMARC.
  4. Train help desks on callback verification — campus ransomware often starts with help-desk social engineering, then abuses spoofable mail.

Check any campus. Run a free Instant Cybersecurity Audit at audit.emailmenow.com or contact EmailMeNow for DMARC and MTA-STS enforcement on .edu estates.

Methodology: Primary campus domains audited July 13, 2026 via audit.emailmenow.com. Overall score aggregates identity, transport, email infrastructure, website, and endpoint signals. 100% is the ideal.