Original research · Red Bridge Cyber

The Australian Education Posture Baseline

The Australian Education Posture Baseline measures the public-facing security posture of Australian education institutions — universities, TAFEs and schools on .edu.au domains. Each quarterly edition scans a deterministic sample across the Security, Email and Domain categories of every Red Bridge Cyber scan. Education sits in a distinctive position in the comparison: institutions that hold large volumes of personal data and run substantial IT estates, with security capability ranging from a university SOC to a school office — a sector every Australian family interacts with.

When an article on this site says something like (Red Bridge Cyber Education Posture Baseline, June 2026), this page is what that citation points to.

Current edition — June 2026

The June 2026 edition (the first) scanned a deterministic sample of 75 domains drawn from a validated pool of Australian education institutions (.edu.au), completing on 12 June 2026. Results are below; how every number is produced is described in the Methodology section at the end of this page.

Executive summary of findings

The June 2026 edition scanned 75 Australian education institutions, spanning universities, TAFEs and schools. A sector that holds more personal data per organisation than almost any other records a median grade of E (42/100) on DNS hardening (Domain), B (81/100) on email posture, and E (36/100) on web security.

  • Security is the weak flank. 41% of scored sites land in the F band; 77% publish no Content-Security-Policy and 55% send no HSTS header.
  • The DMARC gap is wide for a data-heavy sector. 95% publish a DMARC record but only 57% enforce it — nearly two in five institutions are monitoring spoofing of their own domain without stopping it.
  • The mail basics are genuinely strong. SPF at 99% and DKIM at 89% lead every cohort — school and university mail flows are professionally run.
  • DNS hardening is near-absent. DNSSEC 3%, CAA 15%, MTA-STS 4%.

Full results tables below. 75 domains were sampled, and every unscorable domain is disclosed with its reason. The DMARC, SPF and MTA-STS percentages in the summary are the Domain-table figures; the Email table reports its own pass rates for the overlapping checks.

Email      B   median 81/100 · n=75
Domain     E   median 42/100 · n=75
Security   E   median 36/100 · n=73

Email

Email posture — can the domain’s mail be trusted, and can the domain be spoofed? Median grade B (81/100). Share of the cohort passing each check:

Check                             % passing
Mail-routed (MX with STARTTLS)    96%
SPF                               97%
DMARC                             56%
DKIM                              89%
MTA-STS                            1%
TLS-RPT                            4%
DNSSEC                             3%
Reverse DNS                       93%

All 75 sampled domains were scoreable for email.

Domain

Domain (DNS) posture — the records that protect the domain name itself. Median grade E (42/100). Share of the cohort with each control in place:

Check                                 % with control
SPF record                            99%
DMARC published                       95%
DMARC enforced (quarantine/reject)    57%
DNSSEC                                 3%
CAA record                            15%
MTA-STS                                4%
IPv6 at the apex                      24%

All 75 sampled domains were scoreable for domain.

Security

Web security posture — TLS configuration, security headers and the basics of a defensible website. Median grade E (36/100), the weakest category measured. Share of scored sites missing each control:

Check                               % missing
HTTPS enforcement                   15%
HSTS                                55%
Content-Security-Policy             77%
X-Content-Type-Options (nosniff)    41%
Referrer-Policy                     70%
Permissions-Policy                  82%
TLS 1.3                             22%
security.txt                        93%

73 of 75 sampled domains scored (2 excluded because the apex permanently redirects to a different domain; see Commentary).
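The header checks in the table above can be reproduced from a single page fetch. The Python below is an added example written for this page, not Red Bridge Cyber's scanner, and it does not claim to match the baseline's scoring rules: the response headers are constructed for three hypothetical sites, and the weak-value rules (the MIN_HSTS_AGE threshold, the CSP and Referrer-Policy checks) are this example's own additions. It goes one step past the table by distinguishing a header that is absent from one that is present but configured so that it gives little protection.

```python
"""Check response headers for the controls in the Security table and flag
weak values. Added example; not Red Bridge Cyber's scanner, and the
weakness thresholds below are this example's own choices."""
import re

# Assumed threshold: one year, the minimum the HSTS preload list expects.
MIN_HSTS_AGE = 31536000

# Table label -> header name (matched case-insensitively).
CONTROLS = {
    "HSTS": "strict-transport-security",
    "Content-Security-Policy": "content-security-policy",
    "X-Content-Type-Options (nosniff)": "x-content-type-options",
    "Referrer-Policy": "referrer-policy",
    "Permissions-Policy": "permissions-policy",
}

LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}

# Constructed response headers for three hypothetical sites, shaped like what
# an HTTP client returns from a normal page fetch. Not real institutions.
SAMPLE_RESPONSES = {
    "hardened.example": {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    },
    "partial.example": {
        "strict-transport-security": "max-age=300",
        "content-security-policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
        "x-content-type-options": "nosniff",
        "Content-Type": "text/html",
    },
    "bare.example": {"Server": "Apache", "Content-Type": "text/html"},
}


def weakness(name, value):
    """Return a note if a present header is configured weakly, else None."""
    v = value.strip().lower()
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        if not m:
            return "no max-age directive; browsers ignore the header"
        if int(m.group(1)) < MIN_HSTS_AGE:
            return f"max-age={m.group(1)} is below {MIN_HSTS_AGE}s"
    elif name == "content-security-policy":
        if "'unsafe-inline'" in v and "'nonce-" not in v and "'sha256-" not in v:
            return "'unsafe-inline' without nonces or hashes; inline script injection still runs"
        if "default-src" not in v and "script-src" not in v:
            return "neither default-src nor script-src; scripts are unrestricted"
    elif name == "referrer-policy":
        # In a comma-separated list the last recognised token is the one browsers use.
        if v.split(",")[-1].strip() in LEAKY_REFERRER:
            return f"{value!r} leaks full URLs to cross-origin destinations"
    return None


def assess_headers(headers):
    """Return the controls missing from one response and notes on weak ones.
    X-Content-Type-Options counts as missing unless its value is exactly nosniff."""
    h = {k.lower(): v for k, v in headers.items()}
    missing, weak = [], []
    for label, name in CONTROLS.items():
        value = h.get(name)
        if value is None or (name == "x-content-type-options" and value.strip().lower() != "nosniff"):
            missing.append(label)
            continue
        note = weakness(name, value)
        if note:
            weak.append(f"{label}: {note}")
    return {"missing": missing, "weak": weak}


def missing_rates(responses):
    """Percentage of sites missing each control, the shape of the table above."""
    n = len(responses)
    counts = {label: 0 for label in CONTROLS}
    for headers in responses.values():
        for label in assess_headers(headers)["missing"]:
            counts[label] += 1
    return {label: round(100 * c / n) for label, c in counts.items()}


if __name__ == "__main__":
    for site, headers in SAMPLE_RESPONSES.items():
        print(site, assess_headers(headers))
    print(missing_rates(SAMPLE_RESPONSES))
```

The presence-or-absence figure is what the table reports; the "weak" list is the part a remediation ticket needs, because a 300-second HSTS max-age or a CSP of `default-src * 'unsafe-inline'` would count as "present" in a pure presence scan while protecting almost nothing.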

Commentary

Education sits exactly where its structure predicts: the centrally-run mail infrastructure is some of the best measured in this programme, while the web surface, often spread across faculties, campaigns and legacy sites, trails well behind. An institution that holds enrolment records, health details and family financial data and scores a median E on public web security is the gap worth sitting with; for most of these organisations the fixes are configuration, not procurement.

The DMARC pattern deserves its own line for this sector. A spoofed school or university domain is a phishing instrument aimed at parents and students, and 95% of institutions have published the record that could stop it, but only 57% have switched enforcement on (p=quarantine or p=reject). The remaining step costs a decision, not a budget: once the aggregate reports that a p=none record already collects confirm that every legitimate sender is SPF- or DKIM-aligned, the change is one tag in one TXT record.
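The published-versus-enforced distinction used in the Domain table and discussed above comes down to reading tags out of a TXT record. The Python below is an added example, not the Red Bridge Cyber scanner: the DMARC and SPF records are constructed samples for hypothetical domains, tag handling follows RFC 7489 and RFC 7208, and the extra warnings (pct below 100, sp=none on subdomains, a permissive or missing 'all' term, more than ten SPF lookup terms) are this example's own checks rather than anything the baseline scores.

```python
"""Classify DMARC and SPF TXT records into 'published' and 'enforced'.
Added example; not Red Bridge Cyber's scanner. Tag syntax follows RFC 7489
(DMARC) and RFC 7208 (SPF); the pct/sp/lookup-count warnings are this
example's own extra checks."""
import re

# Constructed sample records (not real institutions), shaped like the TXT
# answers a resolver returns for _dmarc.<domain> and <domain>.
SAMPLE_RECORDS = {
    "monitor-only.example": {
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
    },
    "enforced.example": {
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@enforced.example",
        "spf": "v=spf1 include:_spf.google.com ~all",
    },
    "partial.example": {
        "dmarc": "v=DMARC1; p=quarantine; pct=10",
        "spf": "v=spf1 +all",
    },
    "subdomain-hole.example": {
        "dmarc": "v=DMARC1; p=reject; sp=none",
        "spf": "v=spf1 include:a.example include:b.example mx a -all",
    },
    "no-dmarc.example": {"dmarc": None, "spf": None},
}

ENFORCING = ("quarantine", "reject")


def parse_tags(record):
    """Split 'k=v; k=v' into a dict with lower-cased keys (DMARC tag names are
    case-insensitive; values such as mailto: URIs keep their case)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(record):
    """Return published/enforced flags plus the warnings a reviewer would want."""
    result = {"published": False, "enforced": False, "policy": None, "notes": []}
    if not record:
        return result
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        result["notes"].append("TXT at _dmarc is not a DMARC1 record")
        return result
    result["published"] = True
    policy = tags.get("p", "none").lower()
    if policy not in ("none",) + ENFORCING:
        result["notes"].append(f"p={policy!r} is not a valid policy; treated as none")
        policy = "none"
    result["policy"] = policy
    result["enforced"] = policy in ENFORCING
    # pct defaults to 100; a lower value applies the policy to a sample only.
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if result["enforced"] and pct < 100:
        result["notes"].append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    # sp governs subdomains and defaults to p; sp=none reopens them to spoofing.
    if result["enforced"] and tags.get("sp", policy).lower() == "none":
        result["notes"].append("sp=none: subdomains stay at monitor-only")
    return result


def classify_spf(record):
    """Return whether an SPF record exists and how it ends. +all or no 'all'
    term means any sender passes; more than 10 lookup terms is a permerror."""
    result = {"published": False, "all_qualifier": None, "lookup_terms": 0, "notes": []}
    if not record or not record.lower().startswith("v=spf1"):
        return result
    result["published"] = True
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?").lower()
        if re.match(r"^(include:|exists:|redirect=|a\b|mx\b|ptr\b)", mech):
            result["lookup_terms"] += 1
        if mech == "all":
            result["all_qualifier"] = qualifier
    if result["all_qualifier"] in (None, "+", "?"):
        result["notes"].append("no restrictive 'all' term: SPF does not reject any sender")
    if result["lookup_terms"] > 10:
        result["notes"].append(f"{result['lookup_terms']} lookup terms exceed the limit of 10 (permerror)")
    return result


def summarise(records):
    """Sector-style percentages over a mapping of domain -> records."""
    n = len(records)
    dmarc = [classify_dmarc(r["dmarc"]) for r in records.values()]
    spf = [classify_spf(r["spf"]) for r in records.values()]
    return {
        "n": n,
        "dmarc_published_pct": round(100 * sum(d["published"] for d in dmarc) / n),
        "dmarc_enforced_pct": round(100 * sum(d["enforced"] for d in dmarc) / n),
        "spf_published_pct": round(100 * sum(s["published"] for s in spf) / n),
    }


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(domain, classify_dmarc(recs["dmarc"]), classify_spf(recs["spf"]))
    print(summarise(SAMPLE_RECORDS))
```

On the constructed sample, three of the five domains count as enforced under the quarantine/reject criterion, yet two of those three carry a note: pct=10 enforces against a tenth of failing mail, and sp=none leaves every subdomain spoofable. A presence check on p= alone does not see either, which is why the notes are worth carrying alongside the headline percentage.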

Two of the 75 sampled domains could not be scored for security because their apex permanently redirects to a different domain — typical of school mergers and rebrands — and they are disclosed above rather than hidden. Exclusion is always decided on objective criteria before any score is read. Every measurement uses the public surface only: DNS lookups, a normal page fetch, and public scanning endpoints.

Methodology

Every cohort baseline is produced by the same methodology: quarterly cadence, a deterministic seeded sample drawn from a validated pool, and scan failures excluded before scoring — never on score. Read the full methodology on the research overview.

Previous editions

This baseline refreshes quarterly, and this page always carries the latest edition. As editions are superseded, their headline tables will be archived here so that any older citation can be checked against the edition it was drawn from.