In the last ten days, the digital front door of Virginia has been kicked wide open—twice.
On April 15, Arlington County warned that scammers had impersonated the County Treasurer and diverted vendor payments. Today, April 23, Virginia Health Services confirmed a major ransomware attack and data theft by the group calling itself “Worldleaks.”
And once again, the public was told to “be vigilant” and “check the sender address.”
That advice misses the point.
Vigilance is a human workaround for a technical failure.
We don’t ask residents to “be vigilant” about whether a bridge might collapse; we expect engineers to bolt it together correctly. Yet my audit of 135 Virginia jurisdictions shows that when it comes to the digital bolts of email authentication, nearly a third of the Commonwealth is operating with loose screws.
The Audit: 135 Jurisdictions, One Standard—Mostly Missed
Using an Email Identity Maturity Score, I analyzed the DNS records of every county and city in Virginia. These are the same signals Gmail, Outlook, and every major provider use to decide whether an email is legitimate or a spoof.
What I found:
- Average Score: 79.1 / 100
- DMARC Gap: 28% of localities have no active policy to block spoofed email
- DKIM Gap: 30% lack the cryptographic signature that proves their email is real
These aren’t obscure technicalities. They are the foundation of modern email trust.
Arlington County: A Preventable Failure
Arlington currently holds a 72/100 identity score. On paper, they have the tools; in practice, they’ve left the safety off.
Last week’s vendor-payment scam was technically "human error"—the scammers used a random Gmail address. But that error was only possible because Arlington hasn't claimed its own digital space. While a DMARC policy won't block a Gmail account, it is the mandatory foundation for BIMI (Brand Indicators for Message Identification).
BIMI is the "Blue Checkmark" of the email world. It puts the official County seal directly next to every legitimate email in a resident's inbox. Without it, residents are forced to play a high-stakes guessing game: Is this real, or is this a mask?
The irony of the "failure" is the math behind it. Implementing BIMI is a low-lift technical standard. In fact, it likely costs less to implement than the collective taxpayer dollars spent on the decision-making process, legal review, and PR approval chain required to blast out last week’s emergency public warning.
By staying in "Monitoring Mode" (p=none), Arlington has chosen a cycle of expensive reaction over a one-time investment in verification. If the County doesn’t value its own identity enough to verify it, we shouldn't be surprised when residents can't tell the difference between a public servant and a scammer with a burner account.
Virginia Beach: A House Divided
Virginia Beach is managing a split identity, and failing both. Their official virginiabeach.gov domain—the ultimate symbol of trust—languishes at a 35/100 with no digital borders. Meanwhile, their operational domain (vbgov.com) scores an 82/100 but suffers from the "Arlington Malady": a DMARC policy left at p=none.
The Trust Gap
It isn't unusual for a city to manage multiple domains, but trust is binary—it’s either enforced or it isn't. It doesn’t matter if the City doesn’t use the .gov for active mail; the "virginiabeach" name is on the lease. If the City doesn't claim that authority, bad actors will.
The Open Door Policy
By leaving the .gov door wide open and the .com door merely "monitored," Virginia Beach has built two entry points for scammers and locked neither. Until the City synchronizes its security and moves to Enforcement, it remains a silent accomplice to the very "human error" it warns its citizens to avoid.
Domain security isn't about what you send; it's about what you prevent others from sending in your name.
Procurement and the “Race to the Bottom”
Why does security vary so wildly across Virginia? Why does Greensville County (population 11,000) score a perfect 100/100, while a major hub like Virginia Beach sits at 35/100?
Large jurisdictions often blame complexity—legacy systems, sprawling departments, too many vendors.
But this isn’t a technical barrier. It’s a leadership decision.
Any organization, no matter how large, can move its DMARC policy to p=quarantine. That single change immediately blocks obvious spoofing and generates daily reports showing exactly which systems need attention. Within a month or two, a capable IT team can identify and fix every misconfigured server and shadow vendor.
Greensville didn’t score 100 because they’re small. They scored 100 because they acted.
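An added example, not part of the original audit and not the Email Identity Maturity Score: a small Python check that classifies the TXT value published at _dmarc.<domain> as missing, monitoring (p=none), partially enforced or enforced, and reports whether aggregate reports (rua) are requested and whether the DMARC-side prerequisite for BIMI is met. The .example domains and records are constructed, and the posture labels and function names are assumptions made for illustration.

```python
# Added example: classify DMARC posture from the TXT values at _dmarc.<domain>.
# Tag meanings follow RFC 7489; posture labels are this example's own.

def parse_tags(txt):
    """Split 'k=v; k=v' into a dict with lowercase keys."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def assess(txt_records):
    """Return posture, whether reports are requested, and BIMI readiness."""
    absent = {"posture": "no-policy", "reports": False, "bimi_ready": False}
    # Only a value whose first tag is exactly v=DMARC1 is a DMARC record.
    dmarc = [t for t in txt_records
             if t.split(";", 1)[0].replace(" ", "") == "v=DMARC1"]
    if len(dmarc) != 1:          # zero or several records: receivers apply none
        return absent
    tags = parse_tags(dmarc[0])
    reports = tags.get("rua", "").lower().startswith("mailto:")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        if not reports:          # invalid p and nowhere to report: ignored
            return absent
        policy = "none"          # invalid p with rua is treated as p=none
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if policy == "none":
        posture = "monitoring"   # receivers are asked to take no action
    elif pct < 100:
        posture = "partial"      # policy applies to only pct% of failing mail
    else:
        posture = "enforced"
    sp = tags.get("sp", policy).lower()   # subdomains inherit p unless sp is set
    bimi_ready = posture == "enforced" and sp != "none"
    return {"posture": posture, "reports": reports, "bimi_ready": bimi_ready}

# Constructed sample records (reserved .example names, not audit data).
SAMPLES = {
    "no-record.example": [],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "rollout.example": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:d@rollout.example"],
    "blind.example": ["v=DMARC1; p=quarantine"],
    "enforced.example": ["v=DMARC1; p=reject; sp=reject; rua=mailto:d@enforced.example"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(f"{domain:20} {assess(records)}")
```

Feed it the result of a TXT lookup for _dmarc.<domain>. A record like blind.example is enforced but requests no reports, because aggregate reports are only sent when a rua address is published.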
The 30‑Minute Fix
Here’s the part no one wants to say out loud: the lock is free.
Moving a locality from a 70 to a 100 requires no new software, no new hardware, and no new tax dollars. It takes about 30 minutes from an IT professional who knows how to configure modern email authentication.
We don’t need more “vigilance” from citizens. We need the people responsible for the infrastructure to turn the key.
See Where Your County Stands
View the complete digital trust audit of all 135 Virginia jurisdictions, including full rankings and data sets.