In the last ten days, the digital front door of Virginia has been kicked wide open—twice.
On April 15, Arlington County issued an urgent alert: scammers were successfully impersonating the County Treasurer to divert vendor payments. Today, April 23, news broke that Virginia Health Services is reeling from a massive ransomware attack and data exfiltration by the "Worldleaks" group.
Our leaders are telling us to "be vigilant" and "look closely at the sender address."
That is the wrong advice.
Vigilance is a human fix for a technical failure. We don't ask citizens to "be vigilant" about whether a bridge will collapse; we expect the engineers to bolt it down correctly. My recent audit of 135 Virginia jurisdictions proves that when it comes to the digital "bolts" of email security, nearly a third of our state is hanging by a thread.
The Audit: 135 Jurisdictions, One Failing Standard
Using an Email Identity Maturity Score, I analyzed the public DNS configurations of every county and city in the Commonwealth. These are the same signals used by Gmail, Outlook, and every major corporate filter to decide if an email is a legitimate government communication or a phishing attempt.
The State of the State:
- Average Score: 78.7 / 100
- The DMARC Failure: 28% of localities have zero active policy to block spoofers.
- The DKIM Failure: 30% of localities lack the cryptographic "ID badge" required to verify their mail.
The Arlington Callout: A Preventable Scam
Arlington County currently scores a 72/100 in our audit. While they have modern tools in place, their DMARC policy is set to p=none.
In plain English: Arlington has a high-tech alarm system, but they have explicitly told the gatekeeper: "If you see someone wearing a mask and pretending to be the Treasurer, just write a note about it and let them in anyway."
If Arlington had simply moved from Monitoring (72) to Enforcement (100), the "Vendor Payment" scam that triggered last week's public warning would have been blocked automatically by the recipients' email servers.
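The difference between monitoring and enforcement is visible in the TXT record a domain publishes at _dmarc.<domain>. The following is an added example, not the audit's own tooling or scoring: it classifies a published record the way a receiver would read it under RFC 7489. The posture labels and the sample records on reserved .example domains are constructed for illustration.

```python
# Added example: classify the DMARC posture a domain publishes in DNS.
# Input: the TXT strings found at _dmarc.<domain>. SAMPLES is constructed
# data using reserved example domains, not any real locality's records.

ENFORCING = ("quarantine", "reject")

def parse_dmarc(txt_records):
    """Return the tag dict of the single DMARC record, or None."""
    found = [r.strip() for r in txt_records
             if r.replace(" ", "").startswith("v=DMARC1")]
    # RFC 7489 section 6.6.3: zero or several DMARC records = no policy.
    if len(found) != 1:
        return None
    tags = {}
    for part in found[0].split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def posture(txt_records):
    """Return 'missing', 'monitoring', 'partial' or 'enforcing'."""
    tags = parse_dmarc(txt_records)
    if tags is None:
        return "missing"
    policy = tags.get("p", "").lower()
    if policy not in ("none",) + ENFORCING:
        # Invalid p: receivers fall back to p=none only if rua is present.
        return "monitoring" if tags.get("rua") else "missing"
    if policy == "none":
        return "monitoring"  # spoofed mail is reported but still delivered
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # an unparsable pct is ignored, leaving the default
    # pct below 100 or sp=none leaves part of the mail flow unprotected.
    if pct < 100 or tags.get("sp", policy).lower() == "none":
        return "partial"
    return "enforcing"

SAMPLES = {  # constructed records
    "a.example": ["v=spf1 -all"],
    "b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@b.example"],
    "c.example": ["v=DMARC1; p=quarantine; pct=25"],
    "d.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@d.example"],
    "e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(f"{domain:10} {posture(records)}")
```

The last sample shows a failure mode that is easy to miss in an audit: a domain that publishes two DMARC records is treated as having none, even if one of them says p=reject.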
The "Race to the Bottom" in Procurement
Why is our security so wildly inconsistent across the Commonwealth? Why does Greensville County (population 11,000) achieve a perfect 100/100 on email security, while a massive hub like Virginia Beach languishes at 35/100?
Large jurisdictions often point to their size as an excuse. They claim they have too many legacy systems, disjointed departments, and third-party vendors to lock down their email infrastructure quickly.
But this is a failure of leadership, not a technical impossibility.
The reality is that any organization—no matter how large or complex—can simply move their DMARC policy to p=quarantine. Doing so immediately protects citizens from obvious spoofing while providing IT teams with daily forensic reports showing exactly which internal systems are failing. In a month or two of monitoring those reports, a competent IT department can easily identify and fix every rogue mail server and shadow vendor. Greensville didn't achieve a perfect score because they are small; they achieved it because they simply chose to do the work that others are ignoring.
The 30-Minute Fix
Here is the sincere reality: The lock is free.
The technical configurations required to move a locality from a 70 to a 100 don't require a single extra tax dollar for software or hardware. It takes approximately 30 minutes of work by an IT professional who actually knows how to implement it.
We don't need more "vigilance" from citizens. We need IT that actually implements the fix.