> the DMARC offenders are primarily at the state, county, and local level.

This has been my experience as well. Likely due to their systems being managed by lowest-bidder MSPs.

Someone once shared their own analysis of each state's configuration a few years ago:

https://old.reddit.com/r/sysadmin/comments/cawch1/united_sta...

I wonder how it looks today.