We assessed the public surface of szpa.ae from the outside, the way an attacker, a parent, or a search engine sees it. No accounts, no internal access, no intrusive testing. The headline is encouraging: the email foundation is stronger than most schools in the region. The work to do is in the parts that are still invisible or unmonitored.
Since our first review
progress
Our earlier complimentary advisory flagged that szpa.ae had no email authentication and could be freely impersonated. That has been addressed. szpa.ae now publishes a strict, locked configuration and can no longer be spoofed. The recommendation landed.
Authentication has also been added to the school's actual mail domains. On the main one, though, the DMARC record was implemented with a single-character error that voids it, so that protection is not yet doing its job. The detail is in the email section.
This assessment also widens the lens beyond email, to web security headers, hosting and data residency, and how visible an Outstanding school is to search and AI. Those areas are new to this review.
| Score | Indicator |
| --- | --- |
| A− | Email anti-spoofing (DMARC reject, strict) |
| 0 / 6 | Web security headers present |
| 0 | Structured-data blocks for AI search |
| EU | Hosting region (France, not UAE) |
| EN only | Homepage language signals for SEO |
What is working
strengths
Strong
Email cannot be easily spoofed
szpa.ae publishes DMARC p=reject with strict alignment and a matching subdomain policy, alongside SPF -all and no mail servers on the domain. In plain terms: a fraudster trying to send a fake "SZPA Finance" email from szpa.ae will be rejected by Gmail, Outlook and the major providers. This is a top-tier posture and ahead of most UAE schools.
Good
Sound web hygiene basics
HTTPS is enforced (HTTP redirects to HTTPS), the TLS certificate is valid, a sitemap and robots file are in place, and Google Analytics 4 is connected. The fundamentals a search engine needs to crawl the site are present.
Where the risk is
priorities
| Priority | Finding | Why it matters |
| --- | --- | --- |
| High | No web security headers | The site can be framed for clickjacking, served over an insecure downgrade, and offers no browser-side protection. A quick, low-risk fix. |
| High | Main mail domain unprotected by a typo | The DMARC record on zayedacademy.ae reads p-quarantine instead of p=quarantine, which voids it. The domain that carries the school's mail enforces no DMARC policy at all, despite appearing configured. |
| High | Invisible to AI and bilingual search | No structured data and an English-only homepage mean an Outstanding school is under-represented in Google rich results and absent from AI answers, for a 98% Emirati audience. |
| Medium | Hosting outside the UAE | The site is hosted in France. A note for data residency if any parent or pupil data is captured on the domain. |
| Medium | Information disclosure & weak URLs | Server and framework versions are advertised, and page URLs are non-semantic, which weakens both security and search. |
This is an external, passive review of the public website and its DNS. It does not cover the school's Microsoft 365 or Google Workspace tenant, its internal network, or any application behind a login. Those require granted access and are recommended as a separate, deeper review.
Email is where the school's reputation lives. A spoofed "school" email asking a parent for a payment is the single most common attack on an institution. Here, SZPA is well defended, with one important blind spot.
What the domain publishes today
verified 09 Jun 2026
| Record | Live value on szpa.ae | Verdict |
| --- | --- | --- |
| DMARC | v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; | Strong |
| SPF | v=spf1 -all | Locked |
| MX (mail servers) | None published | Web-only domain |
| DMARC reporting | No rua / ruf address | Blind |
Strong
Spoofing is actively rejected
With p=reject and strict alignment, mail that fails authentication for szpa.ae is rejected outright rather than quarantined. Combined with SPF -all and no mail servers on the domain, this declares szpa.ae a domain that sends no email, so any message claiming to come from it is fraudulent and will be dropped. This closes the exact attack described in our earlier complimentary advisory, which is now resolved.
High
Enforcement without visibility
The DMARC record has no rua (aggregate) or ruf (forensic) reporting address. SZPA is enforcing a strict policy but cannot see who is attempting to send as the domain, or whether any legitimate mail is being blocked. You have locked the door but removed the camera.
Fix: Add a reporting address, for example rua=mailto:dmarc-reports@szpa.ae, and review the first weeks of reports. Thirty minutes of work, immediate visibility. The Fourths can host and interpret the reports as a managed service.
High
The domains that carry the school's mail tell a different story
The school's published contact addresses run on zayedacademy.ae and zayedacademyboys.ae, both on Microsoft 365, not on szpa.ae. These are the domains where impersonation risk actually sits, and where authentication has to be right. SPF and DKIM are correctly configured on both. DMARC is where the implementation falls short.
Critical: On zayedacademy.ae, the main academy domain, the published DMARC record reads p-quarantine where it must read p=quarantine. That single character makes the record invalid, so no DMARC policy is enforced at all on the school's primary domain, and its reporting address is not a valid mailbox either. The boys' domain, zayedacademyboys.ae, is configured correctly with p=quarantine. The two are inconsistent.
A DMARC record that looks present but does not parse is the most costly kind of gap: it reads as "done" on a checklist while leaving the domain exposed. It is the difference between a record existing and a record working, and it is the kind of silent error that a verification pass, or a managed service, exists to catch. The exact records and corrected values are available on request.
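To show why a record reading p-quarantine enforces nothing, here is an added checker (not part of the original report) that applies the rules of RFC 7489 that a receiving mail server follows when it finds no valid p tag. The live szpa.ae record is taken from the table above; the typo and fixed records are constructed to mirror the finding, and the rua addresses are placeholders.

```python
import re

# Added example, not from the original report: a DMARC record checker that
# applies the RFC 7489 rules a receiver uses, to show why a record reading
# "p-quarantine" looks "done" on a checklist while enforcing nothing.
VALID_POLICIES = {"none", "quarantine", "reject"}
MAILTO_URI = re.compile(r"^mailto:[^\s@,]+@[^\s@,]+\.[^\s@,]+$")


def parse_dmarc(record):
    """Split a DMARC TXT record into tag/value pairs. Tokens without '='
    are not tags at all and are kept under '_malformed'."""
    tags = {"_malformed": []}
    for token in record.split(";"):
        token = token.strip()
        if not token:
            continue
        if "=" not in token:
            tags["_malformed"].append(token)
            continue
        name, value = token.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (policy_applied, findings). policy_applied is None when a
    receiver would apply no DMARC processing at all (RFC 7489 s6.6.3)."""
    tags = parse_dmarc(record)
    findings = [f"token {t!r} is not a tag (missing '=')" for t in tags["_malformed"]]
    if tags.get("v") != "DMARC1":
        return None, findings + ["no valid v=DMARC1 tag: record ignored"]
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    valid_rua = [u for u in rua if MAILTO_URI.match(u)]
    if not valid_rua:
        findings.append("no usable rua address: enforcement without visibility")
    policy = tags.get("p")
    if policy in VALID_POLICIES:
        return policy, findings
    # Missing or invalid p: receivers fall back to p=none only when a valid
    # rua URI exists; otherwise the domain gets no DMARC policy at all.
    findings.append(f"p tag missing or invalid ({policy!r})")
    if valid_rua:
        return "none", findings + ["treated as p=none: monitoring only"]
    return None, findings + ["NO DMARC POLICY ENFORCED"]


SZPA_RECORD = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"  # live value from the report
TYPO_RECORD = "v=DMARC1; p-quarantine; rua=dmarc-reports"          # constructed, mirrors the typo
FIXED_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.invalid"  # constructed

if __name__ == "__main__":
    for rec in (SZPA_RECORD, TYPO_RECORD, FIXED_RECORD):
        print(rec, "->", assess_dmarc(rec))
```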
Medium
Inbound mail routing is worth a second look
Both mail domains list a non-Microsoft server as the priority-zero inbound route, ahead of Microsoft 365. This may be deliberate, but it can route mail around Microsoft's own protections, so it is worth confirming against the school's intended setup.
The website itself is a modern build, but it ships without the standard browser-side protections that institutional sites are expected to carry, and it is hosted outside the UAE.
Security headers
0 of 6 present
HTTP response headers tell the browser how to protect the visitor. szpa.ae currently sends none of the six standard protective headers.
| Header | Status | What its absence allows |
| --- | --- | --- |
| Strict-Transport-Security | Missing | Leaves a window for an HTTPS downgrade / interception attack. |
| Content-Security-Policy | Missing | No defence against injected or malicious scripts (XSS). |
| X-Frame-Options | Missing | The site can be embedded in a hostile frame for clickjacking. |
| X-Content-Type-Options | Missing | Browsers may MIME-sniff and mis-execute content. |
| Referrer-Policy | Missing | Visitor navigation data leaks to third parties. |
| Permissions-Policy | Missing | No restriction on camera, microphone or geolocation access by embedded content. |
High
Add the standard header set
None of these require code changes to the site itself; they are configured once at the web server or CDN layer. This is among the highest-value, lowest-risk fixes available and is the kind of detail an ADEK-aware institution should not be missing.
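An added audit script (not from the report) that scores a response against the six headers above and also flags the version-disclosure headers discussed under hosting. The "observed" response uses the header values the report records; the "hardened" response and its values are constructed, illustrative settings rather than the school's configuration.

```python
import re

# Added example, not from the original report: checks the six protective
# headers the report scores and the two disclosure headers it flags.
# Header names are matched case-insensitively, as browsers do.
def _hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value)
    return bool(m) and int(m.group(1)) >= 31536000  # at least one year

REQUIRED = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": lambda v: "default-src" in v,
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: v.strip().lower() in {
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"},
    "permissions-policy": lambda v: bool(v.strip()),
}

def audit_headers(headers):
    """Return present/weak/missing header names, any disclosure headers,
    and the 'N of 6' score used in the report."""
    lower = {k.lower(): v for k, v in headers.items()}
    result = {"present": [], "weak": [], "missing": [], "disclosed": {}}
    for name, check in REQUIRED.items():
        if name not in lower:
            result["missing"].append(name)
        elif check(lower[name]):
            result["present"].append(name)
        else:
            result["weak"].append(name)  # present but too weak to protect
    for name in ("server", "x-powered-by"):
        value = lower.get(name, "")
        # A bare product name is tolerable; a version token or framework
        # banner hands out a free map of what to target.
        if value and (name == "x-powered-by" or re.search(r"/\d", value)):
            result["disclosed"][name] = value
    result["score"] = f"{len(result['present'])} of {len(REQUIRED)}"
    return result

# Constructed responses: the first mirrors what the report observed on
# szpa.ae; the second shows the same site with the recommended header set.
AS_OBSERVED = {"Server": "nginx/1.29.8", "X-Powered-By": "Next.js", "Content-Type": "text/html"}
HARDENED = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("observed", AS_OBSERVED), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs))
```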
Hosting & disclosure
verified 09 Jun 2026
Medium
Hosted in France, not the UAE
The site resolves to an OVH IP address (137.74.117.119) in France. For a brochure site this is workable, but for a UAE royal-associated institution it is worth a deliberate decision: any form that captures parent or pupil data on this domain would place that data outside the UAE, which is a UAE PDPL consideration. UAE-region hosting (for example Azure UAE North) removes the question entirely.
Medium
Server and framework versions advertised
Responses disclose Server: nginx/1.29.8 and X-Powered-By: Next.js. This hands an attacker a free map of what to target. Suppressing these tokens is a one-line configuration change.
Good
Transport security is sound
HTTPS is enforced with a valid Let's Encrypt certificate (renewed May 2026), and HTTP requests are permanently redirected to HTTPS. Adding HSTS would complete this.
This is where the gap between SZPA's standing and its digital footprint is widest. An Outstanding-rated school, with a 98% Emirati community, is barely visible to the search and AI tools parents now use to choose a school, and almost entirely absent in Arabic.
| Count | Indicator |
| --- | --- |
| 0 | JSON-LD structured-data blocks |
| 0 | hreflang language signals |
| Live | GA4 analytics (G-3B07MRBC33) |
Findings
SEO / AEO
High
No structured data, so invisible to AI answers
The homepage carries zero structured-data blocks. There is no EducationalOrganization schema describing the school, its rating, location or admissions. When a parent asks Google, ChatGPT or a voice assistant "best private school in Abu Dhabi", SZPA has given those systems nothing structured to quote. Competitors who add this will be the ones cited.
Fix: Add EducationalOrganization, LocalBusiness and FAQ schema, in English and Arabic. This is the single highest-leverage discoverability change available.
High
English-only signals for an Arabic-first audience
The homepage declares lang="en" and emits no hreflang tags. An Arabic surface exists at /ar, but with no language signals connecting the two, search engines cannot serve the right version to Arabic-searching parents, and the Arabic content earns no independent ranking. For a 98% Emirati community this is the most consequential SEO gap.
Fix: Implement reciprocal hreflang between the English and Arabic versions, and reflect both in the sitemap.
Medium
Non-semantic URLs and weak social previews
Sitemap URLs include /section_details and /copyright_2026, and intuitive paths such as /news, /events and /admissions return 404 rather than redirecting. The homepage also carries only a single Open Graph tag, so links shared on WhatsApp, the channel Emirati parents actually use, render without a rich preview.
Fix: Move to descriptive URLs with redirects from common paths, and add a full Open Graph and Twitter card set with the school crest.
Good
Crawl foundations are in place
A valid title and meta description, a robots file that allows indexing and references the sitemap, and 37 sitemap URLs mean the basic crawl path is healthy. The work is in enrichment, not repair.
A school website is a trust signal. When a parent hits a broken page during an admissions decision, the school pays for it in confidence, not just in analytics.
Observations
site stability
Medium
Broken pages observed
During crawling, a number of pages returned 502 Bad Gateway and "Not Found" responses, and several common navigation paths return 404 today. Some 502s may have been transient, but the pattern points to no uptime or error monitoring in place. Nobody is being told when the site breaks.
Fix: Add uptime monitoring and a real-time error alert. The Fourths runs this as a standing service, with a plain-language daily summary in English and Arabic.
Medium
No custom 404 recovery
Missing pages return a bare "Not Found" rather than guiding the visitor back into the site. For an admissions funnel, every dead end is a lost enquiry.
Most of what matters here is fast and low-risk. We would sequence it so the quick protective wins land first, then the discoverability work that turns an Outstanding reputation into measurable enrolment interest.
A phased path
indicative
01
Quick wins, within days
Add the six security headers and HSTS. Suppress server and framework version disclosure. Add a DMARC reporting address and begin collecting reports. Identify and check the live mail domain. None of this touches the site's content.
02
Discoverability, weeks 1–4
Add EducationalOrganization, LocalBusiness and FAQ structured data in both languages. Implement reciprocal hreflang. Repair URLs and add redirects. Complete the Open Graph set so shared links render properly on WhatsApp.
03
Monitoring & residency, ongoing
Stand up uptime and error monitoring with bilingual daily summaries. Plan a move to UAE-region hosting for any surface that captures parent or pupil data, to settle the PDPL question for good.
04
Deeper review, on access
The largest risks for any school sit behind a login, in the Microsoft 365 or Google Workspace tenant: administrator accounts, multi-factor authentication, OAuth consents and data handling. We recommend a separate internal review once access is granted, in the form we run for our managed clients.
Indicative sequencing only, shared to show the shape of the work. It is not a quote or a commitment. Scope, timing and pricing would follow a conversation and, where regulatory points are involved, SZPA's own legal and compliance review.
Everything in this report is verifiable. We list what we checked, how, and when, so any claim can be reproduced.
Scope & method
passive, external
- Passive and external only. We queried public DNS and made standard web requests to the public site. No accounts, no logins, no intrusive scanning, no attempt to access non-public systems.
- What we did not assess. The Microsoft 365 / Google Workspace tenant, internal networks, application logic behind authentication, and the separate mail domain. These need granted access and are recommended as a follow-on review.
- Assessment date. 9 June 2026. DNS and the public web change over time; findings are a point-in-time snapshot.
Sources & verification
reproducible
| Claim | How verified |
| --- | --- |
| DMARC p=reject, strict alignment, sp=reject | DNS TXT lookup of _dmarc.szpa.ae |
| SPF v=spf1 -all, no MX records | DNS TXT and MX lookup of szpa.ae |
| No DMARC reporting address | Absence of rua / ruf in the DMARC record |
| All six security headers missing | HTTP response header inspection of https://szpa.ae |
| Hosting in France (OVH) | DNS A record 137.74.117.119, network ownership |
| Server / framework disclosure | Server and X-Powered-By response headers |
| Valid TLS, HTTPS enforced | Certificate inspection and redirect check (308 to HTTPS) |
| 0 structured-data blocks, 0 hreflang, English homepage | Source inspection of the homepage HTML |
| GA4 connected (G-3B07MRBC33) | Tag present in homepage source |
| Sitemap (37 URLs), robots present, non-semantic URLs | Fetched /robots.txt and /sitemap.xml; live status checks |
| Broken pages (502 / Not Found) | Site crawl plus live status checks on common paths |