We already knew security for her private e-mail was a national security disaster in the making. We just didn’t know how big of a disaster.

Hanlon’s razor says we should never attribute to malice what can adequately be explained by stupidity, but how stupid do you have to be to make your cabinet-level e-mail correspondence this easily manipulated by foreign spies? Is there some obvious reason we’re missing why she might have wanted meager security?

According to publicly available information, whoever administrated the system didn’t enable what’s called a Sender Policy Framework, or SPF, a simple setting that would prevent hackers sending e-mails that appear to be from clintonemail.com. SPF is a basic and highly recommended security precaution for people who set up their own servers…

“If a Sender Policy Framework was not in use, they could send an e-mail that looks like it comes from her to, say, the ambassador of France that says, ‘leave the back door open to the residence a package is coming,'” added Gourley. “Or a malicious person could send an e-mail to a foreign dignitary meant to cause an international incident or confuse U.S. foreign policy.”

Spoofing a senior official’s e-mail identity is also an easy way to conduct “spear phishing” attacks, where an attacker sends a personally crafted e-mail that appears to come from a trusted source. Once the target opens it, his own system can be compromised. Clinton said she e-mailed with dozens of State Department and White House officials using her server, including President Barack Obama.

Coincidentally, the entire unclassified State Department e-mail system was down just days ago in order to rid it of malware that had somehow been inserted into it, probably by Russian hackers. There’s no evidence that Hillary’s e-mail was their gateway, though, stress Josh Rogin and Eli Lake. With good reason: As it turns out, the official State Department system … also doesn’t have SPF enabled.

Hot Air’s resident tech wizard, Mark Jaquith, explained to me that SPF is a DNS entry that says, essentially, “here are the IP addresses that can send mail for this domain.” If you send a message to a friend with SPF enabled, your friend’s server will check to make sure the IP address on your message matches one of the addresses owned by your host (e.g., Gmail). Without it enabled, it can’t perform that check, which means in theory that someone in Moscow could have e-mailed Huma Abedin under a “spoof” e-mail address matching Hillary’s and Abedin’s e-mail server would have had no way of knowing that that e-mail didn’t actually originate from clintonemail.com. I asked Jaquith if there’s a reason why anyone — not a lofty cabinet official but any ol’ private e-mail user — might want to disable SPF. Would it make e-mail run faster? Make it accessible via more platforms? There has to be some sound reason to skip a basic step like that. “Laziness or ignorance,” he said.

But wait, it gets worse. Here’s another security hole via Boing Boing that’s emerged just within the last 24 hours:

It’s been years since the spam wars were at the front of the debate, but all the salient points from then remain salient today: when you let unaccountable third parties see your mail and decide which messages you can see, the potential for mischief is unlimited.

Hilary Clinton used Mxlogic — now a division of Intel — to filter her clintonemail.com mail. The service would have received all of her email before it was forwarded on to her. Sensitive and confidential matters of state were exposed to untrustworthy insiders and spies/crooks who penetrated their network.

So not only might foreign intelligence have been e-mailing with Hillary’s inner circle posing as Hillary herself, unbeknownst to her, but employees at Intel could have been reading actual e-mail exchanges between the real Hillary and, oh, say, Barack Obama. All because it was more important to her to keep her correspondence away from American voters than from enemy spies and random tech company employees.

Note, incidentally, that SPF is a different type of security than the nightmarish stuff that Gawker wrote about a few weeks ago. The former has to do with making sure messages are coming from the e-mail account they’re supposedly coming from. The flaws that Gawker explored, like using self-signed security certificates instead of ones from trusted third-parties and allowing public login pages that would let anyone on the Internet try to try to access clintonemail.com, are flaws in the security of the server itself and are much more dangerous in that they would have allowed entry potentially into Hillary’s e-mail account. When Rogin and Lake asked Hillary’s spokesman about the server’s security, he assured them that everything was shipshape and that third-party experts had been hired to protect the server, although of course he refused to say who they are because chumps like you who paid her salary for four years don’t get to know things like that. We need the names, though, for the simple reason that it beggars belief to think any true security pro wouldn’t use simple precautions to prevent all of these problems. Between the SPF problem, the server security flaws, and the decision to allow commercial spam filtering, Jaquith says not a single thing was done right here. So let’s find out who Hillary, the Smartest Woman in the World, who surely would have done due diligence in hiring a cybersecurity expert to protect state secrets, decided to trust on all this. All that’s left now is finding out that her password was “password”.

Exit question via Andy McCarthy: If the director of the CIA was required to sign a formal separation agreement saying he’d turned over all classified material, why wasn’t Hillary Clinton?