Doesn’t seem like the ISP did anything wrong (it was a godaddy setup). On the other hand, it’s hard to believe that State Department IT security won’t get busted for this, they had to be complicit.
godaddy is not an ISP. Godaddy got her domain name etc. Her ISP has to know she is going to be receiving email at clintonmail.com. this requires the ISP to allow TCP port 25 traffic thru their firewall.