Re: Top Secret- NOFORN
Classified through compilation or discovery of classified information/material that has not been properly marked means... well... it's classified. You cannot be the Secretary of State and not expect to receive classified information intentionally and sometimes accidentally (i.e, a "spill"). Therefore, your email server had better be official, with proper protections, security controls, security plans, spill procedures, etc. Zero excuse.
That highlights some of the political, legal and IT issues around this saga. One oddity is that the 30k emails handed over by the Clinton team from her time as Sec State didn't include any 'classified' emails, ie ones that had been protectively marked. That would seem unusual for emails to/from a cabinet level post where you'd reasonably expect them to be handling sensitive content.
Politically, that opens up attacks that classified emails were deleted/intentionally witheld to avoid issues around mishandling classified content. And given the server was later wiped, it also makes it harder for Clinton to defend against those accusations.
The lack of protective marking also indicates a training problem, or perhaps complacency in State or other federal staff mailing Clinton, ie not classifying content correctly. Reports mention using a (c) convention to indicate a paragraph or part of an email should be classified. The report also mentions that certain information is 'born classified'.. But if it's not marked, relies on the recipients to know that and treat it appropriately.
Then there's the IT stuff. One aspect is also compliance with federal records retention. If Clinton had asked IT to set up a server, they could have set up an appropriately secured one. Then it'd be simple to use say 'HRClinton@state.gov', auto-forward to her server and archive as appropriate. Complication would be on the user end, ie having a reply-from state.gov for official correspondence or a different reply-from for private.. But that's the usual IT challenge when users mix official and personal correspondence.
Having a 'VIP' insist on special handling is also an IT challenge, but seems to have been an issue in this case, ie staff being told not to question the email arrangements, or just using the private email address. It's again odd that official correspondence would be sent to that address rather than an official state.gov one. Reports say she only used the personal email, but it's conceivable an official state.gov address existed & staff monitored that one.
But by not following good infosec procedures, Clinton ended up opening herself to the political attacks we've seen.