Which industry & country has the worst email security

Every day, cybercriminals send around 3.4 billion phishing emails. 90 percent of successful cyber attacks originate from one of these emails.

We analyzed the live DNS records for 5,849 domains across 13 sectors, scoring each domain on eight points based on its Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Mail Transfer Agent Strict Transport Security (MTA-STS).

96 percent of IT security and decision makers expect to see email security challenges throughout 2026, so you’d be forgiven for thinking that most organizations would be meeting the basics. However, our findings show that more than eight percent of organizations’ domains are fully unprotected, meaning they have no SPF, DMARC, DKIM, or MTA-STS measures in place. A mere 0.6 percent scored full marks for having all of the protections in place and at the highest level.

Which industries have the worst email security?

Government agencies and healthcare providers*.

Government agencies had the lowest average score by far (2.73) and had the highest number of unprotected domains with nearly 27 percent in total. Healthcare providers had the second-lowest average score (3.43) and the second-highest rate of unprotected domains (more than 19%).

In contrast, technology companies had the highest average score (4.83) and the lowest rate of domains with zero protection (2%).

What about the worst countries**?

Asian countries/territories had the lowest average scores, with China (2.3), South Korea (2.84), Hong Kong (3.07), and Japan (3.53) ranking among the lowest. The European countries of France (3.77), Germany (3.8), and Spain (3.98) also scored poorly.

Among the highest-scoring countries were the Netherlands (5.51), Denmark (5.33), Norway (5.31), and Finland (5.19).

China (28%), Hong Kong (26%), and France (16%) had the highest percentage of domains with zero protection. Seven countries, including the United Arab Emirates and Poland, had no domains without protection, and Switzerland had just under 2 percent.

*We looked at healthcare providers (those providing direct care to patients) and healthcare businesses (e.g. pharmaceutical or medical device manufacturers) separately.

**Countries without large datasets, i.e. those with fewer than 10 scanned domains, haven’t been included in the country-by-country analysis.

All of the companies mentioned in the article have been contacted for comment (except those with full 8/8 scores). Any responses received will be added to the end of the article.

Key findings:

  • 487 of the total domains scanned (5,849) had zero protection (8.3%)
  • Just 33 of the total domains had full protection (0.6%)
  • Average score across all domains – 4.2
  • Government domains had the lowest average score – 2.73
  • Tech company domains had the highest average score – 4.83
  • Government domains had the highest percentage of domains with zero protection – 27%
  • Tech company domains had the lowest percentage of domains with zero protection – 2%
  • China had the lowest average score – 2.3
  • The Netherlands had the highest average score – 5.51
  • China had the highest percentage of domains with zero protection – 28%
  • 90 percent of all domains had SPF protocols in place
  • 81 percent of all domains had DMARC protocols in place
  • 55 percent of all domains had DKIM protocols in place
  • Just over 3 percent of all domains had MTA-STS protocols in place

Scoring

For scores used in the context of this article, each domain was given a score out of 8, with 8 being fully protected and 0 indicating no protection:

  • SPF presence – checks whether incoming emails are from authorized domains (1 point)
  • SPF hard fail (“-all”) – explicitly rejects/discards any emails that don’t come from the authorized list of domains (1 point)
  • SPF soft fail (“~all”) – sends an email to spam rather than rejecting it completely (0.5 points)
  • DMARC presence – a DMARC record has been created within the domain’s DNS settings, enabling email receivers to check the authenticity of the received emails (1 point)
  • DMARC enforcement – the policy contains p=quarantine (0.5 points) or p=reject (1 point) for messages that don’t pass authentication checks. Any with p=none do not get an additional point, as these will go straight through.
  • DMARC reporting destination – feedback reporting has been enabled and the recipient of these reports has been specified (1 point)
  • DKIM presence – uses a digital signature to notify the recipient that the message is coming from an address that’s been authorized by the domain (1 point)
  • MTA-STS publication – tells email senders that an organization’s domain is using encrypted Transport Layer Security (TLS) connections (1 point)
  • MTA-STS enforce mode – if a secure connection cannot be established, the email will be rejected and it will not be delivered in its unencrypted state (1 point). Those in “testing” mode score 0.5 points; those highlighted as “broken” or “none” score 0.

Government: the sector with the worst email security

Average score: 2.73.

Rank: 13/13

121 out of the 452 domains we scanned had zero protections in place (27%)–the highest of all sectors.

SPF:      Has 71.7%   Hard fail 40.9%   Soft fail 25.4%
DMARC:    Has 53.3%   Rejects 13.9%     Quarantines 12.4%   Reporting 44.2%
DKIM:     Has 26.5%
MTA-STS:  Has 1.8%    Enforcing 1.1%    Testing 0.4%

No government domains scored full marks, but three did score 7.5 – Australia’s national science agency (CSIRO), the Mila – Quebec Artificial Intelligence Institute in Canada, and The Alan Turing Institute in the UK (also dedicated to data science and artificial intelligence).

Each dropped half a point for a different reason: CSIRO has its MTA-STS in the testing phase, Mila has soft-fail SPF, and Turing quarantines emails that don’t pass DMARC checks, rather than rejecting them.

Government domain scores by country

Where more than 10 domains were scanned within the country, the UK (4.6) and the US (3.9) were the top scorers. The UK also had the lowest percentage of domains with zero protection (6%), whereas 17 percent of domains were unprotected in the US.

China (0.9) and France (1.4) had the lowest average scores. Both of these countries also had the highest share of fully unprotected domains, with 65 and 47 percent, respectively.

Key country highlights:

Country                 Average score   # of entities   Zero protection (%)
United Kingdom          4.6             16              6
United States           3.9             46              17
Spain                   3.5             53              11
South Korea             2.9             11              18
Germany                 2.9             79              8
Italy                   2.4             15              13
France                  1.4             51              47
China                   0.9             94              65

Technology: the sector with the best email security

Average score: 4.83.

Rank: 1/13

10 out of the 498 domains we scanned had zero protections in place (2%)–the lowest of all sectors.

SPF:      Has 97.6%   Hard fail 51.6%   Soft fail 40.8%
DMARC:    Has 91.6%   Rejects 46.6%     Quarantines 30.5%   Reporting 84.3%
DKIM:     Has 68.9%
MTA-STS:  Has 4.4%    Enforcing 1.8%    Testing 2.0%

Two tech companies’ domains scored full marks – microsoft.com and f5.com. A further 10 scored 7.5 – six of these were in the US and the others in Spain, Switzerland, Sweden, and the Netherlands.

Of the 10 without any protections, four were in China, and the others were in Hong Kong, Germany, Taiwan, South Korea, the Netherlands, and India.

Technology domain scores by country

The countries with the highest average scores were Israel (5.5) and the US (5.3). Both countries had no domains without any protections, as did Japan and Canada.

China and South Korea had the lowest average scores with 3.3 each.

Key country highlights:

Country                 Average score   # of entities   Zero protection (%)
Israel                  5.5             11              0
United States           5.3             256             0
Canada                  4.9             11              0
Japan                   4.6             35              0
Germany                 4.4             11              9
Taiwan                  4.3             28              4
China                   3.3             52              8
South Korea             3.3             10              10

Healthcare providers: well below average


Average score: 3.43.

Rank: 12/13

85 out of the 438 domains we scanned had zero protections in place (19%)–the second highest of all sectors.

SPF:      Has 77.4%   Hard fail 40.4%   Soft fail 32.9%
DMARC:    Has 65.5%   Rejects 30.8%     Quarantines 12.8%   Reporting 60.0%
DKIM:     Has 41.6%
MTA-STS:  Has 2.5%    Enforcing 1.1%    Testing 1.1%

Four domains scored full points. Three of these were part of the UK’s NHS (NHS Blood and Transplant, Manchester University NHS Foundation Trust, and University Hospitals Birmingham NHS Foundation Trust), and one was the Dutch cancer specialist, Prinses Máxima Centrum.

A further three domains (one each in the US, UK, and Netherlands) scored 7.5, each dropping 0.5 for MTA-STS being in the testing phase.

Healthcare providers’ domain scores by country

The Netherlands had the highest average score (6), while China (2.1) and Spain (2.6) had the lowest. The UK also had a low average score (2.9).

China also had the highest percentage of domains without any protections (45%), followed by the UK (37%).

Key country highlights:

Country                 Average score   # of entities   Zero protection (%)
Netherlands             6.0             11              0
France                  4.2             13              0
United States           3.9             174             12
Italy                   3.3             13              15
Germany                 3.2             26              8
Australia               3.1             21              24
Canada                  3.0             18              28
United Kingdom          2.9             43              37
Spain                   2.6             31              29
China                   2.1             20              45

Among the domains with zero protections were a US healthcare company operating across over 500 locations and an NHS Trust in the UK.

Healthcare businesses: marginally better than their counterparts


Average score: 4.1

Rank: 10/13

50 out of the 462 domains we scanned had zero protections in place (11%).

Healthcare businesses scored slightly better than healthcare providers across all categories, but still had the fourth-lowest average score and the third-worst zero-protection rate.

SPF:      Has 88.1%   Hard fail 46.3%   Soft fail 38.1%
DMARC:    Has 78.1%   Rejects 35.5%     Quarantines 19.0%   Reporting 71.0%
DKIM:     Has 58.4%
MTA-STS:  Has 2.6%    Enforcing 1.1%    Testing 1.1%

Just one domain scored full points – Revolution Medicines in the US. Five scored 7.5: Amgen in the US, bioMérieux in France, Fagron in Belgium, Fresenius (FSE) in Germany, and Verona Pharma* in the UK. All of them dropped 0.5 points for having MTA-STS in testing, aside from bioMérieux, which had MTA-STS in enforcement mode but DMARC in quarantine mode.

*Verona Pharma is now part of U.S. Merck.

Healthcare businesses’ domain scores by country

The UK had the highest average score (4.9), but was closely followed by Switzerland (4.8) and the US (4.7). China (2.1) had the lowest average score and the highest percentage of domains without any protections (36%).

Key country highlights:

Country                 Average score   # of entities   Zero protection (%)
United Kingdom          4.9             12              0
Switzerland             4.8             13              0
United States           4.7             206             3
Ireland                 4.5             10              10
Japan                   3.3             30              13
China                   2.1             95              36

Among those scoring zero were a biopharmaceutical company with a $500M+ turnover in the US and an Irish pharmaceutical manufacturer.

Universities: the p=none paradox


Average score: 4.25

Rank: 8/13

21 out of the 498 domains we scanned had zero protections in place (4%).

Despite universities having the fifth-lowest percentage of domains with zero protection and the most domains with MTA-STS protocols, they had the highest number of domains with DMARC p=none. In short, despite nearly 86 percent of the universities we audited having a DMARC record in place, a meaningful share (42%) have stalled in monitoring mode and never flipped to enforcement.

SPF:      Has 94.8%   Hard fail 38.8%   Soft fail 44.6%
DMARC:    Has 85.5%   Rejects 20.3%     Quarantines 23.3%   Reporting 77.7%
DKIM:     Has 62.9%
MTA-STS:  Has 6.2%    Enforcing 3.4%    Testing 2.6%

Five universities scored full marks: Wageningen University & Research in the Netherlands, the Australian National University, the University of Auckland in New Zealand, and the University of Southampton and the University of Bath in the UK.

Universities’ domain scores by country

The Netherlands had the highest average score (6), followed by Australia (5.4) and the UK (5.2). China (3.1), Germany (3.3), and South Korea (3.4) had the lowest scores.

Japan (10%) and China (8%) had the highest rate of unprotected domains.

Key country highlights:

Country                 Average score   # of entities   Zero protection (%)
Netherlands             6.0             12              0
Australia               5.4             18              0
United Kingdom          5.2             32              3
Spain                   4.9             15              0
United States           4.8             117             5
Italy                   4.5             17              6
Canada                  4.2             17              0
France                  3.6             14              0
Japan                   3.5             10              10
South Korea             3.4             14              0
Germany                 3.3             27              4
China                   3.1             106             8

Among the domains that scored zero were a Japanese university and a medical university in Germany.

Law firms: mid-table with some judgement required


Average score: 4.51

Rank: 5/13

19 out of the 495 domains we scanned belonging to legal firms had zero protections in place (4%)–the fourth lowest of all sectors.

SPF:      Has 95.6%   Hard fail 48.5%   Soft fail 40.4%
DMARC:    Has 88.9%   Rejects 40.4%     Quarantines 30.5%   Reporting 79.0%
DKIM:     Has 55.4%
MTA-STS:  Has 4.2%    Enforcing 2.8%    Testing 1.4%

Three domains scored full points – Schjødt in Norway, MinterEllisonRuddWatts in New Zealand, and Linklaters in the US. A further seven scored 7.5 – six of these were in the UK and one in the US. All of the UK domains had soft-fail SPF, while the US domain had MTA-STS in testing mode.

Law firm domain scores by country

The UK had the highest average score (5.5) and China had the lowest (2.1). China also had the highest number without any protections (38%).

Key country highlights:

Country                 Average score   # of entities   Zero protection (%)
United Kingdom          5.5             42              0
Brazil                  5.2             10              0
India                   5.0             12              0
Germany                 4.9             11              0
Australia               4.8             14              0
France                  4.7             10              0
United States           4.5             189             4
Canada                  4.4             18              0
Italy                   4.4             10              0
China                   2.1             24              38

19 domains had no protections.

Insurance companies & financial institutions: joint second place

Average Score: 4.57 (both sectors)

Rank: 2/13

17 out of the 490 domains we scanned for insurance firms and 16 out of the 496 domains we scanned for finance companies had zero protections in place (3% each).

Please note: some of the finance companies may also offer insurance packages, but these are included alongside financing/banking options.

Insurance:

SPF:      Has 94.3%   Hard fail 55.9%   Soft fail 35.5%
DMARC:    Has 89.4%   Rejects 39.0%     Quarantines 26.5%   Reporting 79.4%
DKIM:     Has 60.4%
MTA-STS:  Has 4.5%    Enforcing 2.4%    Testing 1.8%

Four insurance companies had perfect scores: Beneva of Canada, and WCF Insurance, Pinnacol Assurance, and FFVA Mutual of the US.

Finance:

SPF:      Has 94.8%   Hard fail 69.8%   Soft fail 22.8%
DMARC:    Has 86.1%   Rejects 55.8%     Quarantines 17.1%   Reporting 82.5%
DKIM:     Has 44.8%
MTA-STS:  Has 1.8%    Enforcing 1.2%    Testing 0.6%

Five finance companies also had perfect scores but, in this case, none of these were in the US. Rather, these were Nykredit in Denmark, Bank Muscat in Oman, Berner Kantonalbank in Switzerland, Commerzbank in Germany, and Belfius in Belgium.

Insurance company domain scores by country

Canada had the highest overall score (5.5), while Japan had the lowest (3.2).

Key country highlights:

Country                 Average score   # of entities   Zero protection (%)
Canada                  5.5             17              0
Denmark                 5.2             13              0
Netherlands             5.1             16              6
Australia               4.8             23              0
United Kingdom          4.8             18              0
United States           4.7             204             3
Spain                   4.2             13              0
France                  4.2             39              13
Germany                 4.1             36              3
Austria                 3.3             10              20
Japan                   3.2             22              0

Most of the domains with zero protections were in the US (6) and France (5).

Finance company domain scores by country

Brazil had the highest overall score (5.7), while China had the lowest (2.2).

Key country highlights:

Country                 Average score   # of entities   Zero protection (%)
Brazil                  5.7             10              0
United Arab Emirates    5.5             11              0
Philippines             5.4             11              0
United Kingdom          5.2             18              0
United States           5.1             69              0
Italy                   5.0             15              0
Saudi Arabia            4.7             10              0
India                   4.6             19              5
Germany                 4.6             12              0
Switzerland             4.3             14              0
Japan                   4.1             27              7
Vietnam                 4.0             13              0
Taiwan                  3.3             17              6
China                   2.2             53              13

Most of the domains without any protections were in China (7).

Non-profit organizations: budgets may be allocated elsewhere


Average score: 3.86

Rank: 11/13

21 out of the 212 domains we scanned had zero protections in place (10%).

SPF:      Has 89.6%   Hard fail 50.0%   Soft fail 36.3%
DMARC:    Has 74.1%   Rejects 18.4%     Quarantines 22.2%   Reporting 61.3%
DKIM:     Has 56.6%
MTA-STS:  Has 3.8%    Enforcing 1.4%    Testing 2.4%

None of the non-profit domains we analyzed scored 8 out of 8 but two scored 7.5. These were the Center for International Climate Research (CICERO) in Norway and the LSU AgCenter in the US. CICERO has DMARC in quarantine mode, while LSU AgCenter has MTA-STS in testing mode.

Non-profit organizations’ domain scores by country

The US had the highest average score with 4.6, while China had the lowest with 1.6.

Key country highlights:

Country                 Average score   # of entities   Zero protection (%)
United States           4.6             45              7
Spain                   3.8             16              6
Portugal                3.8             12              17
Germany                 2.8             13              0
China                   1.6             19              32

Among those domains with zero protections was a non-profit research company headquartered in Portugal.

Manufacturers: need to make progress


Average score: 4.19

Rank: 9/13

39 out of the 460 domains we scanned had zero protections in place (8%).

SPF:      Has 90.0%   Hard fail 52.8%   Soft fail 35.4%
DMARC:    Has 79.1%   Rejects 33.3%     Quarantines 25.0%   Reporting 73.9%
DKIM:     Has 54.6%
MTA-STS:  Has 3.0%    Enforcing 1.5%    Testing 1.1%

Three manufacturers’ domains scored full points. These were Wärtsilä and Valmet in Finland and the LISI Group in France.

Manufacturers’ domain scores by country

Switzerland comes out on top with an average score of 5.6 and is closely followed by Sweden with 5.4. South Korea features at the bottom with an average score of 2.1, while China has the highest percentage of domains with zero protection (20%).

Key country highlights:

Country                 Average score   # of entities   Zero protection (%)
Switzerland             5.6             17              0
Sweden                  5.4             10              0
Canada                  5.2             11              0
Italy                   5.1             12              0
France                  4.9             13              8
United States           4.8             102             4
Germany                 4.4             24              8
India                   4.0             37              8
Japan                   3.4             103             12
China                   3.0             54              20
South Korea             2.1             11              18

Included within the domains with zero protection were a global manufacturer with a head office in Japan and an India-based manufacturer with a global turnover of over $27 billion USD.

Airlines: fly in mid-table


Average score: 4.29

Rank: 6/13

18 out of the 369 domains belonging to airlines that we scanned had zero protections in place (5%).

SPF:      Has 93.5%   Hard fail 54.5%   Soft fail 37.4%
DMARC:    Has 81.8%   Rejects 27.1%     Quarantines 26.3%   Reporting 71.0%
DKIM:     Has 66.7%
MTA-STS:  Has 1.9%    Enforcing 0.3%    Testing 1.1%

Just one airline secured the full 8 points – HK Express in Hong Kong. One more (JetSMART in Chile) scored 7.5, dropping half a point for its MTA-STS being in testing mode.

Airlines’ domain scores by country

Spain had the highest average score with 5.2 and China the lowest with 2.4. 21 percent of the domains in China also had zero protections.

Key country highlights:

Country                 Average score   # of entities   Zero protection (%)
Spain                   5.2             10              0
United States           5.1             34              0
Canada                  4.9             16              0
Russia                  4.2             11              9
South Korea             3.6             10              0
China                   2.4             24              21

Energy sector: just needs a little boost


Average score: 4.52

Rank: 4/13

30 out of the 486 domains belonging to energy companies that we scanned had zero protections in place (6%).

SPF:      Has 92.4%   Hard fail 60.5%   Soft fail 29.0%
DMARC:    Has 85.6%   Rejects 41.8%     Quarantines 25.7%   Reporting 76.5%
DKIM:     Has 62.6%
MTA-STS:  Has 3.1%    Enforcing 1.2%    Testing 1.4%

Equinor in Norway and OQ Gas Networks (OQGN) in Oman were the only two domains to score 8 points. Four further companies scored 7.5, including two in Canada, one in Finland, and one in the UK.

Energy companies’ domain scores by country

Norway’s energy company domains scored an average of 5.9, closely followed by the UK and Italy with 5.5. China scored 1.8 and had the highest share of domains with zero protections (27%), followed by India (17%).

Key country highlights:

Country                 Average score   # of entities   Zero protection (%)
Norway                  5.9             10              0
United Kingdom          5.5             15              0
Italy                   5.5             12              0
Brazil                  5.3             10              0
Germany                 5.0             12              0
Australia               5.0             14              0
Spain                   5.0             11              0
Canada                  4.7             51              4
United States           4.7             161             6
India                   3.9             29              17
Thailand                3.9             12              0
China                   1.8             11              27

Retail: needs to shop for better email protections


Average score: 4.26

Rank: 7/13

40 out of the 493 domains belonging to retailers that we scanned had zero protections in place (8%).

SPF:      Has 90.3%   Hard fail 49.3%   Soft fail 38.7%
DMARC:    Has 82.4%   Rejects 39.8%     Quarantines 17.2%   Reporting 75.9%
DKIM:     Has 55.8%
MTA-STS:  Has 3.0%    Enforcing 1.2%    Testing 1.2%

Three retailers scored full points – Fielmann in Germany, ThredUp in the US, and National Vision, also in the US.

Retailers’ domain scores by country

France (5.2) and Germany (5.1) had the highest average scores among retailers, while Japan and China had the lowest with 2.6 each. Japan also had the highest percentage of domains with zero protection.

Key country highlights:

Country                 Average score   # of entities   Zero protection (%)
France                  5.2             21              0
Germany                 5.1             25              4
Australia               4.9             20              5
Sweden                  4.8             10              0
United States           4.8             142             2
Canada                  4.5             13              8
Saudi Arabia            4.0             10              20
United Kingdom          3.8             40              18
India                   3.8             13              8
China                   2.6             16              6
Japan                   2.6             42              26

Domains with zero protections included a Japanese online shoe shop and a UK high-street retailer.

Country-by-country scores

Final thoughts

Our report highlights how each and every industry and country has room for improvement when it comes to email security. This is even the case within sectors and/or countries where email security is regulated to some degree.

For example, Europe’s GDPR doesn’t explicitly state that these protocols should be in place, but it does state that organizations must implement strict standards to help safeguard data. This perhaps explains why the likes of the Netherlands, Denmark, and Norway appear at the top of our rankings. But this doesn’t extend across all EU-regulated countries, with France, Germany, and Spain scoring far lower.

Equally, certain sectors within specific countries face heavier regulation. For example, in the US, the Department of Homeland Security (DHS) mandates that DMARC should be in use on all government agency email domains. And, in the UK, the Government Digital Service (GDS) requires DMARC across governmental domains, and with p=reject (hard fail).

If we look at our findings, 12 government entities in the US and three UK government agencies don’t employ DMARC (some of these are mentioned above).

As spam email campaigns continue to evolve and trade on the names of the likes of Google and the New York Times to induce a sense of trust, meeting basic email security standards has never been more crucial. Increased regulation may help spur organizations into action, but companies shouldn’t be waiting around to be told to safeguard their domains, particularly with what many would call standard protocols.

Methodology, limitations & sources

Domain selection

The list of companies (and their corresponding domains) was derived from industry lists of key/top companies within each sector. For example, the ICMIF’s list of the world’s largest mutual and cooperative insurers was used for the insurance sector.

Any domains that weren’t available, e.g. those presenting a 404 error, were removed.

A full list of sources is detailed below.

DNS audit

We then resolved live DNS records for each domain. We queried TXT records at the apex for any SPF record, the qualifier on the trailing -all/~all/?all/+all mechanism, and the policy on any DMARC record at _dmarc.<domain>. We additionally tested for an MTA-STS policy file and DKIM records.

Scoring

Each domain was scored on an 8-point scale (SPF presence, SPF strict-fail qualifier, DMARC presence, DMARC enforcement, DMARC reporting destination, DKIM presence, MTA-STS publication, MTA-STS enforce mode).
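To make the 8-point scale concrete, here is an added example (not the report’s own tooling) that applies the Scoring rules listed earlier in the article to the DNS answers the audit above collects. It takes already-resolved records as input so it runs offline; the record contents, the example.invalid names, and the treatment of a “broken” MTA-STS policy (published but without a usable mode line) as earning only the publication point are assumptions made for the example.

```python
import re

def spf_points(apex_txt):
    """SPF presence (1) plus hard fail -all (1) or soft fail ~all (0.5)."""
    spf = next((r for r in apex_txt if r.lower().startswith("v=spf1")), None)
    if spf is None:
        return 0.0
    # The qualifier on the trailing "all" mechanism sets the policy; a bare
    # "all" means "+all" (accept everything), so it earns no extra point.
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf, re.IGNORECASE)
    qualifier = m.group(1) if m else "+"
    return 1.0 + {"-": 1.0, "~": 0.5}.get(qualifier, 0.0)

def tag_list(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC, DKIM and MTA-STS TXT records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_points(dmarc_txt):
    """DMARC presence (1), p=reject (1) / p=quarantine (0.5) / p=none (0), rua set (1)."""
    rec = next((r for r in dmarc_txt if r.lower().startswith("v=dmarc1")), None)
    if rec is None:
        return 0.0
    tags = tag_list(rec)
    policy = tags.get("p", "none").lower()
    reporting = 1.0 if tags.get("rua") else 0.0
    return 1.0 + {"reject": 1.0, "quarantine": 0.5}.get(policy, 0.0) + reporting

def dkim_points(selector_txt):
    """DKIM presence (1): any <selector>._domainkey answer carrying a public key (p=) tag."""
    return 1.0 if any("p" in tag_list(r) for r in selector_txt) else 0.0

def mta_sts_points(sts_txt, policy_text):
    """MTA-STS publication (1) plus mode: enforce (1), testing (0.5), none (0).
    Assumption: a missing or mode-less policy file ("broken") keeps only the publication point."""
    if not any(r.lower().startswith("v=stsv1") for r in sts_txt):
        return 0.0
    mode = "broken"
    for line in (policy_text or "").splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "mode":
            mode = value.strip().lower()
    return 1.0 + {"enforce": 1.0, "testing": 0.5}.get(mode, 0.0)

def score_domain(dns):
    """dns holds the already-resolved answers for one domain (see the constructed samples)."""
    return (spf_points(dns.get("apex_txt", []))
            + dmarc_points(dns.get("dmarc_txt", []))
            + dkim_points(dns.get("dkim_txt", []))
            + mta_sts_points(dns.get("sts_txt", []), dns.get("sts_policy")))

# Constructed sample answers for two hypothetical domains (not real lookups).
FULL_MARKS = {
    "apex_txt": ["v=spf1 include:_spf.example.invalid -all"],
    "dmarc_txt": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid"],
    "dkim_txt": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructed"],
    "sts_txt": ["v=STSv1; id=20240101T000000"],
    "sts_policy": "version: STSv1\nmode: enforce\nmx: mail.example.invalid\nmax_age: 604800\n",
}
MONITOR_ONLY = {  # the "p=none paradox": DMARC present but never enforced, soft-fail SPF
    "apex_txt": ["v=spf1 include:_spf.example.invalid ~all"],
    "dmarc_txt": ["v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"],
    "dkim_txt": [], "sts_txt": [], "sts_policy": None,
}
```

score_domain(FULL_MARKS) returns 8.0 and score_domain(MONITOR_ONLY) returns 3.5; switching the sample policy’s mode line to testing drops the full-marks domain to 7.5, the pattern behind most of the 7.5 scores in the article.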

Limitations

This audit checks the public, observable email-authentication posture of each domain at its apex. It does not assess subdomain posture (many large organizations enforce DMARC on a customer-facing subdomain while running monitor mode on the apex), internal mail-server configuration, anti-phishing tooling deployed by the organization’s mail provider, customer-side filtering, or human-targeted brand-protection programs.

Sources

https://www.icmif.org/wp-content/uploads/2024/05/ICMIF-Global-500-2024.pdf

https://companiesmarketcap.com

https://brandirectory.com/reports/banking

https://www.deloitte.com/content/dam/assets-shared/docs/industries/consumer/2025/deloitte-global-powers-of-retailing-2025.pdf

https://disfold.com/sector/healthcare/companies/

https://www.scimagoir.com/rankings.php

Data researcher: Mantas Sasnauskas