Every day, cybercriminals send around 3.4 billion phishing emails. 90 percent of successful cyber attacks originate from one of these emails.
We analyzed the live DNS records for 5,849 domains across 13 sectors, scoring each domain on eight points based on its Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Mail Transfer Agent Strict Transport Security (MTA-STS).
96 percent of IT security and decision makers expect to see email security challenges throughout 2026, so you’d be forgiven for thinking that most organizations would be meeting the basics. However, we found that more than eight percent of organizations’ domains are fully unprotected, meaning they have no SPF, DMARC, DKIM, or MTA-STS measures in place. A mere 0.6 percent scored full marks, having all of the protections in place at the highest level.
Which industries have the worst email security?
Government agencies and healthcare providers*.
Government agencies had the lowest average score by far (2.73) and the highest share of unprotected domains, at nearly 27 percent. Healthcare providers had the second-lowest average score (3.43) and the second-highest rate of unprotected domains (more than 19 percent).
In contrast, technology companies had the highest average score (4.83) and the lowest rate of domains with zero protection (2%).
What about the worst countries**?
Asian countries/territories had the lowest average scores, with China (2.3), South Korea (2.84), Hong Kong (3.07), and Japan (3.53) ranking among the lowest. The European countries of France (3.77), Germany (3.8), and Spain (3.98) also scored poorly.
Among the highest-scoring countries were the Netherlands (5.51), Denmark (5.33), Norway (5.31), and Finland (5.19).
China (28%), Hong Kong (26%), and France (16%) had the highest percentage of domains with zero protection. Seven countries, including the United Arab Emirates and Poland, had no domains with zero protection, and Switzerland had just under 2 percent.
*We looked at healthcare providers (those providing direct care to patients) and healthcare businesses (e.g. pharmaceutical or medical device manufacturers) separately.
**Countries with fewer than 10 scanned domains haven’t been included in the country-by-country analysis.
All of the companies mentioned in the article have been contacted for comment (except those with full 8/8 scores). Any responses received will be added to the end of the article.
Key findings:
- 487 of the total domains scanned (5,849) had zero protection (8.3%)
- Just 33 of the total domains had full protection (0.6%)
- Average score across all domains – 4.2
- Government domains had the lowest average score – 2.73
- Tech company domains had the highest average score – 4.83
- Government domains had the highest percentage of domains with zero protection – 27%
- Tech company domains had the lowest percentage of domains with zero protection – 2%
- China had the lowest average score – 2.3
- The Netherlands had the highest average score – 5.51
- China had the highest percentage of domains with zero protection – 28%
- 90 percent of all domains had an SPF record
- 81 percent of all domains had a DMARC record
- 55 percent of all domains had a DKIM record
- Just over 3 percent of all domains had an MTA-STS policy
Scoring
For the scores used in this article, each domain was given a score out of 8, with 8 being fully protected and 0 indicating no protection:
- SPF presence – the domain publishes an SPF record listing the hosts authorized to send mail on its behalf, so receivers can check the connecting server against it (1 point)
- SPF hard fail (“-all”) – the record tells receivers that mail from any host not on the list should fail authentication, and typically be rejected (1 point)
- SPF soft fail (“~all”) – the record asks receivers to accept such mail but treat it as suspicious, which usually means the spam folder (0.5 points)
- DMARC presence – a DMARC record exists at _dmarc.<domain> in DNS, telling receivers how to treat mail that fails SPF/DKIM alignment (1 point)
- DMARC enforcement – the record carries p=quarantine (0.5 points) or p=reject (1 point) for messages that fail authentication checks. p=none earns nothing: it only monitors, and failing mail is still delivered
- DMARC reporting destination – the record names an address (rua=) to receive aggregate reports, so the domain owner can see who is sending as them (1 point)
- DKIM presence – the domain publishes a DKIM public key in DNS, so receivers can verify the cryptographic signature the sending server adds to each message and confirm it was not altered in transit (1 point)
- MTA-STS publication – the domain publishes an MTA-STS policy, telling sending servers that its mail exchangers support TLS and which MX hosts are valid (1 point)
- MTA-STS enforce mode – if a TLS connection to a listed MX cannot be established, the sender must not deliver the message in the clear (1 point). Domains in “testing” mode score 0.5 points; those with mode “none” or a broken policy score 0
Government: the sector with the worst email security
Average score: 2.73.
Rank: 13/13
121 out of the 452 domains we scanned had zero protections in place (27%), the highest of all sectors.
| SPF | % | DMARC | % | DKIM | % | MTA-STS | % |
|---|---|---|---|---|---|---|---|
| Has | 71.7 | Has | 53.3 | Has | 26.5 | Has | 1.8 |
| Hard fail | 40.9 | Rejects | 13.9 | | | Enforcing | 1.1 |
| Soft fail | 25.4 | Quarantines | 12.4 | | | Testing | 0.4 |
| | | Reporting | 44.2 | | | | |
No government domains scored full marks, but three did score 7.5 – Australia’s national science agency (CSIRO), the Mila – Quebec Artificial Intelligence Institute in Canada, and The Alan Turing Institute in the UK (also dedicated to data science and artificial intelligence).
Each dropped half a point for a different reason: CSIRO has its MTA-STS in the testing phase, Mila has soft-fail SPF, and Turing quarantines emails that don’t pass DMARC checks, rather than rejecting them.
Government domain scores by country
Among countries with at least 10 scanned domains, the UK (4.6) and the US (3.9) were the top scorers. The UK also had the lowest percentage of domains with zero protection (6%), while 17 percent of US government domains were unprotected.
China (0.9) and France (1.4) had the lowest average scores, and the highest shares of fully unprotected domains, at 65 and 47 percent respectively.
Key country highlights:
| Country | Average score | # of entities | Zero protection (%) |
|---|---|---|---|
| United Kingdom | 4.6 | 16 | 6 |
| United States | 3.9 | 46 | 17 |
| Spain | 3.5 | 53 | 11 |
| South Korea | 2.9 | 11 | 18 |
| Germany | 2.9 | 79 | 8 |
| Italy | 2.4 | 15 | 13 |
| France | 1.4 | 51 | 47 |
| China | 0.9 | 94 | 65 |
Technology: the sector with the best email security
Average score: 4.83.
Rank: 1/13
10 out of the 498 domains we scanned had zero protections in place (2%), the lowest of all sectors.
| SPF | % | DMARC | % | DKIM | % | MTA-STS | % |
|---|---|---|---|---|---|---|---|
| Has | 97.6 | Has | 91.6 | Has | 68.9 | Has | 4.4 |
| Hard fail | 51.6 | Rejects | 46.6 | | | Enforcing | 1.8 |
| Soft fail | 40.8 | Quarantines | 30.5 | | | Testing | 2.0 |
| | | Reporting | 84.3 | | | | |
Two tech companies’ domains scored full marks – microsoft.com and f5.com. A further 10 scored 7.5 – six of these were in the US and the others in Spain, Switzerland, Sweden, and the Netherlands.
Of the 10 without any protections, four were in China, and the others were in Hong Kong, Germany, Taiwan, South Korea, the Netherlands, and India.
Technology domain scores by country
Israel (5.5) and the US (5.3) had the highest average scores, and neither had any domains without protections; nor did Japan or Canada.
China and South Korea had the lowest average scores with 3.3 each.
Key country highlights:
| Country | Average score | # of entities | Zero protection (%) |
|---|---|---|---|
| Israel | 5.5 | 11 | 0 |
| United States | 5.3 | 256 | 0 |
| Canada | 4.9 | 11 | 0 |
| Japan | 4.6 | 35 | 0 |
| Germany | 4.4 | 11 | 9 |
| Taiwan | 4.3 | 28 | 4 |
| China | 3.3 | 52 | 8 |
| South Korea | 3.3 | 10 | 10 |
Healthcare providers: well below average
Average score: 3.43.
Rank: 12/13
85 out of the 438 domains we scanned had zero protections in place (19%), the second highest of all sectors.
| SPF | % | DMARC | % | DKIM | % | MTA-STS | % |
|---|---|---|---|---|---|---|---|
| Has | 77.4 | Has | 65.5 | Has | 41.6 | Has | 2.5 |
| Hard fail | 40.4 | Rejects | 30.8 | | | Enforcing | 1.1 |
| Soft fail | 32.9 | Quarantines | 12.8 | | | Testing | 1.1 |
| | | Reporting | 60.0 | | | | |
Four domains scored full points. Three of these were part of the UK’s NHS (NHS Blood and Transplant, Manchester University NHS Foundation Trust, and University Hospitals Birmingham NHS Foundation Trust), and one was the Dutch cancer specialist, Prinses Máxima Centrum.
A further three domains (one each in the US, UK, and Netherlands) scored 7.5, each dropping 0.5 for MTA-STS being in the testing phase.
Healthcare providers’ domain scores by country
The Netherlands had the highest average score (6), while China (2.1) and Spain (2.6) had the lowest. The UK also had a low average score (2.9).
China also had the highest percentage of domains without any protections (45%), followed by the UK (37%).
Key country highlights:
| Country | Average score | # of entities | Zero protection (%) |
|---|---|---|---|
| Netherlands | 6.0 | 11 | 0 |
| France | 4.2 | 13 | 0 |
| United States | 3.9 | 174 | 12 |
| Italy | 3.3 | 13 | 15 |
| Germany | 3.2 | 26 | 8 |
| Australia | 3.1 | 21 | 24 |
| Canada | 3.0 | 18 | 28 |
| United Kingdom | 2.9 | 43 | 37 |
| Spain | 2.6 | 31 | 29 |
| China | 2.1 | 20 | 45 |
Among the domains with zero protections were a US healthcare company operating across over 500 locations and an NHS Trust in the UK.
Healthcare businesses: marginally better than their counterparts
Average score: 4.1
Rank: 10/13
50 out of the 462 domains we scanned had zero protections in place (11%).
Healthcare businesses scored slightly better than healthcare providers across all categories, but still had the fourth-lowest average score and the third-worst zero-protection rate.
| SPF | % | DMARC | % | DKIM | % | MTA-STS | % |
|---|---|---|---|---|---|---|---|
| Has | 88.1 | Has | 78.1 | Has | 58.4 | Has | 2.6 |
| Hard fail | 46.3 | Rejects | 35.5 | | | Enforcing | 1.1 |
| Soft fail | 38.1 | Quarantines | 19.0 | | | Testing | 1.1 |
| | | Reporting | 71.0 | | | | |
Just one domain scored full points – Revolution Medicines in the US. Five scored 7.5: Amgen in the US, bioMérieux in France, Fagron in Belgium, Fresenius (FSE) in Germany, and Verona Pharma* in the UK. All of them dropped 0.5 points for having MTA-STS in testing, aside from bioMérieux, which had MTA-STS in enforcement mode but DMARC in quarantine mode.
*Verona Pharma is now part of U.S. Merck.
Healthcare businesses’ domain scores by country
The UK had the highest average score (4.9), but was closely followed by Switzerland (4.8) and the US (4.7). China (2.1) had the lowest average score and the highest percentage of domains without any protections (36%).
Key country highlights:
| Country | Average score | # of entities | Zero protection (%) |
|---|---|---|---|
| United Kingdom | 4.9 | 12 | 0 |
| Switzerland | 4.8 | 13 | 0 |
| United States | 4.7 | 206 | 3 |
| Ireland | 4.5 | 10 | 10 |
| Japan | 3.3 | 30 | 13 |
| China | 2.1 | 95 | 36 |
Among those scoring zero were a biopharmaceutical company with a $500M+ turnover in the US and an Irish pharmaceutical manufacturer.
Universities: the p=none paradox
Average score: 4.25
Rank: 8/13
21 out of the 498 domains we scanned had zero protections in place (4%).
Universities had the fifth-lowest share of domains with zero protection and the highest MTA-STS adoption of any sector, yet also the largest share of domains with DMARC at p=none. Nearly 86 percent of the universities we audited publish a DMARC record, but 42 percent of all university domains (roughly half of those with a record) have stalled in monitoring mode and never moved to enforcement, so mail that fails authentication is still delivered.
| SPF | % | DMARC | % | DKIM | % | MTA-STS | % |
|---|---|---|---|---|---|---|---|
| Has | 94.8 | Has | 85.5 | Has | 62.9 | Has | 6.2 |
| Hard fail | 38.8 | Rejects | 20.3 | | | Enforcing | 3.4 |
| Soft fail | 44.6 | Quarantines | 23.3 | | | Testing | 2.6 |
| | | Reporting | 77.7 | | | | |
Five universities scored full marks: Wageningen University & Research in the Netherlands, the Australian National University, the University of Auckland in New Zealand, and the University of Southampton and the University of Bath in the UK.
Universities’ domain scores by country
The Netherlands had the highest average score (6), followed by Australia (5.4) and the UK (5.2). China (3.1), Germany (3.3), and South Korea (3.4) had the lowest scores.
Japan (10%) and China (8%) had the highest rate of unprotected domains.
Key country highlights:
| Country | Average score | # of entities | Zero protection (%) |
|---|---|---|---|
| Netherlands | 6.0 | 12 | 0 |
| Australia | 5.4 | 18 | 0 |
| United Kingdom | 5.2 | 32 | 3 |
| Spain | 4.9 | 15 | 0 |
| United States | 4.8 | 117 | 5 |
| Italy | 4.5 | 17 | 6 |
| Canada | 4.2 | 17 | 0 |
| France | 3.6 | 14 | 0 |
| Japan | 3.5 | 10 | 10 |
| South Korea | 3.4 | 14 | 0 |
| Germany | 3.3 | 27 | 4 |
| China | 3.1 | 106 | 8 |
Among the domains that scored zero were a Japanese university and a medical university in Germany.
Law firms: mid-table with some judgement required
Average score: 4.51
Rank: 5/13
19 out of the 495 domains we scanned belonging to legal firms had zero protections in place (4%), the fourth lowest of all sectors.
| SPF | % | DMARC | % | DKIM | % | MTA-STS | % |
|---|---|---|---|---|---|---|---|
| Has | 95.6 | Has | 88.9 | Has | 55.4 | Has | 4.2 |
| Hard fail | 48.5 | Rejects | 40.4 | | | Enforcing | 2.8 |
| Soft fail | 40.4 | Quarantines | 30.5 | | | Testing | 1.4 |
| | | Reporting | 79.0 | | | | |
Three domains scored full points – Schjødt in Norway, MinterEllisonRuddWatts in New Zealand, and Linklaters in the US. A further seven scored 7.5 – six of these were in the UK and one in the US. All of the UK domains had soft-fail SPF, while the US domain had MTA-STS in testing mode.
Law firm domain scores by country
The UK had the highest average score (5.5) and China had the lowest (2.1). China also had the highest number without any protections (38%).
Key country highlights:
| Country | Average score | # of entities | Zero protection (%) |
|---|---|---|---|
| United Kingdom | 5.5 | 42 | 0 |
| Brazil | 5.2 | 10 | 0 |
| India | 5.0 | 12 | 0 |
| Germany | 4.9 | 11 | 0 |
| Australia | 4.8 | 14 | 0 |
| France | 4.7 | 10 | 0 |
| United States | 4.5 | 189 | 4 |
| Canada | 4.4 | 18 | 0 |
| Italy | 4.4 | 10 | 0 |
| China | 2.1 | 24 | 38 |
19 domains had no protections.
Insurance companies & financial institutions: joint second place
Average Score: 4.57 (both sectors)
Rank: 2/13
17 out of the 490 domains we scanned for insurance firms and 16 out of the 496 domains we scanned for finance companies had zero protections in place (3% each).
Please note: some of the finance companies also offer insurance products, but they are counted in the finance sector alongside banking and financing firms.
Insurance:
| SPF | % | DMARC | % | DKIM | % | MTA-STS | % |
|---|---|---|---|---|---|---|---|
| Has | 94.3 | Has | 89.4 | Has | 60.4 | Has | 4.5 |
| Hard fail | 55.9 | Rejects | 39.0 | | | Enforcing | 2.4 |
| Soft fail | 35.5 | Quarantines | 26.5 | | | Testing | 1.8 |
| | | Reporting | 79.4 | | | | |
Four insurance companies had perfect scores: Beneva in Canada, and WCF Insurance, Pinnacol Assurance, and FFVA Mutual in the US.
Finance:
| SPF | % | DMARC | % | DKIM | % | MTA-STS | % |
|---|---|---|---|---|---|---|---|
| Has | 94.8 | Has | 86.1 | Has | 44.8 | Has | 1.8 |
| Hard fail | 69.8 | Rejects | 55.8 | | | Enforcing | 1.2 |
| Soft fail | 22.8 | Quarantines | 17.1 | | | Testing | 0.6 |
| | | Reporting | 82.5 | | | | |
Five finance companies also had perfect scores but, in this case, none of these were in the US. Rather, these were Nykredit in Denmark, Bank Muscat in Oman, Berner Kantonalbank in Switzerland, Commerzbank in Germany, and Belfius in Belgium.
Insurance company domain scores by country
Canada had the highest average score (5.5), while Japan had the lowest (3.2).
Key country highlights:
| Country | Average score | # of entities | Zero protection (%) |
|---|---|---|---|
| Canada | 5.5 | 17 | 0 |
| Denmark | 5.2 | 13 | 0 |
| Netherlands | 5.1 | 16 | 6 |
| Australia | 4.8 | 23 | 0 |
| United Kingdom | 4.8 | 18 | 0 |
| United States | 4.7 | 204 | 3 |
| Spain | 4.2 | 13 | 0 |
| France | 4.2 | 39 | 13 |
| Germany | 4.1 | 36 | 3 |
| Austria | 3.3 | 10 | 20 |
| Japan | 3.2 | 22 | 0 |
Of the insurance domains with zero protections, most were in the US (6) and France (5).
Finance company domain scores by country
Brazil had the highest overall score (5.7), while China had the lowest (2.2).
Key country highlights:
| Country | Average score | # of entities | Zero protection (%) |
|---|---|---|---|
| Brazil | 5.7 | 10 | 0 |
| United Arab Emirates | 5.5 | 11 | 0 |
| Philippines | 5.4 | 11 | 0 |
| United Kingdom | 5.2 | 18 | 0 |
| United States | 5.1 | 69 | 0 |
| Italy | 5.0 | 15 | 0 |
| Saudi Arabia | 4.7 | 10 | 0 |
| India | 4.6 | 19 | 5 |
| Germany | 4.6 | 12 | 0 |
| Switzerland | 4.3 | 14 | 0 |
| Japan | 4.1 | 27 | 7 |
| Vietnam | 4.0 | 13 | 0 |
| Taiwan | 3.3 | 17 | 6 |
| China | 2.2 | 53 | 13 |
Most of the domains without any protections were in China (7).
Non-profit organizations: budgets may be allocated elsewhere
Average score: 3.86
Rank: 11/13
21 out of the 212 domains we scanned had zero protections in place (10%).
| SPF | % | DMARC | % | DKIM | % | MTA-STS | % |
|---|---|---|---|---|---|---|---|
| Has | 89.6 | Has | 74.1 | Has | 56.6 | Has | 3.8 |
| Hard fail | 50.0 | Rejects | 18.4 | | | Enforcing | 1.4 |
| Soft fail | 36.3 | Quarantines | 22.2 | | | Testing | 2.4 |
| | | Reporting | 61.3 | | | | |
None of the non-profit domains we analyzed scored 8 out of 8 but two scored 7.5. These were the Center for International Climate Research (CICERO) in Norway and the LSU AgCenter in the US. CICERO has DMARC in quarantine mode, while LSU AgCenter has MTA-STS in testing mode.
Non-profit organizations’ domain scores by country
The US had the highest average score (4.6), while China had the lowest (1.6).
Key country highlights:
| Country | Average score | # of entities | Zero protection (%) |
|---|---|---|---|
| United States | 4.6 | 45 | 7 |
| Spain | 3.8 | 16 | 6 |
| Portugal | 3.8 | 12 | 17 |
| Germany | 2.8 | 13 | 0 |
| China | 1.6 | 19 | 32 |
Among those domains with zero protections was a non-profit research company headquartered in Portugal.
Manufacturers: need to make progress
Average score: 4.19
Rank: 9/13
39 out of the 460 domains we scanned had zero protections in place (8%).
| SPF | % | DMARC | % | DKIM | % | MTA-STS | % |
|---|---|---|---|---|---|---|---|
| Has | 90.0 | Has | 79.1 | Has | 54.6 | Has | 3.0 |
| Hard fail | 52.8 | Rejects | 33.3 | | | Enforcing | 1.5 |
| Soft fail | 35.4 | Quarantines | 25.0 | | | Testing | 1.1 |
| | | Reporting | 73.9 | | | | |
Three manufacturers’ domains scored full points. These were Wärtsilä and Valmet in Finland and the LISI Group in France.
Manufacturers’ domain scores by country
Switzerland comes out on top with an average score of 5.6 and is closely followed by Sweden with 5.4. South Korea features at the bottom with an average score of 2.1, while China has the highest percentage of domains with zero protection (20%).
Key country highlights:
| Country | Average score | # of entities | Zero protection (%) |
|---|---|---|---|
| Switzerland | 5.6 | 17 | 0 |
| Sweden | 5.4 | 10 | 0 |
| Canada | 5.2 | 11 | 0 |
| Italy | 5.1 | 12 | 0 |
| France | 4.9 | 13 | 8 |
| United States | 4.8 | 102 | 4 |
| Germany | 4.4 | 24 | 8 |
| India | 4.0 | 37 | 8 |
| Japan | 3.4 | 103 | 12 |
| China | 3.0 | 54 | 20 |
| South Korea | 2.1 | 11 | 18 |
Included within the domains with zero protection were a global manufacturer with a head office in Japan and an India-based manufacturer with a global turnover of over $27 billion USD.
Airlines: fly in mid-table
Average score: 4.29
Rank: 6/13
18 out of the 369 domains belonging to airlines that we scanned had zero protections in place (5%).
| SPF | % | DMARC | % | DKIM | % | MTA-STS | % |
|---|---|---|---|---|---|---|---|
| Has | 93.5 | Has | 81.8 | Has | 66.7 | Has | 1.9 |
| Hard fail | 54.5 | Rejects | 27.1 | | | Enforcing | 0.3 |
| Soft fail | 37.4 | Quarantines | 26.3 | | | Testing | 1.1 |
| | | Reporting | 71.0 | | | | |
Just one airline secured the full 8 points – HK Express in Hong Kong. One more (JetSMART in Chile) scored 7.5, dropping half a point for its MTA-STS being in testing mode.
Airlines’ domain scores by country
Spain had the highest average score with 5.2 and China the lowest with 2.4. 21 percent of the domains in China also had zero protections.
Key country highlights:
| Country | Average score | # of entities | Zero protection (%) |
|---|---|---|---|
| Spain | 5.2 | 10 | 0 |
| United States | 5.1 | 34 | 0 |
| Canada | 4.9 | 16 | 0 |
| Russia | 4.2 | 11 | 9 |
| South Korea | 3.6 | 10 | 0 |
| China | 2.4 | 24 | 21 |
Energy sector: just needs a little boost
Average score: 4.52
Rank: 4/13
30 out of the 486 domains belonging to energy companies that we scanned had zero protections in place (6%).
| SPF | % | DMARC | % | DKIM | % | MTA-STS | % |
|---|---|---|---|---|---|---|---|
| Has | 92.4 | Has | 85.6 | Has | 62.6 | Has | 3.1 |
| Hard fail | 60.5 | Rejects | 41.8 | | | Enforcing | 1.2 |
| Soft fail | 29.0 | Quarantines | 25.7 | | | Testing | 1.4 |
| | | Reporting | 76.5 | | | | |
Equinor in Norway and OQ Gas Networks (OQGN) in Oman were the only two domains to score 8 points. Four further companies scored 7.5, including two in Canada, one in Finland, and one in the UK.
Energy companies’ domain scores by country
Norway’s energy company domains scored an average of 5.9, closely followed by the UK and Italy with 5.5. China scored 1.8 and had the highest share of domains with zero protections (27%), followed by India (17%).
Key country highlights:
| Country | Average score | # of entities | Zero protection (%) |
|---|---|---|---|
| Norway | 5.9 | 10 | 0 |
| United Kingdom | 5.5 | 15 | 0 |
| Italy | 5.5 | 12 | 0 |
| Brazil | 5.3 | 10 | 0 |
| Germany | 5.0 | 12 | 0 |
| Australia | 5.0 | 14 | 0 |
| Spain | 5.0 | 11 | 0 |
| Canada | 4.7 | 51 | 4 |
| United States | 4.7 | 161 | 6 |
| India | 3.9 | 29 | 17 |
| Thailand | 3.9 | 12 | 0 |
| China | 1.8 | 11 | 27 |
Retail: needs to shop for better email protections
Average score: 4.26
Rank: 7/13
40 out of the 493 domains belonging to retailers that we scanned had zero protections in place (8%).
| SPF | % | DMARC | % | DKIM | % | MTA-STS | % |
|---|---|---|---|---|---|---|---|
| Has | 90.3 | Has | 82.4 | Has | 55.8 | Has | 3.0 |
| Hard fail | 49.3 | Rejects | 39.8 | | | Enforcing | 1.2 |
| Soft fail | 38.7 | Quarantines | 17.2 | | | Testing | 1.2 |
| | | Reporting | 75.9 | | | | |
Three retailers scored full points – Fielmann in Germany, ThredUp in the US, and National Vision, also in the US.
Retailers’ domain scores by country
France (5.2) and Germany (5.1) had the highest average scores among retailers, while Japan and China had the lowest with 2.6 each. Japan also had the highest share of domains with zero protection (26%).
Key country highlights:
| Country | Average score | # of entities | Zero protection (%) |
|---|---|---|---|
| France | 5.2 | 21 | 0 |
| Germany | 5.1 | 25 | 4 |
| Australia | 4.9 | 20 | 5 |
| Sweden | 4.8 | 10 | 0 |
| United States | 4.8 | 142 | 2 |
| Canada | 4.5 | 13 | 8 |
| Saudi Arabia | 4.0 | 10 | 20 |
| United Kingdom | 3.8 | 40 | 18 |
| India | 3.8 | 13 | 8 |
| China | 2.6 | 16 | 6 |
| Japan | 2.6 | 42 | 26 |
Domains with zero protections included a Japanese online shoe shop and a UK high-street retailer.
Country-by-country scores
Final thoughts
Our report highlights how each and every industry and country has room for improvement when it comes to email security. This is even the case within sectors and/or countries where email security is regulated to some degree.
For example, Europe’s GDPR doesn’t explicitly state that these protocols should be in place, but it does state that organizations must implement strict standards to help safeguard data. This perhaps explains why the likes of the Netherlands, Denmark, and Norway appear at the top of our rankings. But this doesn’t extend across all EU-regulated countries, with France, Germany, and Spain scoring far lower.
Equally, certain sectors within specific countries face heavier regulation. For example, in the US, the Department of Homeland Security (DHS) mandates DMARC on all federal agency email domains (Binding Operational Directive 18-01), and in the UK, the Government Digital Service (GDS) requires DMARC across governmental domains, at p=reject.
Looking at our findings, 12 government entities in the US and three UK government agencies don’t publish DMARC at all (some of these are mentioned above).
As phishing campaigns continue to evolve and trade on trusted names such as Google and the New York Times to induce a sense of trust, meeting basic email security standards has never been more crucial. Increased regulation may help spur organizations into action, but companies shouldn’t wait to be told to safeguard their domains, particularly when the protocols involved are widely regarded as baseline.
Methodology, limitations & sources
Domain selection
The list of companies (and their corresponding domains) was derived from industry lists of the key/top companies within each sector. For example, ICMIF’s list of the world’s largest mutual and cooperative insurers was used for the insurance sector.
Any domains that weren’t available, e.g. those presenting a 404 error, were removed.
A full list of sources is detailed below.
DNS audit
We then resolved live DNS records for each domain. We queried the apex TXT records for an SPF record and the qualifier on its trailing -all/~all/?all/+all mechanism, and the policy on any DMARC record at _dmarc.<domain>. We additionally tested for an MTA-STS policy (published via a _mta-sts.<domain> TXT record and a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt) and for DKIM records, which are published per selector at <selector>._domainkey.<domain>.
Scoring
Each domain was scored on an 8-point scale (SPF presence, SPF strict-fail qualifier, DMARC presence, DMARC enforcement, DMARC reporting destination, DKIM presence, MTA-STS publication, MTA-STS enforce mode), one point per check, with half points for SPF soft fail, DMARC p=quarantine, and MTA-STS testing mode.
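The scoring rules in the Scoring section above and the DNS audit described under Methodology can be expressed as a short scorer. The following Python is an added example written for this edit, not the report’s own tooling. It scores a domain on the same 8-point scale: SPF presence and the -all/~all qualifier, DMARC presence, p= policy and rua= destination, DKIM presence, and MTA-STS publication and mode. DNS and HTTPS lookups are passed in as callables so the scorer runs offline against a constructed sample zone (good.example, monitor.example and bare.example are made up); the live_txt and live_policy adapters, which assume dnspython is installed, plug in for a real audit. The DKIM selector list and the treatment of a published-but-unfetchable MTA-STS policy as “broken” are assumptions, since the report does not say which selectors it probed or exactly how that case was scored.

```python
"""Score a domain's public mail-authentication posture on this report's 8-point scale.
Added example, not the report's own tooling: DNS and HTTPS are passed in as callables so it
runs offline against the constructed zone below; the live_* adapters plug in for real audits."""
import re
from typing import Callable, Dict, List, Optional

TxtLookup = Callable[[str], List[str]]        # DNS name -> TXT strings ([] if none)
PolicyFetch = Callable[[str], Optional[str]]  # domain -> MTA-STS policy text, or None

# Assumption: the report does not say which DKIM selectors it probed; these are common ones.
DEFAULT_DKIM_SELECTORS = ("selector1", "selector2", "google", "default", "k1", "dkim")
SPF_ALL_POINTS = {"-": 1.0, "~": 0.5, "?": 0.0, "+": 0.0}
DMARC_POLICY_POINTS = {"reject": 1.0, "quarantine": 0.5, "none": 0.0}
MTA_STS_MODE_POINTS = {"enforce": 1.0, "testing": 0.5, "none": 0.0}

def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k2=v2' record (DMARC, DKIM, MTA-STS TXT) into a dict with lower-cased keys."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(spf: str) -> Optional[str]:
    """Qualifier on the trailing 'all' mechanism: '-', '~', '?' or '+' (the default); None if absent."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf, re.IGNORECASE)
    return None if match is None else (match.group(1) or "+")

def score_domain(domain: str, txt: TxtLookup, fetch_policy: PolicyFetch,
                 selectors=DEFAULT_DKIM_SELECTORS) -> Dict[str, float]:
    """Return the points per check plus 'total' (max 8.0) for one domain."""
    s = {k: 0.0 for k in ("spf_present", "spf_fail", "dmarc_present", "dmarc_policy",
                          "dmarc_reporting", "dkim_present", "mta_sts_published", "mta_sts_mode")}
    # SPF: v=spf1 TXT at the apex; the trailing 'all' qualifier decides hard (-) vs soft (~) fail.
    # A missing 'all' or '+all' leaves unlisted senders neutral/pass and earns nothing.
    spf = next((r for r in txt(domain) if r.lower().startswith("v=spf1")), None)
    if spf:
        s["spf_present"] = 1.0
        s["spf_fail"] = SPF_ALL_POINTS[spf_all_qualifier(spf) or "+"]
    # DMARC: v=DMARC1 TXT at _dmarc.<domain>; p= is the policy, rua= the aggregate-report sink.
    # pct= and sp= are ignored on purpose, matching the report's scoring of the p= tag only.
    dmarc = next((r for r in txt(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")), None)
    if dmarc:
        tags = parse_tags(dmarc)
        s["dmarc_present"] = 1.0
        s["dmarc_policy"] = DMARC_POLICY_POINTS.get(tags.get("p", "none").lower(), 0.0)
        if "mailto:" in tags.get("rua", "").lower():
            s["dmarc_reporting"] = 1.0
    # DKIM: public keys live at <selector>._domainkey.<domain>; a record with a p= tag counts.
    for sel in selectors:
        if any("p" in parse_tags(r) for r in txt(f"{sel}._domainkey.{domain}")):
            s["dkim_present"] = 1.0
            break
    # MTA-STS: v=STSv1 TXT at _mta-sts.<domain> announces a policy; the policy file carries mode.
    # Assumption: a TXT with no fetchable or parsable policy file is "broken" and earns no mode points.
    if any(r.lower().startswith("v=stsv1") for r in txt(f"_mta-sts.{domain}")):
        s["mta_sts_published"] = 1.0
        mode = re.search(r"^\s*mode\s*:\s*(\w+)", fetch_policy(domain) or "", re.I | re.M)
        if mode:
            s["mta_sts_mode"] = MTA_STS_MODE_POINTS.get(mode.group(1).lower(), 0.0)
    s["total"] = round(sum(s.values()), 1)
    return s

# Constructed sample zone (not real domains) so the scorer can be exercised offline.
SAMPLE_TXT: Dict[str, List[str]] = {
    "good.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "selector1._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB"],
    "_mta-sts.good.example": ["v=STSv1; id=20240101T000000"],
    "monitor.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:reports@monitor.example"],
    "_mta-sts.monitor.example": ["v=STSv1; id=1"],  # TXT published, but no policy file below
}
SAMPLE_POLICY: Dict[str, str] = {
    "good.example": "version: STSv1\nmode: enforce\nmx: mx1.good.example\nmax_age: 604800\n",
}

def sample_txt(name: str) -> List[str]:
    return SAMPLE_TXT.get(name, [])

def sample_policy(domain: str) -> Optional[str]:
    return SAMPLE_POLICY.get(domain)

def live_txt(name: str) -> List[str]:
    """Real-resolver adapter for live audits (needs dnspython); unused by the offline sample."""
    import dns.exception, dns.resolver  # noqa: E401
    try:
        return ["".join(p.decode("ascii", "replace") for p in rr.strings)
                for rr in dns.resolver.resolve(name, "TXT")]
    except dns.exception.DNSException:
        return []

def live_policy(domain: str) -> Optional[str]:
    """Fetch the MTA-STS policy file from its RFC 8461 well-known HTTPS location."""
    import urllib.request
    try:
        with urllib.request.urlopen(f"https://mta-sts.{domain}/.well-known/mta-sts.txt", timeout=10) as r:
            return r.read().decode("utf-8", "replace")
    except (OSError, ValueError):
        return None

if __name__ == "__main__":
    for d in ("good.example", "monitor.example", "bare.example"):
        print(d, score_domain(d, sample_txt, sample_policy))
```

Run as a script, it scores the three constructed domains: good.example scores 8.0, monitor.example scores 4.5 (soft-fail SPF, DMARC at p=none with a reporting address, no DKIM key under the probed selectors, and an MTA-STS TXT record with no policy file), and bare.example scores 0. The SPF check only inspects the qualifier on the trailing all mechanism; it does not expand include: or redirect= chains, so a record that is syntactically enforcing but exceeds the 10-lookup limit would still earn its points here, as it would under the report’s method.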
Limitations
This audit checks the public, observable email-authentication posture of each domain at its apex. It does not assess subdomain posture (many large organizations enforce DMARC on a customer-facing subdomain while running monitor mode on the apex), internal mail-server configuration, anti-phishing tooling deployed by the organization’s mail provider, customer-side filtering, or human-targeted brand-protection programs. The DMARC enforcement score is based on the p= tag alone, so a record with a pct= value below 100, which applies the stated policy to only a fraction of failing mail, scores the same as one enforcing on all of it.
Sources
https://www.icmif.org/wp-content/uploads/2024/05/ICMIF-Global-500-2024.pdf
https://companiesmarketcap.com
https://brandirectory.com/reports/banking
https://disfold.com/sector/healthcare/companies/
https://www.scimagoir.com/rankings.php
Data researcher: Mantas Sasnauskas