惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
LINUX DO - 最新话题
C
Cyber Attacks, Cyber Crime and Cyber Security
G
GRAHAM CLULEY
T
Tenable Blog
T
Threatpost
C
CXSECURITY Database RSS Feed - CXSecurity.com
I
Intezer
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
D
Darknet – Hacking Tools, Hacker News & Cyber Security
K
Kaspersky official blog
Security Latest
Security Latest
P
Privacy & Cybersecurity Law Blog
Google Online Security Blog
Google Online Security Blog
SecWiki News
SecWiki News
P
Palo Alto Networks Blog
TaoSecurity Blog
TaoSecurity Blog
Webroot Blog
Webroot Blog
Spread Privacy
Spread Privacy
O
OpenAI News
The Last Watchdog
The Last Watchdog
P
Proofpoint News Feed
C
Check Point Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
人人都是产品经理
人人都是产品经理
S
Security @ Cisco Blogs
Scott Helme
Scott Helme
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
月光博客
月光博客
S
Securelist
酷 壳 – CoolShell
酷 壳 – CoolShell
V
V2EX
T
Troy Hunt's Blog
W
WeLiveSecurity
GbyAI
GbyAI
N
News | PayPal Newsroom
Y
Y Combinator Blog
C
Cisco Blogs
H
Help Net Security
The GitHub Blog
The GitHub Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
博客园 - 【当耐特】
Jina AI
Jina AI
MongoDB | Blog
MongoDB | Blog
P
Proofpoint News Feed
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
云风的 BLOG
云风的 BLOG
小众软件
小众软件
N
News and Events Feed by Topic

Comparitech

How to watch McGregor vs Holloway 2 (UFC 329) from anywhere Medical billing firm MCBS warns 300,000+ patients of data breach - Comparitech Ransomware Roundup: H1 2026 stats on attacks, ransoms, and active gangs - Comparitech Colorado Health Network warns 68,000+ people of data breach that leaked SSNs, credit cards, and medical records - Comparitech Middletown, OH warns 123,000+ people of data breach that leaked SSNs, financial and medical info - Comparitech DeGoogling your life: What is it and how do you do it? How to opt out of Meta AI data collection - Comparitech Is CurseForge safe? Common risks and how to mod safely - Comparitech Cybercriminals say they hacked New South Wales Rural Fire Service - Comparitech Grandview School District warns 9,000+ people of data breach 21 months later - Comparitech Kootenai County, ID warns residents of government data breach that leaked personal info - Comparitech What is Kik? Is it safe for kids? - Comparitech Cybercriminals say they hacked Reynella East College - Comparitech Are UK council websites adhering to government security guidelines? - Comparitech Bellflower Unified Schools warns students of data breach that leaked SSNs - Comparitech What are location services and how do they work? - Comparitech How to bypass Xbox age verification - Comparitech What is a Minecraft dedicated IP? Do you need one? The best Discord alternatives in 2026 - Comparitech How to watch UFC Freedom 250: Stream UFC White House online Taos Mountain Casino warns of data breach that leaked SSNs Cybercriminals give Delano Public Schools two weeks to pay ransom How to fix ‘Your connection is not private’ in Chrome Plaza Home Mortgage warns 138,000 people of data breach that leaked SSNs How to watch the NBA Finals live online from anywhere Cybercriminals take credit for Singing River Health System data breach How Spammers Are Hiding Behind Google and the New York Times Ransomware roundup: May 2026 Iowa hospital warns 24,000+ people of data breach that leaked SSNs, medical and financial info 80K+ people notified of data breach at Louisiana university that leaked SSNs & bank info Finance firm IMA warns 525,000+ people of data breach Auto lender IAC warns 79,000+ people of data breach that leaked SSNs Sandstone, MN says SSNs and financial info compromised in ransomware data breach Las mejores herramientas de gestión de Active Directory Die besten Active-Directory-Management-Tools I Migliori Strumenti di Gestione di Active Directory Las mejores herramientas de gestión de logs Die besten Log-Management-Tools I migliori strumenti di log management Watching You, Funded by You: Number of CCTV Cameras by UK Council & Police Force Las mejores herramientas SIEM para alertas de seguridad automatizadas Die besten SIEM-Tools für automatisierte Sicherheitswarnungen I migliori strumenti SIEM per gli avvisi di sicurezza automatizzati Software maker warns 200,000 Frost Bank customers in Texas of data breach Oregon employment firm notifies 142,000+ people of two data breaches claimed by ransomware gangs Cybercriminals say they hacked Harrison County, WV commission, demand ransom Cybercriminals say they breached AdvancedHealth, Tennessee clinic confirms Fluke Corp notifies 18,000+ people of data breach that leaked SSNs What is Token-Based Authentication? Tokens Explained Western Orthopaedics warns 113,000+ people of data breach that leaked SSNs, credit cards, and medical info What is ARP? ARP protocol explained What is symmetric encryption? Crunchyroll VPN not working? Fix buffering, errors & region blocks American Lending Center notifies 123,000+ people of data breach that leaked SSNs How to watch Oleksandr Usyk vs Rico Verhoeven online Cybercriminals say they hacked CarePoint Health, stole data Ransomware gang claims attack and data theft from UK city school Horizon Media reports data breach of SSNs, cybercriminals take credit Claude VPNs (and how to use Claude safely) What is GhostPairing on WhatsApp? What is a prompt injection attack? Where do leaked passwords end up? A statistical analysis of the dark web’s credential pipeline Ransomware roundup: April 2026 Suffolk, VA warns 157,000+ people of data breach that leaked SSNs, finances How to watch UFC 328 (Chimaev vs Strickland) from anywhere Cybercriminals say they hacked Winona County, MN (again) Keeper vs 1Password: Which password manager is best in 2026? What is F-Droid? Is it safe? Proton VPN Secure Core: What is it, and should you use it? What is an agentic browser? Features and how to use them safely Sandhills Medical Foundation warns patients of data breach Cybercriminals say they hacked Massachusetts Development Finance Agency, its second breach in 2 years STELIA Aerospace confirms cyber attack on North American systems. $2.07 million ransom issued Debt collector Rodenburg Law Firm warns 81,307 people of data breach Healthcare ransomware roundup: Q1 2026 stats on attacks, ransoms, and data breaches How to block ads on Paramount Plus A complete guide to smart speaker privacy What is the Great Firewall of China Cybercriminals say they hacked Rusk County, WI What is a decentralized VPN? Do you need a dVPN? Southern Illinois Dermatology warns patients of data breach that leaked SSNs 92,000 people notified of data breach following cyber attack at Puerto Rican hospital Cybercriminals say they hacked Minidoka Memorial Hospital, demand ransom What is sensitive data? Types and how to protect yourself Inside RAMP: What a leaked database reveals about Russia’s ransomware marketplace What is a passphrase? Are they safer than passwords? Phoenix Art Museum warns of data breach that leaked SSNs Mozilla VPN vs NordVPN – VPN Comparison Guide Cookeville Regional Medical Center warns 338,000 people of data breach Antimalware vs Antivirus: What’s the difference? What is URL phishing? Examples and how to stay safe How to use a VPN in Bhutan (and the best options) Cybercriminals give Brockton, MA hospital one week to pay ransom after hack Is Truth Social safe? Everything you need to know What is cyberwarfare? Medical implant maker TriMed warns 80,000+ people of data breach Ransomware roundup: Q1 2026 Heart South Cardiovascular Group warns 46,000+ people of data breach Cybercriminals say they hacked Community College of Beaver County Critical Infrastructure at Risk: 179 ICS Devices Exposed Online
Which industry & country has the worst email security? An analysis of 5,800+ domains for SPF, DMARC, DKIM & MTA-STS protocols - Comparitech
Rebecca Moody · 2026-06-25 · via Comparitech

Which industry & country has the worst email security

Every day, cybercriminals send around 3.4 billion phishing emails. 90 percent of successful cyber attacks originate from one of these emails.

We analyzed the live DNS records for 5,849 domains across 13 sectors, scoring each domain on eight points based on its Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Mail Transfer Agent Strict Transport Security (MTA-STS).

96 percent of IT security and decision makers expect to see email security challenges throughout 2026, so you’d be forgiven for thinking that most organizations would be meeting the basics. However, our findings found that more than eight percent of organizations’ domains are fully unprotected, meaning they have no SPF, DMARC, DKIM, or MTA-STS measures in place. A mere 0.6 percent scored full marks for having all of the protections in place and at the highest level.

Which industries have the worst email security?

Government agencies and healthcare providers*.

Government agencies had the lowest average score by far (2.73) and had the highest number of unprotected domains with nearly 27 percent in total. Healthcare providers had the second-lowest average score (3.43) and the second-highest rate of unprotected domains (more than 19%).

In contrast, technology companies had the highest average score (4.83) and the lowest rate of domains with zero protection (2%).

What about the worst countries**?

Asian countries/territories had the lowest average scores, with China (2.3), South Korea (2.84), Hong Kong (3.07), and Japan (3.53) ranking among the lowest. The European countries of France (3.77), Germany (3.8), and Spain (3.98) also scored poorly.

Among the highest-scoring countries were the Netherlands (5.51), Denmark (5.33), Norway (5.31), and Finland (5.19).

China (28%), Hong Kong (26%), and France (16%) had the highest percentage of domains with zero protection. Seven countries, including the United Arab Emirates and Poland, had zero domains with no protection. Switzerland also had just less than 2 percent.

*We looked at healthcare providers (those providing direct care to patients) and healthcare businesses (e.g. pharmaceutical or medical device manufacturers) separately.

**Countries without large datasets, those with less than 10 scanned domains, haven’t been included in the country-by-country analysis.

All of the companies mentioned in the article have been contacted for comment (except those with full 8/8 scores). Any responses received will be added to the end of the article.

Key findings:

  • 487 of the total domains scanned (5,849) had zero protection (8.3%)
  • Just 33 of the total domains had full protection (0.6%)
  • Average score across all domains – 4.2
  • Government domains had the lowest average score – 2.73
  • Tech company domains had the highest average score – 4.83
  • Government domains had the highest percentage of domains with zero protection – 27%
  • Tech company domains had the lowest percentage of domains with zero protection – 2%
  • China had the lowest average score – 2.3
  • The Netherlands had the highest average score – 5.51
  • China had the highest percentage of domains with zero protection – 28%
  • 90 percent of all domains had SPF protocols in place
  • 81 percent of all domains had DMARC protocols in place
  • 55 percent of all domains had DKIM protocols in place
  • Just over 3 percent of all domains had MTA-STS protocols in place

Scoring

For scores used in the context of this article, each domain was given a score out of 8, with 8 being fully protected and 0 indicating no protection:

  • SPF presence – checks whether incoming emails are from authorized domains (1 point)
  • SPF hard fail (“-all”) – explicitly rejects/discards any emails that don’t come from the authorized list of domains (1 point)
  • SPF soft fail “~all”) – sends an email to spam rather than rejecting it completely (0.5 points)
  • DMARC presence – a DMARC record has been created within the domain’s DNS settings, enabling email receivers to check the authenticity of the received emails (1 point)
  • DMARC enforcement – the policy contains p=quarantine (0.5 points) or p=reject (1 point) for messages that don’t pass authentication checks. Any with p=none do not get an additional point, as these will go straight through
  • DMARC reporting destination – feedback reporting has been enabled and the recipient of these reports has been specified (1 point)
  • DKIM presence – uses a digital signature to notify the recipient that the message is coming from an address that’s been authorized by the domain
  • MTA-STS publication – tells email senders that an organization’s domain is using encrypted Transport Layer Security (TLS) connections (1 point)
  • MTA-STS enforce mode – if a secure connection cannot be established, the email will be rejected and it will not be delivered in its unencrypted state (1 point). Those in “testing” mode score 0.5 points, those highlighted as “broken” or “none” scored 0

Government: the sector with the worst email security

Average score: 2.73.

Rank: 13/13

121 out of the 452 domains we scanned had zero protections in place (27%)–the highest of all sectors.

SPF%DMARC%DKIM%MTA-STS%
Has71.7Has53.3Has26.5Has1.8
Hard fail40.9Rejects13.9Enforcing1.1
Soft fail25.4Quarantines12.4Testing0.4
Reporting44.2

No government domains scored full marks, but three did score 7.5 – Australia’s national science agency (CSIRO), the Mila – Quebec Artificial Intelligence Institute in Canada, and The Alan Turing Institute in the UK (also dedicated to data science and artificial intelligence).

Each dropped half a point for a different reason: CSIRO has its MTA-STS in the testing phase, Mila has soft-fail SPF, and Turing quarantines emails that don’t pass DMARC checks, rather than rejecting them.

Government domain scores by country

Where more than 10 domains were scanned within the country, the UK (4.6) and the US were the top scorers (3.9). The UK also had the lowest percent of domains with zero protection (6%), but 17 percent of domains were unprotected in the US.

China (0.9) and France (1.4) had the lowest average scores. Both of these countries also had the highest number of fully unprotected domains with 65 and 47 percent, respectively.

Key country highlights:

CountryAverage score# of entitiesZero protection (%)
United Kingdom4.6166
United States3.94617
Spain3.55311
South Korea2.91118
Germany2.9798
Italy2.41513
France1.45147
China0.99465

Technology: the sector with the best email security

Average score: 4.83.

Rank: 1/13

10 out of the 498 domains we scanned had zero protections in place (2%)–the lowest of all sectors.

SPF%DMARC%DKIM%MTA-STS%
Has97.6Has91.6Has68.9Has4.4
Hard fail51.6Rejects46.6Enforcing1.8
Soft fail40.8Quarantines30.5Testing2.0
Reporting84.3

Two tech companies’ domains scored full marks – microsoft.com and f5.com. A further 10 scored 7.5 – six of these were in the US and the others in Spain, Switzerland, Sweden, and the Netherlands.

Of the 10 without any protections, four were in China, and the others were in Hong Kong, Germany, Taiwan, South Korea, the Netherlands, and India.

Technology domain scores by country

The countries with the highest average scores were Israel (5.5) and the US (5.3). Both countries had no domains without any protections, as did Japan and Canada.

China and South Korea had the lowest average scores with 3.3 each.

Key country highlights:

CountryAverage score# of entitiesZero protection (%)
Israel5.5110
United States5.32560
Canada4.9110
Japan4.6350
Germany4.4119
Taiwan4.3284
China3.3528
South Korea3.31010

Healthcare providers: well below average

Average score: 3.43.

Rank: 12/13

85 out of the 438 domains we scanned had zero protections in place (19%)–the second highest of all sectors.

SPF%DMARC%DKIM%MTA-STS%
Has77.4Has65.5Has41.6Has2.5
Hard fail40.4Rejects30.8Enforcing1.1
Soft fail32.9Quarantines12.8Testing1.1
Reporting60.0

Four domains scored full points. Three of these were part of the UK’s NHS (NHS Blood and Transplant, Manchester University NHS Foundation Trust, and University Hospitals Birmingham NHS Foundation Trust), and one was the Dutch cancer specialist, Prinses Máxima Centrum.

A further three domains (one each in the US, UK, and Netherlands) scored 7.5, each dropping 0.5 for MTA-STS being in the testing phase.

Healthcare providers’ domain scores by country

The Netherlands had the highest average score (6), while China (2.1) and Spain (2.6) had the lowest. The UK also had a low average score (2.9).

China also had the highest percentage of domains without any protections (45%), followed by the UK (37%).

Key country highlights:

CountryAverage score# of entitiesZero protection (%)
Netherlands6.0110
France4.2130
United States3.917412
Italy3.31315
Germany3.2268
Australia3.12124
Canada3.01828
United Kingdom2.94337
Spain2.63129
China2.12045

Among the domains with zero protections were a US healthcare company operating across over 500 locations and an NHS Trust in the UK.

Healthcare businesses: marginally better than their counterparts

Average score: 4.1

Rank: 10/13

50 out of the 462 domains we scanned had zero protections in place (11%).

Healthcare businesses scored slightly better than healthcare providers across all categories, but still had the fourth-lowest average score and the third-worst zero-protection rate.

SPF%DMARC%DKIM%MTA-STS%
Has88.1Has78.1Has58.4Has2.6
Hard fail46.3Rejects35.5Enforcing1.1
Soft fail38.1Quarantines19.0Testing1.1
Reporting71.0

Just one domain scored full points – Revolution Medicines in the US. Five scored 7.5: Amgen in the US, bioMérieux in France, Fagron in Belgium, Fresenius (FSE) in Germany, and Verona Pharma* in the UK. All of them dropped 0.5 points for having MTA-STS in testing, aside from bioMérieux, which had MTA-STS in enforcement mode but DMARC in quarantine mode.

*Verona Pharma is now part of U.S. Merck.

Healthcare businesses’ domain scores by country

The UK had the highest average score (4.9), but was closely followed by Switzerland (4.8) and the US (4.7). China (2.1) had the lowest average score and the highest percentage of domains without any protections (36%).

Key country highlights:

CountryAverage score# of entitiesZero protection (%)
United Kingdom4.9120
Switzerland4.8130
United States4.72063
Ireland4.51010
Japan3.33013
China2.19536

Among those scoring zero were a biopharmaceutical company with a $500M+ turnover in the US and an Irish pharmaceutical manufacturer.

Universities: the p=none paradox

Average score: 4.25

Rank: 8/13

21 out of the 498 domains we scanned had zero protections in place (4%).

Despite universities having the fifth-lowest percentage of domains with zero protection and the most domains with MTA-STS protocols, they had the highest number of domains with DMARC p=none. In short, despite nearly 86 percent of the universities we audited having a DMARC record in place, a meaningful share (42%) have stalled in monitoring mode and never flipped to enforcement.

SPF%DMARC%DKIM%MTA-STS%
Has94.8Has85.5Has62.9Has6.2
Hard fail38.8Rejects20.3Enforcing3.4
Soft fail44.6Quarantines23.3Testing2.6
Reporting77.7

Five universities scored full marks. Wageningen University & Research in the Netherlands, the Australian National University, the University of Auckland in New Zealand, and the University of Southampton and the University of Bath in the UK.

Universities’ domain scores by country

The Netherlands had the highest average score (6), followed by Australia (5.4) and the UK (5.2). China (3.1), Germany (3.3), and South Korea (3.4) had the lowest scores.

Japan (10%) and China (8%) had the highest rate of unprotected domains.

Key country highlights:

CountryAverage score# of entitiesZero protection (%)
Netherlands6.0120
Australia5.4180
United Kingdom5.2323
Spain4.9150
United States4.81175
Italy4.5176
Canada4.2170
France3.6140
Japan3.51010
South Korea3.4140
Germany3.3274
China3.11068

Among the domains that scored zero were a Japanese university and a medical university in Germany.

Law firms: mid-table with some judgement required

Average score: 4.51

Rank: 5/13

19 out of the 495 domains we scanned belonging to legal firms had zero protections in place (4%)–the fourth lowest of all sectors.

SPF%DMARC%DKIM%MTA-STS%
Has95.6Has88.9Has55.4Has4.2
Hard fail48.5Rejects40.4Enforcing2.8
Soft fail40.4Quarantines30.5Testing1.4
Reporting79.0

Three domains scored full points – Schjødt in Norway, MinterEllisonRuddWatts in New Zealand, and Linklaters in the US. A further seven scored 7.5 – six of these were in the UK and one in the US. All of the UK domains had soft-fail SPF, while the US domain had MTA-STS in testing mode.

Law firm domain scores by country

The UK had the highest average score (5.5) and China had the lowest (2.1). China also had the highest number without any protections (38%).

Key country highlights:

CountryAverage score# of entitiesZero protection (%)
United Kingdom5.5420
Brazil5.2100
India5.0120
Germany4.9110
Australia4.8140
France4.7100
United States4.51894
Canada4.4180
Italy4.4100
China2.12438

19 domains had no protections.

Insurance companies & financial institutions: joint second place

Average Score: 4.57 (both sectors)

Rank: 2/13
17 out of the 490 domains we scanned for insurance firms and 16 out of the 496 domains we scanned for finance companies had zero protections in place (3% each).

Please note: some of the finance companies may also offer insurance packages, but these are included alongside financing/banking options.

Insurance:

SPF%DMARC%DKIM%MTA-STS%
Has94.3Has89.4Has60.4Has4.5
Hard fail55.9Rejects39.0Enforcing2.4
Soft fail35.5Quarantines26.5Testing1.8
Reporting79.4

Four insurance companies had perfect scores, including Beneva of Canada, WCF Insurance, Pinnacol Assurance, and FFVA Mutual of the US.

Finance:

SPF%DMARC%DKIM%MTA-STS%
Has94.8Has86.1Has44.8Has1.8
Hard fail69.8Rejects55.8Enforcing1.2
Soft fail22.8Quarantines17.1Testing0.6
Reporting82.5

Five finance companies also had perfect scores but, in this case, none of these were in the US. Rather, these were Nykredit in Denmark, Bank Muscat in Oman, Berner Kantonalbank in Switzerland, Commerzbank in Germany, and Belfius in Belgium.

Insurance company domain scores by country

Canada had the highest overall score (5.5), while Japan had the lowest (3.2)

Key country highlights:

CountryAverage score# of entitiesZero protection (%)
Canada5.5170
Denmark5.2130
Netherlands5.1166
Australia4.8230
United Kingdom4.8180
United States4.72043
Spain4.2130
France4.23913
Germany4.1363
Austria3.31020
Japan3.2220

Of the domains with zero protections, most of these were in the US (6) and France (5).

Finance company domain scores by country

Brazil had the highest overall score (5.7), while China had the lowest (2.2).

Key country highlights:

CountryAverage score# of entitiesZero protection (%)
Brazil5.7100
United Arab Emirates5.5110
Philippines5.4110
United Kingdom5.2180
United States5.1690
Italy5.0150
Saudi Arabia4.7100
India4.6195
Germany4.6120
Switzerland4.3140
Japan4.1277
Vietnam4.0130
Taiwan3.3176
China2.25313

Most of the domains without any protections were in China (7).

Non-profit organizations: budgets may be allocated elsewhere

Average score: 3.86

Rank: 11/13

21 out of the 212 domains we scanned had zero protections in place (10%).

SPF%DMARC%DKIM%MTA-STS%
Has89.6Has74.1Has56.6Has3.8
Hard fail50.0Rejects18.4Enforcing1.4
Soft fail36.3Quarantines22.2Testing2.4
Reporting61.3

None of the non-profit domains we analyzed scored 8 out of 8 but two scored 7.5. These were the Center for International Climate Research (CICERO) in Norway and the LSU AgCenter in the US. CICERO has DMARC in quarantine mode, while LSU AgCenter has MTA-STS in testing mode.

Non-profit organizations’ domain scores by country

The US had the highest average score with 4.6, while China had the lowest with 1.6

Key country highlights:

CountryAverage score# of entitiesZero protection (%)
United States4.6457
Spain3.8166
Portugal3.81217
Germany2.8130
China1.61932

Among those domains with zero protections was a non-profit research company headquartered in Portugal.

Manufacturers: need to make progress

Average score: 4.19

Rank: 9/13

39 out of the 460 domains we scanned had zero protections in place (8%).

SPF%DMARC%DKIM%MTA-STS%
Has90.0Has79.1Has54.6Has3.0
Hard fail52.8Rejects33.3Enforcing1.5
Soft fail35.4Quarantines25.0Testing1.1
Reporting73.9

Three manufacturers’ domains scored full points. These were Wärtsilä and Valmet in Finland and the LISI Group in France.

Manufacturers’ domain scores by country

Switzerland comes out on top with an average score of 5.6 and is closely followed by Sweden with 5.4. South Korea features at the bottom with an average score of 2.1, while China has the highest percentage of domains with zero protection (20%).

Key country highlights:

CountryAverage score# of entitiesZero protection (%)
Switzerland5.6170
Sweden5.4100
Canada5.2110
Italy5.1120
France4.9138
United States4.81024
Germany4.4248
India4.0378
Japan3.410312
China3.05420
South Korea2.11118

Included within the domains with zero protection were a global manufacturer with a head office in Japan and an Indian-based manufacturer with a global turnover of over $27 billion USD.

Airlines: fly in mid-table

Average score: 4.29

Rank: 6/13

18 out of the 369 domains belonging to airlines that we scanned had zero protections in place (5%).

SPF%DMARC%DKIM%MTA-STS%
Has93.5Has81.8Has66.7Has1.9
Hard fail54.5Rejects27.1Enforcing0.3
Soft fail37.4Quarantines26.3Testing1.1
Reporting71.0

Just one airline secured the full 8 points – HK Express in Hong Kong. One more (JetSMART in Chile) scored 7.5, dropping half a point for its MTA-STS being in testing mode.

Airlines’ domain scores by country

Spain had the highest average score with 5.2 and China the lowest with 2.4. 21 percent of the domains in China also had zero protections.

Key country highlights:

CountryAverage score# of entitiesZero protection (%)
Spain5.2100
United States5.1340
Canada4.9160
Russia4.2119
South Korea3.6100
China2.42421

Energy sector: just needs a little boost

Average score: 4.52

Rank: 4/13

30 out of the 486 domains belonging to energy companies that we scanned had zero protections in place (6%).

SPF%DMARC%DKIM%MTA-STS%
Has92.4Has85.6Has62.6Has3.1
Hard fail60.5Rejects41.8Enforcing1.2
Soft fail29.0Quarantines25.7Testing1.4
Reporting76.5

Equinor in Norway and OQ Gas Networks (OQGN) in Oman were the only two domains to score 8 points. Four further companies scored 7.5, including two in Canada, one in Finland, and one in the UK.

Energy companies’ domain scores by country

Norway’s energy company domains scored an average of 5.9, closely followed by the UK and Italy with 5.5. China scored 1.8 and had the highest number of domains with zero protections (27%), followed by India (17%)

Key country highlights:

CountryAverage score# of entitiesZero protection (%)
Norway5.9100
United Kingdom5.5150
Italy5.5120
Brazil5.3100
Germany5.0120
Australia5.0140
Spain5.0110
Canada4.7514
United States4.71616
India3.92917
Thailand3.9120
China1.81127

Retail: needs to shop for better email protections

Average score: 4.26

Rank: 7/13

40 out of the 493 domains belonging to retailers that we scanned had zero protections in place (8%).

SPF%DMARC%DKIM%MTA-STS%
Has90.3Has82.4Has55.8Has3.0
Hard fail49.3Rejects39.8Enforcing1.2
Soft fail38.7Quarantines17.2Testing1.2
Reporting75.9

Three retailers scored full points – Fielmann in Germany, ThredUp in the US, and National Vision, also in the US.

Retailers’ domain scores by country

France (5.2) and Germany (5.1) had the highest average scores among retailers, while Japan and China had the lowest with 2.6 each. Japan also has the highest number of domains with zero protection.

Key country highlights:

CountryAverage score# of entitiesZero protection (%)
France5.2210
Germany5.1254
Australia4.9205
Sweden4.8100
United States4.81422
Canada4.5138
Saudi Arabia4.01020
United Kingdom3.84018
India3.8138
China2.6166
Japan2.64226

Domains with zero protections included a Japanese online shoe shop and a UK high-street retailer.

Country-by-country scores

Final thoughts

Our report highlights how each and every industry and country has room for improvement when it comes to email security. This is even the case within sectors and/or countries where email security is regulated to some degree.

For example, Europe’s GDPR doesn’t explicitly state that these protocols should be in place, but it does state that organizations must implement strict standards to help safeguard data. This perhaps explains why the likes of the Netherlands, Denmark, and Norway appear at the top of our rankings. But this doesn’t extend across all EU-regulated countries, with France, Germany, and Spain scoring far lower.

Equally, certain sectors within specific countries face heavier regulation. For example, in the US, the Department of Homeland Security (DHS) mandates that DMARC should be in use on all government agency email domains. And, in the UK, the Government Digital Service (GDS) requires DMARC across governmental domains, and with p=reject (hard fail)

If we look at our findings, 12 government entities in the US and three UK government agencies don’t employ DMARC (some of these are mentioned above).

As spam email campaigns continue to involve and utilize the likes of Google and the New York Times to induce a sense of trust, meeting basic email security standards has never been more crucial. Increased regulation may help spur organizations into action, but companies shouldn’t be waiting around to be told to safeguard their domains, particularly with what many would call standard protocols.

Methodology, limitations & sources

Domain selection

The list of companies (and their subsequent domains) were derived from industry lists of key/top companies within each sector. For example, the ICMF’s list of the world’s largest mutual and cooperative insurers was used for the insurance sector.

Any domains that weren’t available, e.g. those presenting a 404 error, were removed.

A full list of sources is detailed below.

DNS audit

We then resolved live DNS records for each domain. We queried TXT records at the apex for any SPF record, the qualifier on the trailing -all/~all/?all/+all mechanism, and the policy on any DMARC record at _dmarc.<domain>. We additionally tested for an MTA-STS policy files and DKIM records.

Scoring

Each domain was scored on an 8-point scale (SPF presence, SPF strict-fail qualifier, DMARC presence, DMARC enforcement, DMARC reporting destination, DKIM presence, MTA-STS publication, MTA-STS enforce mode).

Limitations

This audit checks the public, observable email-authentication posture of each domain at its apex. It does not assess subdomain posture (many large organizations enforce DMARC on a customer-facing subdomain while running monitor mode on the apex), internal mail-server configuration, anti-phishing tooling deployed by the organization’s mail provider, customer-side filtering, or human-targeted brand-protection programs.

Sources

https://www.icmif.org/wp-content/uploads/2024/05/ICMIF-Global-500-2024.pdf

https://companiesmarketcap.com

https://brandirectory.com/reports/banking

https://www.deloitte.com/content/dam/assets-shared/docs/industries/consumer/2025/deloitte-global-powers-of-retailing-2025.pdf

https://disfold.com/sector/healthcare/companies/

https://www.scimagoir.com/rankings.php

Data researcher: Mantas Sasnauskas