Cyber insurance and email security: what underwriters look for

Somewhere on your next cyber insurance proposal is a question about email authentication. Here is why underwriters ask, what DMARC, SPF and DKIM signal about your risk, and how to turn a vague tick-box into documented evidence at renewal.


Cyber insurance has grown up. A few years ago a proposal form asked little more than your turnover and whether you used antivirus; today’s questionnaires run to pages of specific technical controls - and somewhere among the questions about multi-factor authentication and backups sits a line that stops many business owners cold: “Does the organisation enforce email authentication (SPF, DKIM, DMARC) on its domains?”

This post explains why that question is there, what your answer signals to an underwriter, and how to handle it honestly - including the awkward case where the truthful answer is “we’re not sure.”

Why insurers care about email specifically

Underwriters price risk from claims data, and the claims data points overwhelmingly at email. The frauds that generate cyber claims - payment diversion, invoice fraud, executive impersonation, the family covered in Business email compromise: what UK firms need to know - begin with an email far more often than with any exotic technical attack. The average cost of a UK data breach reached £3.4m (IBM Cost of a Data Breach Report, 2024); for the small-business claims insurers actually pay, the typical story is smaller but identical in shape: a convincing email, a payment, a claim.

So the questionnaire asks about the controls that change that story. Multi-factor authentication addresses mailbox takeover. Email authentication - SPF, DKIM and DMARC - addresses the other entry point: criminals sending mail as the business without touching its systems at all.

What your answers mean to an underwriter

Reading the form from the underwriter’s side of the desk:

“DMARC at p=reject, monitored” says: this business has closed the free attack (exact-domain spoofing), can see attempts against its name, and - because reaching enforcement safely requires weeks of disciplined report-reading - demonstrably follows through on security work. That last inference matters as much as the control itself; questionnaires are partly a proxy for organisational seriousness.

“DMARC at p=none” says: a record exists and blocks nothing. Underwriters increasingly know the difference - the questions have grown more precise for exactly this reason, with forms now asking for the policy level, not just “do you have DMARC?”. (If yours is at none, Why p=none is not protecting you is the explainer, and Getting to DMARC p=reject is the route out.)

“No” or “don’t know” says: the cheapest, most common impersonation attack is open against this business’s clients and suppliers. Depending on insurer and sector, the consequence ranges from a higher premium to an exclusion to a declined risk.

A word of caution that should not need saying but does: answer accurately. A proposal form is the basis of the contract, and an answer that overstates your controls - ticking “yes” to enforced DMARC when the domain sits at p=none - is precisely the sort of discrepancy that surfaces during claims investigation, when it can do the most damage. If you do not know your domain’s actual state, find out before signing; it takes two minutes (see below).
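The three answers above map directly onto what the published DMARC record says. The following is an added example, not SealedMail’s code, showing how to read a record the way the form does: the sample records are constructed, and a real one is the TXT value at `_dmarc.<your-domain>`.

```python
# Added example (not SealedMail's code): classify a DMARC TXT record the way
# an underwriter reads the questionnaire. Sample records below are constructed.

SAMPLE_RECORDS = {  # constructed, one per posture discussed in the post
    "enforced_monitored": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "none": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "malformed": "v=DMARC1 p=reject",  # no ';' so the p tag is never parsed
}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(record):
    """Policy level, whether it really enforces, whether anyone is watching
    (rua present), plus plain-English caveats for the insurance file."""
    tags = parse_dmarc(record or "")
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or policy not in (
            "none", "quarantine", "reject"):
        return {"policy": None, "enforced": False, "monitored": False,
                "notes": ["No valid DMARC record: receivers apply no policy."]}
    # pct defaults to 100; anything lower applies the policy to a sample only.
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    monitored = "rua" in tags
    notes = []
    if policy == "none":
        notes.append("p=none blocks nothing; do not tick 'enforced'.")
    elif pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail gets the policy.")
    if not monitored:
        notes.append("No rua address: failures are never reported to anyone.")
    return {"policy": policy, "enforced": policy != "none" and pct == 100,
            "monitored": monitored, "notes": notes}

def questionnaire_answer(record):
    """The honest one-line answer for the proposal form."""
    r = assess(record)
    if r["policy"] is None:
        return "No - no valid DMARC record"
    if not r["enforced"]:
        return f"No - p={r['policy']} is not full enforcement"
    return f"Yes - enforced at p={r['policy']}, " + (
        "monitored" if r["monitored"] else "unmonitored")
```

Run `questionnaire_answer` over your own record before signing; the notes list is the part worth keeping in the file.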

From tick-box to evidence: the renewal advantage

Here is the practical gap in how most businesses handle this. At proposal time, someone asks the IT supplier, receives a reassuring sentence, ticks the box - and twelve months later, at renewal, repeats the ritual with no more evidence than before. Controls drift in between: SPF records break, DKIM keys rotate, a new sending service appears unauthenticated. The tick-box stays ticked; the reality underneath moves.

A monitored DMARC setup replaces the ritual with a record. SealedMail subscribers receive a weekly plain-English report confirming the domain’s authentication posture - policy level, record health, what sent mail as the domain and whether it authenticated, anything anomalous explained. By renewal time, that is a dated, continuous file demonstrating not just that the control existed but that it was watched, all year. For the email-security section of a questionnaire, the answer changes from “yes, I believe so” to “yes - enforced at p=reject, independently monitored weekly, reports available on request.” Brokers notice the difference; some insurers’ supplementary questionnaires now ask for exactly this kind of substantiation.

The honest boundaries: SealedMail provides monitoring and evidence, not insurance advice - your broker advises on cover, and no email control prevents every claim scenario. DMARC enforcement removes exact-domain spoofing and documents your vigilance; mailbox takeover and look-alike domains remain matters for multi-factor authentication and payment-verification procedures, which belong on the same questionnaire and in the same file.

Before the form arrives

The sensible sequence is to know your position before an underwriter asks for it. SealedMail’s Free Domain Health Check establishes it in one pass: your SPF, DKIM, DMARC (including the actual policy level), MTA-STS, TLS-RPT, BIMI and blacklist status, scored and explained in plain English, delivered by email. Free, no sign-up, no sales call - and the certificate itself is a tidy artefact for the insurance file, dated and specific, whatever it finds. For the foundations behind the questions, start with What is DMARC?.

Shaun Cooke

Founder of SealedMail and a UK email-security specialist in DMARC, SPF, DKIM and email authentication for regulated sectors. He personally reads the DMARC and TLS reports behind every SealedMail account and writes the company's plain-English guides.