NHS and healthcare email security in 2026
Healthcare is the UK's most impersonable sector - and NHS trusts are more exposed than private hospitals. 52% of NHS trust domains can be spoofed. What it means and what to do.
Healthcare was the most impersonable sector in our 2026 survey of UK organisations - and the most exposed part of it is the NHS itself. Of 21 NHS trust and body domains we checked, 52% could be spoofed by email and 38% had no DMARC record at all. Private and independent healthcare was markedly better protected, at 22% spoofable.
This is a point-in-time, DNS-only survey; everything measured is public and no systems were accessed. It is the healthcare cut of our wider UK Email Impersonation Report 2026. Methodology is at the end.
NHS trusts vs private healthcare
The headline that surprised us: the NHS, not the private sector, is where the exposure concentrates.
"Spoofable" = no DMARC record, or DMARC published at p=none (monitor-only, blocks nothing).
| Segment | Sample | Spoofable | No DMARC at all | At enforcement | MTA-STS |
|---|---|---|---|---|---|
| NHS trusts & bodies | 21 | 52% | 38% | 48% | 14% |
| Private & independent care | 18 | 22% | 6% | 78% | 17% |
| All healthcare | 40 | 38% | 22% | 62% | 15% |
The important nuance: NHSmail is not the problem
NHS staff email runs on NHSmail (the @nhs.net system), which is centrally managed and applies email authentication, including DMARC, by default. That is not where the gap is.
The gap we measured is in trusts' own domains - the .nhs.uk addresses on their websites, local services, departmental mailboxes and supplier correspondence. Those domains are each organisation's own responsibility, and they are exactly what an attacker spoofs to phish patients, staff or suppliers in a trust's name. A patient has no way to tell a genuine message from one forged on an unprotected trust domain.
What the DSPT actually expects
This is not optional good practice. The NHS Data Security and Protection Toolkit names SPF, DKIM and DMARC directly in its assessment guidance (Standard 6, assertions 6.2.8-6.2.9): the records "should be implemented" and DMARC "enforced on all inbound email". NHSmail provides this by default, and NHSmail-only organisations are not required to monitor it - but the moment you send from your own domain, that domain is yours to get right. We cover what that means for GP surgeries, dental practices and care providers in DMARC and the NHS DSPT.
Why it matters in healthcare specifically
Healthcare is a high-trust, high-target sector. A spoofed message from a hospital, GP practice or care provider can move money (invoice and mandate fraud), harvest credentials, or push malware - and it trades on the one thing healthcare cannot afford to lose: patient trust. Of all the sectors we surveyed, it is both the most likely to be impersonated and the least protected.
What healthcare organisations should do
- Check your own domain - not just NHSmail. SealedMail's free health check scores your SPF, DKIM, DMARC, MTA-STS, TLS-RPT and BIMI in minutes, no sign-up.
- Get aggregate reporting in place so you can see who is sending in your name - especially if you relied on the retired NCSC Mail Check (migration guide).
- Move to enforcement - use the reports to fix legitimate senders, then progress p=none→quarantine→reject. See how SealedMail helps healthcare teams.
Methodology
We checked 40 UK healthcare domains in June 2026 - 21 NHS trusts and national bodies (.nhs.uk) and 19 private or independent providers - using public DNS lookups only (DMARC, SPF, MTA-STS, BIMI). One domain did not resolve and was excluded. "Spoofable" means no DMARC record or a policy of p=none; "at enforcement" means p=quarantine or p=reject. This is a point-in-time snapshot of recognisable organisations; smaller practices are likely more exposed, not less. We have not named individual organisations. Full cross-sector data is in the UK Email Impersonation Report 2026.
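To make the classification above concrete, here is an added Python example (not the report's own tooling) that maps a domain's _dmarc TXT value onto the same three categories, run over constructed sample records for placeholder domains rather than live DNS lookups. Like the survey it looks only at p= (a missing or invalid p tag is handled as RFC 7489 receivers do) and ignores pct=.

```python
import re
# Constructed sample _dmarc TXT values for placeholder domains (not live
# lookups); None models a domain with no _dmarc record at all.
SAMPLE_DMARC = {
    "trust-a.example": None,
    "trust-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@trust-b.example",
    "trust-c.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:r@trust-c.example",
    "care-d.example": "v=DMARC1; p=reject; sp=none",
    "care-e.example": "v=spf1 include:_spf.example -all",  # SPF text at _dmarc: invalid
    "care-f.example": "v=DMARC1; rua=mailto:r@care-f.example",  # p tag missing
}

def parse_dmarc(record):
    """Return the tag dict of a DMARC record, or None if it is not one."""
    # RFC 7489 requires v=DMARC1 as the first tag; anything else is not DMARC.
    if not record or not re.match(r"^\s*v\s*=\s*DMARC1\s*(;|$)", record, re.I):
        return None
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(record):
    """Map a _dmarc TXT value to the report's categories."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no DMARC"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 6.6.3: no valid p tag but a rua URI is treated as p=none;
        # with neither, receivers discard the record, so count it as absent.
        if not tags.get("rua", "").lower().startswith("mailto:"):
            return "no DMARC"
        policy = "none"
    return "p=none" if policy == "none" else "at enforcement"

def summarise(records):
    """Counts in the same shape as the table above: spoofable = no DMARC + p=none."""
    total = len(records)
    cats = [classify(r) for r in records.values()]
    enforced = cats.count("at enforcement")
    pct = lambda n: round(100 * n / total)
    return {"sample": total, "spoofable_pct": pct(total - enforced),
            "no_dmarc_pct": pct(cats.count("no DMARC")), "enforcement_pct": pct(enforced)}

for domain, rec in SAMPLE_DMARC.items():
    print(f"{domain:16} {classify(rec)}")
print(summarise(SAMPLE_DMARC))
```

Swapping the sample dict for real TXT lookups of `_dmarc.<domain>` reproduces the survey's DMARC columns; MTA-STS presence is a separate `_mta-sts.<domain>` TXT check not shown here.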