Accountancy email security in 2026: nearly there, not quite
Every UK accountancy firm we checked has a DMARC record - the best adoption of any sector - but 1 in 8 left it switched off at p=none, and are spoofable as a result.
Accountancy had the best DMARC adoption of any sector in our 2026 survey: every firm we checked has published a DMARC record. The catch is that 1 in 8 (13%) left it at p=none - set up, but never switched on - which is why they can still be spoofed despite having done the hard part.
This is a point-in-time, DNS-only survey; everything measured is public. It is the accountancy-firm cut of our wider UK Email Impersonation Report 2026. Methodology is at the end.
How accountancy firms compare
"Spoofable" = no DMARC record, or DMARC at p=none (monitor-only, blocks nothing).
The good news
100% of the accountancy firms we checked publish a DMARC record - the strongest adoption of any sector, and 87% have it at enforcement.
The gap that remains
The gap is the last step: 13% left DMARC at p=none, which monitors and blocks nothing. These firms look protected but are not - a forged email still reaches the inbox.
Why it matters for accountancy firms
HMRC has warned that agent accounts and credentials are a target for fraudsters, and ICAEW's cyber-security guidance recommends email and phishing protection alongside Cyber Essentials. A spoofed message from a trusted firm - about a tax payment or client account - is a direct route to fraud. See DMARC for accountants.
What accountancy firms should do
- Check where you stand - SealedMail's free health check scores your SPF, DKIM, DMARC, MTA-STS, TLS-RPT and BIMI in minutes, no sign-up.
- Get aggregate reporting so you can see who is sending in your name - especially if you relied on the retired NCSC Mail Check (migration guide).
- Switch it on: move from p=none to enforcement (the reports show you it is safe to do so). See how SealedMail helps accountancy firms.
Methodology
We checked 38 UK accountancy firm domains in June 2026 using public DNS lookups only (DMARC, SPF, MTA-STS, BIMI). Domains that did not resolve were excluded. "Spoofable" means no DMARC record or a policy of p=none; "at enforcement" means p=quarantine or p=reject. This is a snapshot of recognisable firms; smaller practices are likely more exposed. We have not named individual organisations. Full cross-sector data is in the UK Email Impersonation Report 2026.
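The classification rule from the methodology, as an added example (not the survey's own code): it parses the TXT answers for `_dmarc.<domain>` and applies the "spoofable" / "at enforcement" definitions above. The sample records and `.example` domains are constructed, and counting duplicate or malformed records as spoofable is an assumption based on RFC 7489 policy discovery, not something the report states.

```python
# Added example: classify DMARC TXT answers with the survey's definitions.
# No DNS lookups are made; SAMPLES holds constructed TXT strings.
ENFORCING = {"quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict (first occurrence wins)."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def dmarc_records(txt_records):
    """Keep only TXT strings whose first tag is exactly v=DMARC1."""
    found = []
    for rec in txt_records:
        name, _, value = rec.split(";", 1)[0].partition("=")
        if name.strip().lower() == "v" and value.strip() == "DMARC1":
            found.append(parse_tags(rec))
    return found

def classify(txt_records):
    """Return (verdict, detail) for the TXT answers at _dmarc.<domain>."""
    found = dmarc_records(txt_records)
    if not found:
        return ("spoofable", "no DMARC record")
    if len(found) > 1:
        # Assumption: RFC 7489 receivers apply no policy when several exist.
        return ("spoofable", "multiple DMARC records")
    policy = found[0].get("p", "").lower()
    if policy in ENFORCING:
        return ("at enforcement", f"p={policy}")
    if policy == "none":
        return ("spoofable", "p=none")
    return ("spoofable", "missing or invalid p tag")

SAMPLES = {  # constructed records, not survey data
    "enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
    "monitoring.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example"],
    "missing.example": ["google-site-verification=constructed"],
    "duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "mixedcase.example": ["v=DMARC1;p=Quarantine;"],
    "typo.example": ["v=DMARC1; p=rejct"],
}

if __name__ == "__main__":
    for domain, answers in SAMPLES.items():
        print(domain, *classify(answers))
```
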