Charity email security in 2026: stuck at the starting line
UK charities are the sector most likely to set up DMARC and then stall at p=none - leaving 25-29% spoofable despite having 'done it'. The findings and the fix.
Charities are the UK sector most likely to set up DMARC - and then stop. In our 2026 survey, charities had the weakest DMARC enforcement of any sector: most of those exposed have published a DMARC record but left it at p=none, which monitors but blocks nothing. The result: a quarter of the UK's largest charities (25%) can still be impersonated by email, rising to 29% among mid-size and specialist charities.
This is a point-in-time, DNS-only survey of 41 UK charities; everything measured is public. It is the charity cut of our wider UK Email Impersonation Report 2026. Methodology is at the end.
The numbers
"Spoofable" = no DMARC record, or DMARC published at p=none.
| Charity group | Sample | Spoofable | Stuck at p=none | No DMARC at all | At enforcement |
|---|---|---|---|---|---|
| Largest / household-name | 20 | 25% | 20% | 5% | 75% |
| Mid-size & specialist | 21 | 29% | 14% | 14% | 71% |
Stuck at the starting line
The defining charity pattern is not an absence of effort - it is an unfinished one. Most exposed charities have a DMARC record; they have simply left it at p=none. At p=none, receiving mail servers are told to take no action on messages that fail authentication, so a forged email still lands in the inbox. It is protection on paper, not in practice.
Why so many stall: charities rarely have in-house email-security staff, and moving from p=none to enforcement feels risky without aggregate reports to show which legitimate senders might be blocked. Those reports are exactly what unblocks the final step - see getting to p=reject safely. The smaller-charity picture is slightly different: they are more likely to have no DMARC record at all (14%, versus 5% of the big names).
Why charities are a target
Charities run on trust and on email: donation appeals, supporter updates, grant and supplier correspondence. That makes a charity's name valuable to impersonate - for fake appeals, donor-data phishing and invoice fraud. The Charity Commission, in guidance refreshed with the NCSC, has urged charities to protect themselves against cybercrime and fraud, and reported hundreds of fraud cases across the sector in a single year. Trustees carry a duty to safeguard the charity's resources - and its identity is one of them.
What charities should do
- Check where you stand - SealedMail's free health check scores your SPF, DKIM, DMARC, MTA-STS, TLS-RPT and BIMI in minutes, no sign-up.
- Get aggregate reporting so you can safely move past p=none - especially if you relied on the retired NCSC Mail Check (migration guide).
- Finish the job: progress p=none → quarantine → reject. See how SealedMail helps charities and our email security for charities guide.
Methodology
We checked 41 UK charities in June 2026 - 20 of the largest, household-name organisations and 21 mid-size or specialist charities - using public DNS lookups only (DMARC, SPF, MTA-STS, BIMI). Domains that did not resolve were excluded. "Spoofable" means no DMARC record or a policy of p=none; "at enforcement" means p=quarantine or p=reject. This is a point-in-time snapshot of recognisable charities; the very smallest are likely more exposed still. We have not named individual organisations. Full cross-sector data is in the UK Email Impersonation Report 2026.
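The classification rule above, applied to TXT records already fetched from `_dmarc.<domain>`, as an added sketch (not SealedMail's survey code). The domains and records are constructed placeholders, the function names are hypothetical, and the handling of duplicate records and of a missing `p` tag follows RFC 7489 rather than anything stated in this report.

```python
from collections import Counter

def parse_tags(record):
    """Split 'k=v; k=v' into ordered (key, value) pairs with lower-cased keys."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def classify(txt_records):
    """Map the TXT strings published at _dmarc.<domain> to a survey category."""
    parsed = [parse_tags(r) for r in txt_records]
    # A DMARC record must start with v=DMARC1; other TXT strings are ignored.
    dmarc = [dict(p) for p in parsed if p and p[0] == ("v", "DMARC1")]
    if len(dmarc) != 1:
        return "no_dmarc"  # nothing published, or ambiguous duplicates (RFC 7489)
    policy = dmarc[0].get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return "enforcing"
    # Missing or invalid p with a rua tag is treated by receivers as p=none.
    if policy == "none" or dmarc[0].get("rua"):
        return "p_none"
    return "no_dmarc"

def tally(sample):
    """Percentages in the shape of the table's columns."""
    counts = Counter(classify(records) for records in sample.values())
    total = len(sample) or 1
    pct = lambda n: round(100 * n / total)
    return {"spoofable": pct(counts["p_none"] + counts["no_dmarc"]),
            "stuck_at_p_none": pct(counts["p_none"]),
            "no_dmarc": pct(counts["no_dmarc"]),
            "at_enforcement": pct(counts["enforcing"])}

# Constructed sample: placeholder domains and records, not survey data.
SAMPLE = {
    "charity-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@charity-a.example"],
    "charity-b.example": ["v=DMARC1; p=none"],
    "charity-c.example": ["v=spf1 include:_spf.example.net -all"],  # SPF text, no DMARC
    "charity-d.example": [],
    "charity-e.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],  # two records
    "charity-f.example": ["v=DMARC1; p=Quarantine; pct=100"],
}

if __name__ == "__main__":
    for domain, records in SAMPLE.items():
        print(f"{domain:20} {classify(records)}")
    print(tally(SAMPLE))
```

A domain that publishes two DMARC records lands in the "no DMARC" column even if one of them says `p=reject`, which is worth checking for before assuming a policy is in force.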