The UK Email Impersonation Report 2026
We checked 198 major UK organisations and found around 1 in 5 can still be spoofed by email. The sector-by-sector findings.
In June 2026 SealedMail checked the public email-authentication posture of 198 well-known UK organisations across five sectors. The finding: even among the country's largest, best-resourced names, around 1 in 5 (21%) can still be impersonated by email - they have no DMARC enforcement, so an attacker can send messages that appear to come from their exact domain. In the sectors handling the most sensitive information it is worse: 38% of healthcare organisations and 32% of charities are spoofable.
This is a point-in-time, DNS-only survey. Everything measured is public; no systems were accessed and no email was sent. Full methodology is below.
Key findings
- 21% of organisations are spoofable - 41 of 198 had either no DMARC record (7%) or DMARC left at p=none (14%), which monitors but blocks nothing.
- Having DMARC is not the same as enforcing it. 93% publish a DMARC record, but only 79% have it set to enforcement (quarantine or reject). The 14-point gap is organisations that did the setup but left the door open.
- Healthcare is the most exposed sector - 38% spoofable, and 22% have no DMARC record at all, despite handling patient data and being referenced by the NHS Data Security and Protection Toolkit.
- Charities are second - 32% spoofable, mostly stuck at p=none.
- Inbound-encryption enforcement is almost universally ignored - only 13% publish MTA-STS.
- BIMI is effectively a finance-only feature - 40% of financial firms publish it, versus 5% or fewer elsewhere.
Spoofable organisations, by sector
"Spoofable" = no DMARC record, or DMARC published at p=none. At p=none, receiving servers are told to take no action on messages that fail authentication, so impersonation still lands in inboxes.
The full picture
| Sector | n | DMARC | Enforced | Spoofable | SPF hard-fail (-all) | MTA-STS | BIMI |
|---|---|---|---|---|---|---|---|
| Law firms | 40 | 95% | 90% | 10% | 40% | 18% | 5% |
| Accountants | 38 | 100% | 87% | 13% | 58% | 11% | 3% |
| Charities | 40 | 92% | 68% | 32% | 55% | 10% | 5% |
| Financial services | 40 | 100% | 90% | 10% | 70% | 12% | 40% |
| Healthcare | 40 | 78% | 62% | 38% | 48% | 15% | 2% |
| All sectors | 198 | 93% | 79% | 21% | 54% | 13% | 11% |
What the numbers mean
Setup is not protection
Almost everyone (93%) has a DMARC record, but a record at p=none protects nobody - it only collects reports. The dangerous middle ground is the 14% who published DMARC and then never moved it to enforcement, often because, without aggregate reports, they were afraid of blocking legitimate mail. (That fear is exactly what reporting solves - see getting to p=reject safely.)
Healthcare and charities are the soft targets
The two sectors most likely to be impersonated in a fraud - a fake message from a hospital, or a donation appeal in a charity's name - are also the least protected. Healthcare's 22% "no DMARC at all" is striking given the NHS Data Security and Protection Toolkit references SPF, DKIM and DMARC directly. Charities, often running on thin IT budgets, mostly get as far as p=none and stop.
Almost nobody enforces inbound encryption
Only 13% publish MTA-STS, the record that tells sending servers to require TLS when delivering to you. It is the single most-neglected control we measured - and one that NCSC Mail Check used to report on before it was retired.
BIMI is a finance story
BIMI - the standard that puts your verified logo in the inbox - has barely been adopted outside financial services (40%), where brand trust is a competitive issue. It requires DMARC at enforcement first, which is partly why adoption tracks the sectors that already enforce.
If you are worried you might be on this list
Three steps, in order:
- Check where you stand. SealedMail's free health check audits your SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI and blacklist status and emails you a scored certificate - no sign-up.
- Get aggregate reporting in place so you can see who is sending in your name - especially if you relied on the now-retired NCSC Mail Check (migration guide).
- Move to enforcement. Use the reports to fix legitimate senders, then progress p=none → quarantine → reject.
Methodology
Sample: 198 well-known UK organisations - roughly 40 in each of five sectors (law firms, accountants, charities, financial services, healthcare), chosen as recognisable names plus a spread of mid-market and regional organisations. Conducted June 2026.
Method: public DNS lookups only. For each domain we queried the DMARC record (_dmarc), SPF (TXT), MTA-STS (_mta-sts) and BIMI (default._bimi). Domains that did not resolve were excluded. "Spoofable" means no DMARC record, or a DMARC policy of p=none. "At enforcement" means p=quarantine or p=reject. "SPF hard-fail" means an SPF record ending in -all.
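As an added example (not SealedMail's tooling), this is how the definitions above turn into a classifier and a sector roll-up. The domains and records are constructed; a real run would feed in the TXT lookups the methodology lists.

```python
"""Classify email-authentication posture from DNS TXT records, using the
report's own definitions. Added example, not SealedMail's code. Records are
constructed; a real survey would fetch them with TXT lookups of _dmarc.<domain>,
<domain>, _mta-sts.<domain> and default._bimi.<domain>."""
from typing import Dict, List, Optional


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' tag list (DMARC, MTA-STS and BIMI all use this form)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify(dmarc: Optional[str], spf: Optional[str],
             mta_sts: Optional[str], bimi: Optional[str]) -> Dict[str, bool]:
    """Apply the report's definitions to one domain (None = no such record)."""
    tags = parse_tags(dmarc) if dmarc else {}
    policy = tags.get("p", "").lower()
    # A usable DMARC record needs v=DMARC1 and a p= tag; anything else counts as "no DMARC".
    has_dmarc = tags.get("v", "").upper() == "DMARC1" and policy in ("none", "quarantine", "reject")
    return {
        "dmarc": has_dmarc,
        "enforced": has_dmarc and policy in ("quarantine", "reject"),
        "spoofable": not has_dmarc or policy == "none",   # p=none blocks nothing
        "spf_hardfail": bool(spf) and spf.strip().lower().endswith("-all"),
        # DNS record only, as in the survey; the HTTPS policy file is not fetched.
        "mta_sts": bool(mta_sts) and parse_tags(mta_sts).get("v", "").upper() == "STSV1",
        "bimi": bool(bimi) and parse_tags(bimi).get("v", "").upper() == "BIMI1",
    }


def summarise(postures: List[Dict[str, bool]]) -> Dict[str, int]:
    """Roll one sector up into the percentage columns of the report's table."""
    n = len(postures)
    return {key: round(100 * sum(p[key] for p in postures) / n) for key in postures[0]}


# Constructed four-domain "sector", one domain per posture seen in the survey.
SAMPLE = [
    ("v=DMARC1; p=reject; rua=mailto:dmarc@example.org",          # fully enforced
     "v=spf1 include:_spf.example.org -all", "v=STSv1; id=20260601",
     "v=BIMI1; l=https://example.org/logo.svg"),
    ("v=DMARC1; p=none; rua=mailto:dmarc@example.org",            # monitor only: still spoofable
     "v=spf1 include:_spf.example.org ~all", None, None),
    (None, "v=spf1 ip4:192.0.2.10 -all", None, None),             # no DMARC record at all
    ("V=DMARC1; P=Quarantine; pct=100", None, None, None),        # quarantine counts as enforced
]
SECTOR_SUMMARY = summarise([classify(*d) for d in SAMPLE])
```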
Caveats: this is a point-in-time snapshot, and the sample deliberately skews towards larger, better-resourced organisations - so the true picture across UK SMEs is very likely worse, not better. We have not named individual organisations: the aim is to show the scale of the gap, not to shame anyone. We will refresh this report annually.
Compiled by Shaun Cooke, founder of SealedMail, a UK DMARC and email-security monitoring service. Questions or want the underlying sector data? Get in touch.