Financial services email security in 2026: best-protected, but not done
UK financial services lead every sector on DMARC enforcement and verified-logo BIMI - yet only 12% enforce inbound encryption, and 1 in 10 can still be spoofed.
Financial services tied for the best DMARC enforcement of any sector in our 2026 survey (90%) and led every sector on BIMI - the verified-logo standard that requires DMARC at enforcement first. Yet 1 in 10 firms can still be spoofed, and the sector has a clear blind spot: inbound encryption.
This is a point-in-time, DNS-only survey; everything measured is public. It is the financial services cut of our wider UK Email Impersonation Report 2026. Methodology is at the end.
How financial services firms compare
"Spoofable" = no DMARC record, or DMARC at p=none (monitor-only, blocks nothing).
The good news
Financial services had the joint-highest DMARC enforcement (90%) and led every sector on BIMI adoption (40%), the verified-logo standard that puts a brand's logo in the inbox and needs DMARC at enforcement to qualify.
The gap that remains
The soft underbelly is MTA-STS: only 12% publish it, so most firms do not enforce encryption on inbound mail. And the 1 in 10 still at p=none or with no DMARC are a real exposure under the FCA's Consumer Duty, where customer-facing brand impersonation is a foreseeable harm.
Why it matters for financial services firms
The FCA does not name DMARC, but its SYSC sourcebook and the Consumer Duty expect firms to take reasonable steps against foreseeable harms - and impersonation that defrauds customers in a firm's name is exactly that. See DMARC for financial services.
What financial services firms should do
- Check where you stand - SealedMail's free health check scores your SPF, DKIM, DMARC, MTA-STS, TLS-RPT and BIMI in minutes, no sign-up.
- Get aggregate reporting so you can see who is sending in your name - especially if you relied on the retired NCSC Mail Check (migration guide).
- Close the gaps: bring the last domains to enforcement and add MTA-STS for inbound encryption. See how SealedMail helps financial services firms.
Methodology
We checked 40 UK financial services firms' domains in June 2026 using public DNS lookups only (DMARC, SPF, MTA-STS, BIMI). Domains that did not resolve were excluded. "Spoofable" means no DMARC record or a policy of p=none; "at enforcement" means p=quarantine or p=reject. This is a snapshot of recognisable firms; smaller practices are likely more exposed. We have not named individual organisations. Full cross-sector data is in the UK Email Impersonation Report 2026.
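The following script is an added example and is not SealedMail's own tooling. It applies the definitions above ("spoofable" versus "at enforcement", plus presence of an MTA-STS announcement) to a set of constructed DMARC and MTA-STS TXT records for hypothetical `*.example` domains, and produces the same kind of percentages the report uses. Like the survey, it is DNS-only: it checks the `_mta-sts` TXT record but does not fetch the HTTPS policy file, so it cannot tell whether a published policy is in `testing` or `enforce` mode.

```python
"""Classify DMARC and MTA-STS posture from DNS TXT records, per the report's definitions."""

# Constructed sample records for hypothetical domains (not survey data).
# Key: domain -> {"_dmarc": TXT or None, "_mta-sts": TXT or None}
SAMPLE_RECORDS = {
    "bank-a.example": {
        "_dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example",
        "_mta-sts": "v=STSv1; id=20260601T000000",
    },
    "bank-b.example": {
        "_dmarc": "v=DMARC1; p=none; rua=mailto:reports@bank-b.example",  # monitor-only
        "_mta-sts": None,
    },
    "bank-c.example": {"_dmarc": None, "_mta-sts": None},  # no DMARC at all
    "bank-d.example": {
        "_dmarc": "v=DMARC1; p=quarantine; pct=100; sp=none",
        "_mta-sts": None,
    },
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(record):
    """Return the domain policy ('none', 'quarantine' or 'reject'), or None if absent/invalid."""
    if not record:
        return None
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return None  # not a DMARC record; receivers ignore it, so treat as missing
    policy = tags.get("p", "").lower()
    return policy if policy in ("none", "quarantine", "reject") else None


def classify_dmarc(record):
    """'at enforcement' for p=quarantine/p=reject; otherwise 'spoofable' (missing, invalid or p=none)."""
    return "at enforcement" if dmarc_policy(record) in ("quarantine", "reject") else "spoofable"


def has_mta_sts(record):
    """True if the _mta-sts TXT record announces a policy (v=STSv1 with a policy id)."""
    if not record:
        return False
    tags = parse_tags(record)
    return tags.get("v") == "STSv1" and bool(tags.get("id"))


def assess(domain, records):
    """Assess one domain from its two TXT records."""
    return {
        "domain": domain,
        "dmarc": classify_dmarc(records.get("_dmarc")),
        "mta_sts": has_mta_sts(records.get("_mta-sts")),
    }


def summarise(all_records):
    """Aggregate per-domain results into the percentages the report quotes."""
    results = [assess(domain, recs) for domain, recs in all_records.items()]
    total = len(results)
    enforced = sum(r["dmarc"] == "at enforcement" for r in results)
    mta_sts = sum(r["mta_sts"] for r in results)
    return {
        "domains": total,
        "enforcement_pct": round(100 * enforced / total),
        "spoofable_pct": round(100 * (total - enforced) / total),
        "mta_sts_pct": round(100 * mta_sts / total),
    }


def lookup_txt(name):
    """Fetch a TXT record live with dnspython (optional dependency); returns the joined string or None."""
    try:
        import dns.resolver  # pip install dnspython
    except ImportError as exc:
        raise RuntimeError("dnspython is required for live lookups") from exc
    try:
        answer = dns.resolver.resolve(name, "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return None
    return " ".join(b"".join(r.strings).decode() for r in answer)


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(assess(domain, recs))
    print(summarise(SAMPLE_RECORDS))
```

To run the same classification against real domains, feed `lookup_txt("_dmarc." + domain)` and `lookup_txt("_mta-sts." + domain)` into `assess` in place of the constructed records. Note that `pct` below 100 and a subdomain policy (`sp=none`, as on `bank-d.example`) both weaken an otherwise enforcing record; the report's headline definition does not score them, and neither does this script.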