Law firm email security in 2026: the 1 in 10 still exposed

UK law firms are among the best-protected sectors for email - yet 1 in 10 can still be spoofed, in the sector where email payment fraud is the single most common cyberattack.


Law firms are among the best-protected sectors in our 2026 survey of UK organisations: 90% enforce DMARC. But 1 in 10 firms can still be spoofed by email - and they sit in the worst possible sector to be exposed, because email payment fraud is the single most common cyberattack reported to the legal regulator.

This is a point-in-time, DNS-only survey; everything measured is public. It is the law firms cut of our wider UK Email Impersonation Report 2026. Methodology is at the end.

How law firms compare

Law firms (this survey): 10% spoofable
All UK sectors (average): 21% spoofable
Healthcare (most exposed): 38% spoofable

"Spoofable" = no DMARC record, or DMARC at p=none (monitor-only, blocks nothing).

The good news

Nine in ten law firms enforce DMARC (p=quarantine or p=reject), and law firms had the highest MTA-STS adoption of any sector we checked, at 18%.

The gap that remains

Even so, 18% is low - over four in five firms still do not enforce inbound encryption - and the 1 in 10 with no DMARC enforcement are exposed in a sector where impersonation directly enables conveyancing and client-account fraud.

Why it matters for law firms

The Solicitors Regulation Authority reports that email modification fraud - a criminal altering payment details mid-transaction - is the single most common cyberattack reported to it, accounting for 68% of the cybercrime reports it receives, with client-account and conveyancing money the target. The SRA's cyber-security guidance explicitly recommends DMARC. We cover the detail in DMARC for law firms.

What law firms should do

  1. Check where you stand - SealedMail's free health check scores your SPF, DKIM, DMARC, MTA-STS, TLS-RPT and BIMI in minutes, no sign-up.
  2. Get aggregate reporting so you can see who is sending in your name - especially if you relied on the retired NCSC Mail Check (migration guide).
  3. Finish the job: move any p=none domains to enforcement, and add MTA-STS to close the inbound-encryption gap. See how SealedMail helps law firms.

Methodology

We checked 40 UK law firm domains in June 2026 using public DNS lookups only (DMARC, SPF, MTA-STS, BIMI). Domains that did not resolve were excluded. "Spoofable" means no DMARC record or a policy of p=none; "at enforcement" means p=quarantine or p=reject. This is a snapshot of recognisable firms; smaller practices are likely more exposed. We have not named individual organisations. Full cross-sector data is in the UK Email Impersonation Report 2026.
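The classification above (no DMARC record or p=none counts as spoofable; p=quarantine or p=reject counts as enforcement; an MTA-STS record counts as adoption) can be reproduced from public TXT lookups. The script below is an added example written for this article, not SealedMail's own tooling; it runs against a constructed, fictional set of DNS answers, and it goes one step beyond the article's definition by also treating a quarantine/reject policy with pct=0 as spoofable, since such a record applies the policy to no mail.

```python
from typing import Callable, Dict, List

# Constructed sample DNS answers standing in for public TXT lookups (fictional domains, not real firms).
SAMPLE_DNS: Dict[str, List[str]] = {
    "_dmarc.firm-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@firm-a.example"],
    "_mta-sts.firm-a.example": ["v=STSv1; id=20260601"],
    "_dmarc.firm-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@firm-b.example"],
    "_dmarc.firm-c.example": ["v=DMARC1; p=quarantine; pct=0"],
    # firm-d.example publishes nothing under _dmarc or _mta-sts
}

def sample_lookup(name: str) -> List[str]:
    """Offline stand-in for a TXT lookup; returns an empty list when nothing is published."""
    return SAMPLE_DNS.get(name, [])

def parse_tags(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a lowercase tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(domain: str, lookup: Callable[[str], List[str]]) -> Dict[str, object]:
    """Apply the article's spoofable / enforced rule to one domain, plus the pct=0 check."""
    dmarc = [r for r in lookup(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        status = "spoofable (no DMARC record)"
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "none").lower()
        pct_raw = tags.get("pct", "100")
        pct = int(pct_raw) if pct_raw.isdigit() else 100
        if policy in ("quarantine", "reject") and pct > 0:
            status = f"enforced (p={policy}, pct={pct})"
        else:
            status = f"spoofable (p={policy}, pct={pct})"
    mta_sts = any(r.lower().startswith("v=stsv1") for r in lookup(f"_mta-sts.{domain}"))
    return {"domain": domain, "status": status,
            "spoofable": status.startswith("spoofable"), "mta_sts": mta_sts}

def survey(domains: List[str], lookup: Callable[[str], List[str]]) -> Dict[str, object]:
    """Classify every domain and compute the two headline percentages used in the article."""
    results = [classify(d, lookup) for d in domains]
    n = len(results)
    return {"results": results,
            "spoofable_pct": round(100 * sum(r["spoofable"] for r in results) / n),
            "mta_sts_pct": round(100 * sum(r["mta_sts"] for r in results) / n)}

if __name__ == "__main__":
    s = survey(["firm-a.example", "firm-b.example", "firm-c.example", "firm-d.example"], sample_lookup)
    for r in s["results"]:
        print(f'{r["domain"]:16} {r["status"]:34} MTA-STS: {"yes" if r["mta_sts"] else "no"}')
    print(f'spoofable: {s["spoofable_pct"]}%  MTA-STS adoption: {s["mta_sts_pct"]}%')
```

For a live check of your own domains, pass a lookup that wraps a real resolver (for example dnspython's `dns.resolver.resolve(name, "TXT")`, joining each answer's strings) in place of `sample_lookup`.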

Shaun Cooke

Founder of SealedMail and a UK email-security specialist in DMARC, SPF, DKIM and email authentication for regulated sectors. He personally reads the DMARC and TLS reports behind every SealedMail account and writes the company's plain-English guides.