French banking institutions lead the country with a strict DMARC deployment rate of 63.3%. However, 100.0% of analyzed financial institutions lack functional MTA-STS records. Additionally, 7.6% of these highly targeted organizations have no DMARC record at all, while 8.9% sit at p=none and 20.2% use p=quarantine. Only 12.7% have enabled DNSSEC (leaving 87.3% disabled).
Official state domains show strong basic setup with 97.2% correct SPF parameters and 16.9% DNSSEC enablement. However, actual policy escalation is slow: only 26.8% have advanced to p=reject, while 32.4% remain at p=none, 22.5% use p=quarantine, and 17.6% lack DMARC altogether. Only 0.7% have adopted MTA-STS.
Healthcare is the absolute national sector leader in DNSSEC adoption, with 32.4% enabled. However, the industry is heavily exposed to spoofing, with 40.2% of healthcare providers lingering at passive p=none, 25.5% at p=quarantine, 12.7% lacking DMARC completely, and only 17.7% at p=reject. Only 3.9% have valid MTA-STS implementation.
Academic networks exhibit the highest national reliance on passive monitoring, with 52.4% of institutions stagnant at p=none. Coupled with only 11.1% enforcing a strict p=reject policy and 13.7% lacking DMARC entirely, academic research databases, intellectual property, and student identities remain highly exposed. Only 9.5% have enabled DNSSEC and 1.1% utilize MTA-STS.
Critical infrastructure shows solid initial baselines with 97.0% SPF alignment and 34.2% p=reject enforcement. However, with 27.4% remaining on passive p=none policies, 12.2% lacking DMARC entirely, and 96.3% completely lacking MTA-STS encryption (only 3.7% valid), energy grids and logistics communications remain vulnerable to transit interception. DNSSEC adoption stands at 27.4%.
While newsrooms lead the nation in MTA-STS deployment (5.6% valid), their overall identity defense remains low. With 38.3% of media outlets relying on passive p=none, 20.4% at p=quarantine, and 14.8% missing DMARC protection altogether, bad actors can easily forge trusted media voices. Only 14.2% have DNSSEC enabled and 26.5% enforce p=reject.
French telecom operators present a sector low in foundational configurations, with an 11.1% error rate on SPF setups and a low 8.9% DNSSEC adoption rate. Furthermore, a heavy 40.0% reliance on passive p=none monitoring, 28.9% on p=quarantine, and only 2.2% MTA-STS adoption makes major carrier domains easy targets for subscription-focused scams. Only 22.2% actively enforce p=reject.
Logistics providers showcase solid active enforcement with a 37.9% p=reject rate. However, 31.1% remain stuck at monitoring-only, 11.7% lack DMARC, and 97.2% lack MTA-STS transport-layer encryption (only 2.8% valid). DNSSEC stands at 18.6%, leaving transit channels open to interception.