United Kingdom DMARC & MTA-STS Adoption Report 2026

We at PowerDMARC analyzed the email authentication posture across 875 UK-based domains. The findings suggest a nation in a state of “partial readiness,” a precarious position given that the UK National Cyber Security Centre (NCSC) is officially retiring its Mail Check and Web Check services by March 31, 2026.

This marks a seismic shift in the UK’s cyber landscape. For years, organizations have relied on these centralized tools for monitoring. Now, the NCSC is shifting full responsibility for DMARC implementation and enforcement directly to individual organizations. With the safety net of Mail Check disappearing, the gap between having a record and actually enforcing it is no longer just a technical oversight; it is a compliance and security emergency.

For a deeper dive into how your organization can navigate this transition and maintain visibility, read our guide: NCSC Mail Check Changes For The UK Public Sector.

The following analysis reveals a landscape where organizations have checked the “authentication” box (SPF) but have largely ignored the “encryption” (MTA-STS) and “integrity” (DNSSEC) layers.

The UK’s National Snapshot: A Tale of Two Defenses

Before diving into the specific sectors, here is the overall security posture for the United Kingdom across all 875 domains analyzed.

UK SPF

SPF Correctness – 93.7%

UK DMARC

DMARC Adoption – 86.4%

DMARC p=reject – 44.1%

UK MTA-STS

MTA-STS Adoption – 20.6%

No MTA-STS – 79.4%

MTA-STS Testing – 4.5%

MTA-STS Enforce – 16.1%

DNSSEC Adoption – 3.8%

1. Banking & Finance: The Secure Perimeter with Open Tunnels

UK banks lead the nation in enforcement, yet a critical transport gap leaves trillions in wire transfers vulnerable to interception.

Metric | Adoption Rate
SPF Correctness | 93.5%
DMARC p=reject | 61.3%
No DMARC Record | 0.0%
MTA-STS Adoption | 4.8%
DNSSEC Adoption | 11.3%

The Critical Risk: Interception of High-Value Transactions.

While UK banks have the highest enforcement rate (61.3%), the 95.2% gap in MTA-STS is catastrophic: only 1.6% of domains are in testing mode and 3.2% in enforce mode. Without enforced transport security, STARTTLS remains opportunistic, so sensitive SWIFT confirmation emails can be pushed onto unencrypted paths. Recent data shows payment fraud and scams stole over £629.3 million in the first half of 2025 alone, often initiated by manipulated email communications.

The PowerDMARC Fix:

With Hosted MTA-STS, we force all financial email transit into encrypted TLS 1.2+ channels, materially reducing the risk of “Downgrade Attacks” where criminals strip away encryption to read sensitive bank-client communications in transit.

2. Government: Leading by Mandate, Failing by Identity Oversight

The UK public sector shows the nation’s highest encryption rates, yet 1 in 8 departments still lacks a foundational DMARC record.

Metric | Adoption Rate
SPF Correctness | 94.8%
DMARC p=reject | 57.1%
No DMARC Record | 12.2%
MTA-STS Adoption | 39.9%
DNSSEC Adoption | 2.6%

The Critical Risk: Citizen Impersonation & PII Leaks.

Government domains are the clear leaders in MTA-STS adoption (39.9%), driven by NCSC mandates; 7.6% are in testing mode, and 32.4% in enforce mode. However, with 12.2% lacking any DMARC record, and another 42.9% failing to reach p=reject, the identity layer remains porous. The 2024 Ministry of Defence data breach, which compromised the payroll data of 272,000 personnel, highlights how vulnerable public sector infrastructure can be to identity-based exploitation.

The PowerDMARC Fix:

Our platform automates the journey to p=reject for government subdomains, ensuring they meet the highest security baselines without the risk of breaking critical citizen communication flows.

3. Healthcare: HIPAA-Level Risks on UK Soil

Patient trust is at stake, as only 1 in 3 healthcare providers can actively stop a spoofed email from reaching a patient.

Metric | Adoption Rate
SPF Correctness | 92.5%
DMARC p=reject | 34.0%
No DMARC Record | 13.2%
MTA-STS Adoption | 9.4%
DNSSEC Adoption | 1.9%

The Critical Risk: Protected Health Information (PHI) Data Leaks.

Healthcare remains a prime target for ransomware groups like Qilin, which recently targeted the NHS and leaked 400GB of private data. With low DMARC enforcement (34.0%) and near-zero DNSSEC (1.9%), attackers can easily forge hospital credentials to deliver malware or trick staff into revealing sensitive medical records.

The PowerDMARC Fix:

We provide a managed path to full DMARC and MTA-STS enforcement, ensuring every outbound medical record is encrypted and every official health notice is verified.

4. Transport & Logistics: The Supply Chain’s Unprotected Gateway

UK transport networks are an open invitation for fraud, holding the highest “No-DMARC” rate in the country.

Metric | Adoption Rate
SPF Correctness | 91.3%
DMARC p=reject | 32.8%
No DMARC Record | 26.7%
MTA-STS Adoption | 6.2%
DNSSEC Adoption | 2.6%

The Critical Risk: Invoice Hijacking & Service Disruption.

The transport sector is critically exposed, with over 26% of domains lacking DMARC entirely. The 2024 cyber attack on Transport for London (TfL), which compromised the financial data of 5,000 customers, proves that transit systems are high-value targets. Attackers use spoofed “Critical Equipment Alerts” or fake manifests to bridge the gap between the corporate inbox and physical logistics.

The PowerDMARC Fix:

We optimize complex SPF records to stay within DNS lookup limits and enforce strict DMARC policies to secure logistics channels against invoice fraud.

5. Education: The Intellectual Property Harvesting Field

Academic campuses are high-value targets for IP theft, yet they maintain the lowest enforcement rates in the UK.

Metric | Adoption Rate
SPF Correctness | 94.6%
DMARC p=reject | 23.9%
No DMARC Record | 4.3%
MTA-STS Adoption | 17.4%
DNSSEC Adoption | 4.3%

The Critical Risk: Research & Login Harvesting.

A staggering 91% of UK higher education institutions identified a cyber breach in 2025. Low DMARC enforcement (23.9%) allows attackers to forge university logins, gaining access to multi-million-pound research databases and student financial records.

The PowerDMARC Fix:

We help universities manage thousands of departmental subdomains from one dashboard, slashing successful phishing attempts across the entire campus.

6. Media: The Disinformation Amplifier

Newsrooms fight fake news, but their own email domains remain vulnerable to spoofed bylines and deepfake distribution.

Metric | Adoption Rate
SPF Correctness | 98.4%
DMARC p=reject | 41.3%
No DMARC Record | 3.2%
MTA-STS Adoption | 1.6%
DNSSEC Adoption | 1.6%

The Critical Risk: Source Identity Theft & Deepfake Fraud.

While Media has high SPF correctness (98.4%), it has near-zero MTA-STS and DNSSEC adoption. This means journalists’ communications can be exposed to those monitoring the network, and their names can be spoofed to plant deepfake stories or trick employees into fraudulent transfers.

The PowerDMARC Fix:

We move media domains to p=reject, ensuring that only verified staff can send mail, preserving brand trust in an era of AI-driven info-wars.

7. Telecommunications: Subscriber Scam Magnet

Carriers guard their networks but leave their inboxes open, fueling billing fraud and SIM-swap epidemics.

Metric | Adoption Rate
SPF Correctness | 91.0%
DMARC p=reject | 32.8%
No DMARC Record | 11.9%
MTA-STS Adoption | 9.0%
DNSSEC Adoption | 9.0%

The Critical Risk: Billing Fraud & Account Takeovers.

High “No-DMARC” rates (11.9%) allow scammers to send fake billing alerts that look legitimate, tricking users into revealing the 2FA codes required for SIM-swapping or identity theft.

The PowerDMARC Fix:

Our platform enforces p=reject across carrier domains and hosts MTA-STS to secure automated billing flows, making it impossible for scammers to use the carrier’s own name against its subscribers.

Under the Hood: Four Structural Weaknesses

The p=none Implementation Gap

18.9% of UK domains have DMARC but lack enforcement.

Expert insight:

“A DMARC policy set to p=none only provides reporting and visibility into spoofing attempts, without blocking them. While the high adoption rate in the United Kingdom is encouraging, shifting to a DMARC policy of p=reject is necessary to actively prevent unauthorized email use.”

Maitham Al Lawati, CEO, PowerDMARC

SPF Complexity at Scale

6.3% of UK domains face critical misconfigurations, often due to the “10-lookup limit”.

Expert insight:

“The 10-lookup limit is a hard ceiling in DNS. Without SPF optimization techniques like flattening or Macros to compress these records, growing your digital stack inevitably breaks your email deliverability.”

Yunes Tarada, Service Delivery Manager, PowerDMARC

MTA-STS: The Encryption Deficit

79.4% of UK domains have a total control gap regarding transport security.

Expert insight:

“Standard email encryption (STARTTLS) is opportunistic. MTA-STS is a way to enforce the transport lock. With nearly all UK traffic exposed, it’s trivial for an attacker to strip away encryption and read sensitive corporate communications in transit.”

Ayan Bhuiya, Operations & Delivery Shift Lead, PowerDMARC

DNSSEC: The Weak Foundation

Enabled on just 3.8% of UK domains.

Expert insight:

“DNSSEC acts as the guardian of your digital identity. It’s no longer just an IT protocol; it’s a fundamental layer of brand reputation management. A single DNS hijacking incident can shatter brand trust in seconds.”

Ahona Rudra, Marketing Manager, PowerDMARC
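
The “10-lookup limit” named under SPF Complexity at Scale can be checked by walking a record's include chain and counting every term that triggers a DNS query. The following is an added example, not PowerDMARC's code; the zone data and domain names are constructed, and SPF macros are not expanded.

```python
import re

# Constructed sample zone standing in for live TXT lookups (hypothetical names).
ZONE = {
    "example.test": "v=spf1 mx a include:_spf.mail.test include:crm.test "
                    "include:news.test include:desk.test ~all",
    "_spf.mail.test": "v=spf1 include:_a.mail.test include:_b.mail.test "
                      "include:_c.mail.test ~all",
    "_a.mail.test": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_b.mail.test": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_c.mail.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "crm.test": "v=spf1 include:_spf.crm.test mx ~all",
    "_spf.crm.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "news.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "desk.test": "v=spf1 a:out.desk.test -all",
    # Same record with the mail provider's include chain flattened to IP ranges.
    "flat.test": "v=spf1 mx a ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                 "include:crm.test include:news.test include:desk.test ~all",
}
LIMIT = 10  # RFC 7208 section 4.6.4
# Terms that trigger a DNS query; ip4, ip6 and all do not.
MECH = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?:[:/](.*))?$", re.I)
REDIRECT = re.compile(r"^redirect=(.+)$", re.I)

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from domain's SPF record."""
    if domain in path:
        raise ValueError(f"SPF include loop via {domain}")
    total = 0
    for term in zone.get(domain, "").split()[1:]:   # skip "v=spf1"
        mech, redir = MECH.match(term), REDIRECT.match(term)
        if mech:
            total += 1
            if mech.group(1).lower() == "include" and mech.group(2):
                total += count_lookups(mech.group(2), zone, path + (domain,))
        elif redir:
            total += 1 + count_lookups(redir.group(1), zone, path + (domain,))
    return total

def spf_status(domain, zone):
    """Return (lookups, result); exceeding the limit is a permerror."""
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LIMIT else "ok")
```

In this constructed zone the original record needs 12 lookups and fails with permerror, while the flattened variant needs 8.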

Global Benchmarking: U.K. in Context

This table compares critical security protocols: SPF Correctness (valid records), DMARC Enforcement (p=reject), MTA-STS Adoption (transport encryption), and DNSSEC Enabled.

Country | SPF Correct | DMARC (p=reject) | MTA-STS | DNSSEC
United States 🇺🇸 | 95.7% | 49.0% | 1.7% | 18.0%
Australia 🇦🇺 | 92.3% | 46.7% | 5.8% | 6.8%
United Kingdom 🇬🇧 | 93.7% | 44.1% | 20.6% | 3.8%
Norway 🇳🇴 | 85.2% | 29.0% | 2.8% | 45.6%
Italy 🇮🇹 | 91.0% | 16.7% | 1.0% | 3.5%
Saudi Arabia 🇸🇦 | 80.6% | 18.4% | 0.2% | 11.9%
Japan 🇯🇵 | 95.0% | 9.2% | 0.5% | 16.4%
Nigeria 🇳🇬 | 70.3% | 14.2% | 0.0% | 8.2%

Key Insights from the Official Reports

The Enforcement Gap

While SPF adoption is universally high (averaging above 90% in developed nations), the shift from “monitoring” (p=none) to “enforcement” (p=reject) remains the biggest hurdle. Japan, for instance, has a high SPF correctness rate (95%) but suffers from a massive enforcement gap, with only 9.2% of domains actively blocking spoofed emails.

UK’s Standout MTA-STS

The United Kingdom shows an unusually high MTA-STS adoption rate (20.6%) compared to the global average (typically <2%). This is largely attributed to strict NCSC (National Cyber Security Centre) guidelines that have pushed for transport-layer security across government and critical infrastructure sectors.

DNSSEC Adoption

Norway and the United States lead in DNSSEC adoption, particularly within government and financial sectors, reflecting a higher priority on preventing DNS hijacking and cache poisoning attacks in those regions.

The “Compliance Trap”

PowerDMARC highlights that many organizations remain at p=none indefinitely. In the Saudi Arabia 2025 report, for example, numerous organizations with DMARC are still in “passive” mode, leaving them vulnerable to impersonation despite having a record.
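
The buckets this report counts (no DMARC record, p=none, p=reject, MTA-STS testing and enforce) can be derived from a domain's published records. The following is an added example, not PowerDMARC's code or survey methodology; the domains and records are constructed, and the "partial" and "invalid" labels are assumptions for policies short of full p=reject.

```python
def parse_tags(text, sep=";", kv="="):
    """Split 'k=v; k=v' (or 'k: v' lines) into a dict with lowercase keys."""
    tags = {}
    for part in text.split(sep):
        key, found, value = part.partition(kv)
        if found:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_posture(txt_records):
    """Classify the TXT strings published at _dmarc.<domain>."""
    found = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(found) != 1:          # RFC 7489: none or several records, no policy
        return "no-dmarc"
    tags = parse_tags(found[0])
    policy, pct = tags.get("p", "").lower(), tags.get("pct", "100")
    if policy == "none":
        return "monitoring"      # reports only, spoofed mail is still delivered
    if policy not in ("quarantine", "reject"):
        return "invalid"
    full = pct.isdigit() and int(pct) == 100
    return "reject" if policy == "reject" and full else "partial"

def mta_sts_posture(txt_records, policy_text):
    """Classify from the _mta-sts TXT strings and the fetched policy file body."""
    announced = any(t.get("v") == "STSv1" and t.get("id")
                    for t in map(parse_tags, txt_records))
    fields = parse_tags(policy_text or "", sep="\n", kv=":")
    if not announced or fields.get("version") != "STSv1" or not fields.get("mx"):
        return "none"
    mode = fields.get("mode", "")
    return mode if mode in ("testing", "enforce") else "none"

# Constructed sample inputs (hypothetical domains, not survey data).
SAMPLES = {
    "a.example": (["v=DMARC1; p=none; rua=mailto:dmarc@a.example"], [], None),
    "b.example": (["v=DMARC1; p=reject; pct=25"], ["v=STSv1; id=20260101T000000"],
                  "version: STSv1\r\nmode: testing\r\nmx: mx.b.example\r\nmax_age: 86400\r\n"),
    "c.example": (["v=DMARC1; p=reject; sp=reject"], ["v=STSv1; id=20260102T000000"],
                  "version: STSv1\r\nmode: enforce\r\nmx: mx.c.example\r\nmax_age: 604800\r\n"),
    "d.example": (["v=spf1 -all"], [], None),
}

def survey(samples):
    """Map each domain to its (DMARC, MTA-STS) bucket."""
    return {d: (dmarc_posture(dm), mta_sts_posture(sts, pol))
            for d, (dm, sts, pol) in samples.items()}
```

Only c.example lands in the fully enforced bucket on both layers; b.example publishes p=reject but applies it to a quarter of failing mail, so it is not counted as full enforcement here.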

Conclusion: From Metrics to Action

The data is clear: the United Kingdom has established a strong technical foundation, but it has yet to fully bridge the gap between passive monitoring and active transport enforcement. While SPF is nearly ubiquitous (93.7%) and DMARC adoption is high (86.4%), the failure of more than half the nation to reach full enforcement (p=reject) and the widespread lack of DNSSEC integrity (96.2% gap) remain a billion-pound vulnerability.

UK organizations cannot afford to wait for the next NCSC warning or a catastrophic Business Email Compromise (BEC) incident to move from monitoring to protection. PowerDMARC bridges this “Implementation Gap” by providing:

Automated Enforcement Paths: Safely migrating FTSE 100 companies and SMEs alike from p=none to p=reject without blocking critical business communications or departmental mail flow.

Infrastructure Simplification: Overcoming the “10-lookup limit” with SPF optimization, hosting MTA-STS to close the 79.4% encryption gap, and validating DNSSEC records in a single, cloud-native dashboard.

Regulatory Readiness: Supporting compliance with GDPR, UK Cyber Essentials, and PCI-DSS 4.0 by simplifying anti-phishing protection and securing sensitive email communications.

PowerDMARC Perspective

“The UK is currently a primary target for AI-driven phishing and invoice fraud. While British IT teams are excellent at publishing foundational records, they are often paralyzed by the fear of blocking legitimate mail. In 2026, a ‘monitoring-only’ posture is essentially a surrender to sophisticated spoofing. The move to active defense isn’t just a security upgrade; it is essential for protection against breaches that target the heart of the UK’s digital economy.”

PowerDMARC Team

Turn Visibility into Defense Today

UK adoption rates show that the foundation is ready; now it’s time to flip the switch. In a landscape where AI can spoof an executive’s tone perfectly, relying on “visibility” alone is not enough.

Don’t let your domain remain an “Unprotected Frontier.” Move from passive monitoring to active protection before the next wave of coordinated attacks hits your industry.

Contact PowerDMARC to start your journey to enforcement.