United Kingdom DMARC & MTA-STS Adoption Report 2026

PowerDMARC set out to analyze where the UK stands on email authentication in 2026. The resulting report examines the adoption of DMARC, SPF, MTA-STS, and DNSSEC nationally, sector by sector, and in a global context. It covers 875 UK domains in 22 pages, with information that more than 50% of the country needs to be safe from costly and immediate security breaches.

This is increasingly relevant because the UK National Cyber Security Centre (NCSC) officially retired its Mail Check and Web Check services on March 31, 2026. Businesses and organizations are now shifting towards private tools like PowerDMARC to implement and enforce authentication protocols.

Our report reveals a nation that is only partially ready, with gaps that can be easily exploited by attackers. Organizations have checked the “authentication” box (SPF) but have largely ignored the “encryption” (MTA-STS) and “integrity” (DNSSEC) layers.

Here is a brief look at some of the findings of PowerDMARC’s United Kingdom DMARC & MTA-STS Adoption Report 2026. You can get even more in-depth information in the full report.

The UK’s National Snapshot: A Tale of Two Defenses

Let’s get an idea of how the UK fares as a whole before we move to the different industries and their analysis.

UK SPF

SPF Correctness – 93.7%

UK DMARC

DMARC Adoption – 86.4%

DMARC p=reject – 44.1%

UK MTA-STS

MTA-STS Adoption – 20.6%

No MTA-STS – 79.4%

MTA-STS Testing – 4.5%

MTA-STS Enforce – 16.1%

DNSSEC Adoption – 3.8%

1. Banking & Finance: The Secure Perimeter with Open Tunnels

The UK’s best-performing sector still leaves more than 95% of financial email transit unencrypted, just one downgrade attack away from exposing SWIFT confirmations.

Metric Adoption Rate
SPF Correctness 93.5%
DMARC p=reject 61.3%
MTA-STS Adoption 4.8%

❌ The Critical Risk: Interception of High-Value Transactions.

High enforcement does not protect UK banks during transport through unencrypted paths. Recent data shows payment fraud and scams stole over £629.3 million in the first half of 2025 alone, often initiated by manipulated email communications.

✅ The PowerDMARC Fix:

With Hosted MTA-STS, we force all financial email transit into encrypted TLS 1.2+ channels, materially reducing the risk of “Downgrade Attacks” where criminals strip away encryption to read sensitive bank-client communications in transit.

2. Government: Leading by Mandate, Failing by Identity Oversight

The government leads in MTA-STS adoption, but is that enough? More than 60% of email communication still travels unsecured.

Metric Adoption Rate
SPF Correctness 94.8%
DMARC p=reject 57.1%
MTA-STS Adoption 39.9%

❌ The Critical Risk: Citizen Impersonation & PII Leaks.

Numbers show that serious efforts, like the NCSC mandates, have pushed email authentication as a necessity, but there is still a lot that needs to be done. The 2024 Ministry of Defence data breach, which compromised the payroll data of 272,000 personnel, highlights how vulnerable public sector infrastructure remains to identity-based exploitation. 

✅ The PowerDMARC Fix:

Our platform automates the journey to p=reject for government subdomains, ensuring they meet the highest security baselines without the risk of breaking critical citizen communication flows.

3. Healthcare: HIPAA-Level Risks on UK Soil

Two-thirds of UK healthcare providers cannot stop a spoofed email, and with 13.2% having no DMARC record at all, patient data is one phishing link away from a breach.

Metric Adoption Rate
DMARC p=reject 34.0%
No DMARC Record 13.2%
MTA-STS Adoption 9.4%

❌ The Critical Risk: Protected Health Information (PHI) Data Leaks.

Healthcare remains a prime target for ransomware groups like Qilin, which recently targeted the NHS and leaked 400GB of private data. With low DMARC enforcement and near-zero DNSSEC, attackers can easily forge hospital credentials to deliver malware or access sensitive medical records.

✅ The PowerDMARC Fix:

We provide a managed path to full DMARC and MTA-STS enforcement, ensuring every outbound medical record is encrypted and every official health notice is verified.

4. Transport & Logistics: The Supply Chain’s Unprotected Gateway

UK transport networks are an open invitation for fraud, holding the highest “No-DMARC” rate in the country.

Metric Adoption Rate
DMARC p=reject 32.8%
No DMARC Record 26.7%
MTA-STS Adoption 6.2%

❌ The Critical Risk: Invoice Hijacking & Service Disruption.

The 2024 cyber attack on Transport for London (TfL), which compromised the financial data of 5,000 customers, proves that transit systems are high-value targets. Attackers use spoofed “Critical Equipment Alerts” or fake manifests to bridge the gap between the corporate inbox and physical logistics.

✅ The PowerDMARC Fix:

We optimize complex SPF records to stay within DNS lookup limits and enforce strict DMARC policies to secure logistics channels against invoice fraud.

5. Education: The Intellectual Property Harvesting Field

UK universities have the lowest DMARC enforcement in the nation despite about 91% of higher education institutions reporting a cyber breach in 2025.

Metric Adoption Rate
SPF Correctness 94.6%
DMARC p=reject 23.9%
No DMARC Record 4.3%

❌ The Critical Risk: Research & Login Harvesting.

Low DMARC enforcement (23.9%) allows attackers to forge university logins, gaining access to multi-million-pound research databases and student financial records.

✅ The PowerDMARC Fix:

We help universities manage thousands of departmental subdomains from one dashboard, slashing successful phishing attempts across the entire campus.

6. Media: The Disinformation Amplifier

Newsrooms fight fake news, but their own email domains remain vulnerable to spoofed bylines and deepfake distribution.

Metric Adoption Rate
SPF Correctness 98.4%
MTA-STS Adoption 1.6%
DNSSEC Adoption 1.6%

❌ The Critical Risk: Source Identity Theft & Deepfake Fraud.

While Media has high SPF correctness, it has near-zero MTA-STS and DNSSEC adoption. This means journalists’ communications are visible to those monitoring the network, and their credentials can be spoofed to plant deepfake stories or trick employees into fraudulent transfers.

✅ The PowerDMARC Fix:

We move media domains to p=reject, ensuring that only verified staff can send mail, preserving brand trust in an era of AI-driven info-wars.

7. Telecommunications: Subscriber Scam Magnet

Telecom carriers secure the network but not the inbox, giving scammers a free pass to send fake billing alerts to millions of subscribers.

Metric Adoption Rate
SPF Correctness 91.0%
DMARC p=reject 32.8%
No DMARC Record 11.9%

❌ The Critical Risk: Billing Fraud & Account Takeovers.

High “No-DMARC” rates along with incorrect DMARC configuration allow scammers to send fake billing alerts that look legitimate, tricking users into revealing the 2FA codes required for SIM-swapping or identity theft.

✅ The PowerDMARC Fix:

Our platform enforces p=reject across carrier domains and hosts MTA-STS to secure automated billing flows, making it impossible for scammers to use the carrier’s own name against its subscribers.

Under the Hood: Four Structural Weaknesses

The p=none Implementation Gap

18.9% of UK domains have DMARC but lack enforcement.

Expert insight:

“A DMARC policy set to p=none only provides reporting and visibility into spoofing attempts, without blocking them. While the high adoption rate in the United Kingdom is encouraging, shifting to a DMARC policy of p=reject is necessary to actively prevent unauthorized email use.”

Maitham Al Lawati, CEO, PowerDMARC
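
As an added illustration (not part of PowerDMARC's report or tooling), the following Python example buckets a domain by the TXT answers found at _dmarc.<domain>, separating monitoring-only from enforced policies. The function names, bucket names and sample records are constructed for this example; it also returns the subdomain policy, since sp=none leaves subdomains unprotected under an otherwise enforced domain.

```python
# Added example: bucket a domain's DMARC posture from the TXT answers
# at _dmarc.<domain>. All records below are constructed samples.

def parse_dmarc(txt):
    """Return the tag dict of a DMARC record, or None if it is not DMARC1."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def posture(txt_records):
    """Return (bucket, effective subdomain policy) for one domain."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:
        # Zero or several DMARC records: RFC 7489 receivers apply no policy.
        return ("no-dmarc", None)
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ("invalid-policy", None)
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))         # pct defaults to 100
    except ValueError:
        pct = 100
    if policy == "none":
        bucket = "monitoring-only"                # reports only, nothing blocked
    elif policy == "reject" and pct == 100:
        bucket = "enforced"
    else:
        bucket = "partial"                        # quarantine, or reject on a sample
    return (bucket, sub_policy)

SAMPLES = {
    "a.example": ["v=DMARC1; p=none; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@b.example"],
    "c.example": ["v=DMARC1; p=reject; pct=25"],
    "d.example": ["v=spf1 -all"],
}
```
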

SPF Complexity at Scale

6.3% of UK domains face critical misconfigurations, often due to the “10-lookup limit”.

Expert insight:

“The 10-lookup limit is a hard ceiling in DNS. Without SPF optimization techniques like flattening or Macros to compress these records, growing your digital stack inevitably breaks your email deliverability.”

Yunes Tarada, Service Delivery Manager, PowerDMARC
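
To make the 10-lookup limit concrete, here is an added Python example (not from the report or PowerDMARC's product) that counts, in the worst case, the SPF terms that cost a DNS query, following include and redirect recursively. ZONE is a constructed stand-in for live TXT lookups, and every domain and function name in it is hypothetical.

```python
import re

# Added example: worst-case count of DNS-querying SPF terms (RFC 7208, 4.6.4).
# ZONE is a constructed stand-in for live TXT lookups; all names are samples.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")
LIMIT = 10

ZONE = {
    "corp.example": "v=spf1 mx a include:_spf.mailvendor.example "
                    "include:_spf.crm.example include:_spf.helpdesk.example -all",
    "_spf.mailvendor.example": "v=spf1 include:_a.mailvendor.example "
                               "include:_b.mailvendor.example "
                               "include:_c.mailvendor.example ~all",
    "_a.mailvendor.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_b.mailvendor.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_c.mailvendor.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.example": "v=spf1 a mx include:_net.crm.example ~all",
    "_net.crm.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.helpdesk.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "flat.example": "v=spf1 mx a ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                    "ip4:203.0.113.0/24 -all",
}

def count_lookups(domain, zone, path=()):
    """Count terms that cost a DNS query, following include and redirect."""
    if domain in path:
        raise ValueError("SPF loop via " + domain)
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0                      # no SPF record at this name
    total = 0
    for term in terms[1:]:
        term = term.lstrip("+-~?")    # drop the qualifier
        if term.lower().startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_lookups(target, zone, path + (domain,))
            continue
        name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            total += 1
        if name == "include":
            target = term.split(":", 1)[1]
            total += count_lookups(target, zone, path + (domain,))
    return total

def spf_status(domain, zone):
    """Return (lookups, verdict); receivers return permerror above the limit."""
    lookups = count_lookups(domain, zone)
    return lookups, ("permerror" if lookups > LIMIT else "ok")
```

The three vendor includes on corp.example look harmless at the top level but expand to 11 lookups, while the flattened record stays at 2.
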

MTA-STS: The Encryption Deficit

79.4% of UK domains have no MTA-STS policy, leaving a complete control gap in transport security.

Expert insight:

“Standard email encryption (STARTTLS) is opportunistic. MTA-STS is a way to enforce the transport lock. With nearly all UK traffic exposed, it’s trivial for an attacker to strip away encryption and read sensitive corporate communications in transit.”

Ayan Bhuiya, Operations & Delivery Shift Lead, PowerDMARC
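
The difference between opportunistic STARTTLS, MTA-STS testing mode and MTA-STS enforce mode shows up in what a sending MTA does when encryption cannot be negotiated. This added Python example (not code from the report or any MTA) parses a constructed policy file and returns the sender's decision; the function names and example.org hosts are assumptions.

```python
# Added example: a sending MTA's decision under an MTA-STS policy when
# STARTTLS is stripped or the certificate fails. Policy text is constructed.
ENFORCE = ("version: STSv1\r\nmode: enforce\r\nmx: mail.example.org\r\n"
           "mx: *.mx.example.org\r\nmax_age: 604800\r\n")
TESTING = ENFORCE.replace("mode: enforce", "mode: testing")

def parse_policy(text):
    """Parse the body of /.well-known/mta-sts.txt; None if unusable."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        return None
    if policy.get("mode") not in ("enforce", "testing", "none"):
        return None
    return policy

def mx_allowed(mx_host, patterns):
    """Match an MX name against policy mx entries (wildcard = one label)."""
    host = mx_host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            label, _, parent = host.partition(".")
            if label and parent == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False

def delivery_decision(policy, mx_host, tls_ok):
    """tls_ok: STARTTLS was offered and the certificate validated."""
    if policy is None or policy["mode"] == "none":
        return "deliver-opportunistic"    # plaintext fallback is accepted
    if tls_ok and mx_allowed(mx_host, policy["mx"]):
        return "deliver-over-tls"
    if policy["mode"] == "enforce":
        return "refuse"                   # a stripped STARTTLS stops delivery
    return "deliver-and-report"           # testing: failure is only reported
```
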

DNSSEC: The Weak Foundation

Enabled on just 3.8% of UK domains.

Expert insight:

“DNSSEC acts as the guardian of your digital identity. It’s no longer just an IT protocol; it’s a fundamental layer of brand reputation management. A single DNS hijacking incident can shatter brand trust in seconds.”

Ahona Rudra, Marketing Manager, PowerDMARC

Global Benchmarking: U.K. in Context

This table compares the United Kingdom’s standing in critical security protocols with countries like the United States, Norway, and Japan.

Country | SPF Correct | DMARC (p=reject) | MTA-STS | DNSSEC
United States 🇺🇸 | 95.7% | 49.0% | 1.7% | 18.0%
Australia 🇦🇺 | 92.3% | 46.7% | 5.8% | 6.8%
United Kingdom 🇬🇧 | 93.7% | 44.1% | 20.6% | 3.8%
Norway 🇳🇴 | 85.2% | 29.0% | 2.8% | 45.6%
Italy 🇮🇹 | 91.0% | 16.7% | 1.0% | 3.5%
Saudi Arabia 🇸🇦 | 80.6% | 18.4% | 0.2% | 11.9%
Japan 🇯🇵 | 95.0% | 9.2% | 0.5% | 16.4%
Nigeria 🇳🇬 | 70.3% | 14.2% | 0.0% | 8.2%

Key Insights from the Official Reports

❗ The Enforcement Gap

The UK boasts high SPF adoption, but fewer than half of its domains actively protect against spoofed emails.

UK’s Standout MTA-STS

In comparison to other countries, the UK has a high MTA-STS adoption rate, important for transit protection. This can be credited to strict NCSC guidelines.

DNSSEC Adoption

The UK lags behind most countries in DNSSEC adoption, leaving it exposed to DNS hijacking and cache poisoning attacks.

The “Compliance Trap”

Although more organizations now host DMARC records, their posture remains passive because they are not at p=reject. This means monitoring, not protection.

Conclusion: From Metrics to Action

The United Kingdom DMARC & MTA-STS Adoption Report 2026 shows that the UK has established a strong technical foundation, but it has yet to fully bridge the gap between passive monitoring and active transport enforcement.

You cannot afford to wait for the next NCSC warning or a catastrophic Business Email Compromise (BEC) incident to move from monitoring to protection. PowerDMARC bridges this “Implementation Gap” by providing:

Automated Enforcement Paths: Safely migrating FTSE 100 companies and SMEs alike from p=none to p=reject without blocking critical business communications or departmental mail flow.

Infrastructure Simplification: Overcoming the “10-lookup limit” with SPF optimization, hosting MTA-STS to close the 79.4% encryption gap, and validating DNSSEC records in a single, cloud-native dashboard.

Regulatory Readiness: Supporting compliance with GDPR, UK Cyber Essentials, and PCI-DSS 4.0 by simplifying anti-phishing protection and securing sensitive email communications.

PowerDMARC Perspective

“The UK is currently a primary target for AI-driven phishing and invoice fraud. While British IT teams are excellent at publishing foundational records, they are often paralyzed by the fear of blocking legitimate mail. In 2026, a ‘monitoring-only’ posture is essentially a surrender to sophisticated spoofing. The move to active defense isn’t just a security upgrade; it is essential for protection against breaches that target the heart of the UK’s digital economy.”

PowerDMARC Team

Turn Visibility into Defense Today

UK adoption rates show that the foundation is ready; now it’s time to flip the switch. In a landscape where AI can spoof an executive’s tone perfectly, relying on “visibility” alone is not enough.

Don’t let your domain remain an “Unprotected Frontier.” Move from passive monitoring to active protection before the next wave of coordinated attacks hits your industry.

Contact PowerDMARC to start your journey to enforcement.