Government and Healthcare Are the Weakest Links in Global Email Security

Pierluigi Paganini
July 03, 2026

Government and healthcare sectors have weak email security. Many domains lack SPF, DMARC, DKIM, and MTA-STS, leaving them open to phishing attacks.

Comparitech analyzed live DNS records for 5,849 domains across 13 sectors and scored each one out of 8 points based on four standard email authentication protocols: SPF, DMARC, DKIM, and MTA-STS. The results aren’t flattering. More than 8 percent of organizations had zero protection in place, and only 0.6 percent — 33 domains out of 5,849 — scored full marks. That’s 33 organizations out of nearly 6,000 doing everything right.

Government came last, with an average score of 2.73 out of 8.

“121 out of the 452 domains we scanned had zero protections in place (27%) – the highest of all sectors,” reads the report published by Comparitech. “No government domains scored full marks, but three did score 7.5 – Australia’s national science agency (CSIRO), the Mila – Quebec Artificial Intelligence Institute in Canada, and The Alan Turing Institute in the UK (also dedicated to data science and artificial intelligence).”

China’s government domains averaged just 0.9, with 65 percent having no protection at all. France wasn’t far behind at 1.4 average and 47 percent unprotected. The UK and US were the best performers in the sector, but even 17 percent of US government domains had zero protection — despite a Department of Homeland Security mandate requiring DMARC on all federal email domains.

Healthcare providers ranked second-worst at 3.43.

“85 out of the 438 domains we scanned had zero protections in place (19%) — the second highest of all sectors,” continues the report. “Four domains scored full points. Three of these were part of the UK’s NHS (NHS Blood and Transplant, Manchester University NHS Foundation Trust, and University Hospitals Birmingham NHS Foundation Trust), and one was the Dutch cancer specialist, Prinses Máxima Centrum.”

Chinese healthcare provider domains averaged 2.1, with 45 percent fully unprotected. The Netherlands was the outlier in healthcare, averaging 6.0 with zero unprotected domains. Across the sector, four domains scored perfect marks: three NHS trusts in the UK and a Dutch cancer center.

Universities showed an interesting failure mode. Nearly 86 percent had a DMARC record in place, which sounds good. But 42 percent of those had left DMARC in monitoring-only mode (p=none), which means spoofed messages still reach the recipient's inbox: the receiving server reports them but neither blocks nor quarantines them. Setting up DMARC and never enforcing it is roughly equivalent to installing a lock and leaving the key in it.

Technology companies led the field with an average score of 4.83, and only 2 percent of their domains had zero protection. Only two domains in the entire study scored perfect 8/8 across all sectors: microsoft.com and f5.com. On the country side:

“Asian countries/territories had the lowest average scores, with China (2.3), South Korea (2.84), Hong Kong (3.07), and Japan (3.53) ranking among the lowest. The European countries of France (3.77), Germany (3.8), and Spain (3.98) also scored poorly,” states Comparitech. “Among the highest-scoring countries were the Netherlands (5.51), Denmark (5.33), Norway (5.31), and Finland (5.19).”

The Nordic pattern isn’t accidental: GDPR creates pressure toward stronger data protection practices, and it shows in the scores.

MTA-STS, the protocol that lets a domain require TLS on inbound SMTP connections (and tells sending servers not to fall back to plaintext), is almost universally ignored. Only 3 percent of all domains in the study had it in place. SPF was present on 90 percent of domains and DMARC on 81 percent, but having a record in place and enforcing it are different things: a DMARC policy set to p=none does nothing to stop a phishing email from landing in someone’s inbox.
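The distinction between "record present" and "record enforced" that the university and MTA-STS findings above turn on is mechanical enough to check in code. The script below is an added example, not Comparitech's scanner or scoring method: it evaluates SPF, DKIM, DMARC and MTA-STS from TXT records and an MTA-STS policy file and reports a simplified present/enforced count out of 4 (not the report's 8-point scale). To run offline, the DNS answers and policy file are constructed Python dicts for two hypothetical `.test` domains; a live checker would obtain the same TXT strings via DNS queries and fetch `https://mta-sts.<domain>/.well-known/mta-sts.txt`. The DKIM selector list is an assumption, since DKIM keys can only be found by probing selector names.

```python
"""Offline posture check for SPF, DKIM, DMARC and MTA-STS (added example)."""
from typing import Dict, List, Optional

# Assumed selectors to probe; DKIM keys live at <selector>._domainkey.<domain>.
SELECTORS = ("default", "s1", "selector1", "google")


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' record (DMARC, DKIM, MTA-STS TXT) into lowercase-keyed tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")  # first '=' only: DKIM p= is base64 with '=' padding
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(txt: List[str]) -> dict:
    spf = [r for r in txt if r.lower().startswith("v=spf1")]
    if not spf:
        return {"present": False, "enforced": False, "note": "no SPF record"}
    if len(spf) > 1:
        # RFC 7208 section 4.5: more than one record is a permerror, so receivers cannot use SPF at all
        return {"present": True, "enforced": False, "note": "multiple SPF records (permerror)"}
    terms = spf[0].split()
    tail = terms[-1].lower() if terms else ""  # simplification: ignores a trailing redirect= modifier
    if tail == "-all":
        return {"present": True, "enforced": True, "note": "hard fail (-all)"}
    if tail == "~all":
        return {"present": True, "enforced": False, "note": "soft fail (~all): only useful together with DMARC"}
    return {"present": True, "enforced": False, "note": f"no restrictive 'all' mechanism ({tail or 'missing'})"}


def assess_dmarc(txt: List[str]) -> dict:
    recs = [r for r in txt if r.lower().startswith("v=dmarc1")]
    if not recs:
        return {"present": False, "enforced": False, "policy": None, "note": "no DMARC record"}
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))  # pct<100 applies the policy to only part of the failing mail
    except ValueError:
        pct = 0
    enforced = policy in ("quarantine", "reject") and pct == 100
    note = {"none": "monitoring-only (p=none): reports are sent, nothing is blocked",
            "quarantine": "quarantine", "reject": "reject"}.get(policy, f"invalid policy '{policy}'")
    if policy in ("quarantine", "reject") and pct < 100:
        note += f", applied to only {pct}% of failing mail"
    return {"present": True, "enforced": enforced, "policy": policy, "note": note}


def assess_dkim(by_selector: Dict[str, List[str]]) -> dict:
    """DKIM has no policy knob: a published, non-revoked key counts as present and enforced."""
    found = [sel for sel, txt in by_selector.items()
             for r in txt if parse_tags(r).get("p")]  # empty p= means the key was revoked
    if not found:
        return {"present": False, "enforced": False, "note": "no key under the probed selectors"}
    return {"present": True, "enforced": True, "note": f"key published at selector(s) {', '.join(found)}"}


def assess_mta_sts(txt: List[str], policy_file: Optional[str]) -> dict:
    recs = [r for r in txt if r.lower().startswith("v=stsv1")]
    if not recs:
        return {"present": False, "enforced": False, "mode": None, "note": "no _mta-sts TXT record"}
    if policy_file is None:
        return {"present": True, "enforced": False, "mode": None, "note": "TXT record but policy file unreachable"}
    fields: Dict[str, List[str]] = {}
    for line in policy_file.splitlines():  # policy file is 'key: value' lines, mx may repeat
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    mode = (fields.get("mode") or [""])[0].lower()
    enforced = mode == "enforce" and bool(fields.get("mx"))  # 'testing' and 'none' do not require TLS
    return {"present": True, "enforced": enforced, "mode": mode, "note": f"mode={mode or 'missing'}"}


def assess_domain(domain: str, dns: Dict[str, List[str]], policies: Dict[str, str]) -> dict:
    checks = {
        "spf": assess_spf(dns.get(domain, [])),
        "dkim": assess_dkim({s: dns.get(f"{s}._domainkey.{domain}", []) for s in SELECTORS}),
        "dmarc": assess_dmarc(dns.get(f"_dmarc.{domain}", [])),
        "mta_sts": assess_mta_sts(dns.get(f"_mta-sts.{domain}", []), policies.get(domain)),
    }
    return {"domain": domain, **checks,
            "present": sum(c["present"] for c in checks.values()),
            "enforced": sum(c["enforced"] for c in checks.values())}


# Constructed answers for two hypothetical domains (.test is reserved; nothing here is a real lookup).
SAMPLE_DNS = {
    "weak-example.test": ["v=spf1 include:_spf.mailer.test ~all", "site-verification=abc123"],
    "_dmarc.weak-example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@weak-example.test"],
    "strong-example.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.strong-example.test": ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong-example.test"],
    "s1._domainkey.strong-example.test": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"],  # placeholder, not a real key
    "_mta-sts.strong-example.test": ["v=STSv1; id=20240601T000000"],
}
SAMPLE_POLICIES = {
    "strong-example.test": "version: STSv1\nmode: enforce\nmx: mx1.strong-example.test\nmax_age: 604800\n",
}

if __name__ == "__main__":
    for d in ("weak-example.test", "strong-example.test"):
        r = assess_domain(d, SAMPLE_DNS, SAMPLE_POLICIES)
        print(f"{d}: {r['present']}/4 present, {r['enforced']}/4 enforced")
        for name in ("spf", "dkim", "dmarc", "mta_sts"):
            print(f"  {name:8} {r[name]['note']}")
```

Run as-is, the weak domain reports 2/4 present but 0/4 enforced, which is exactly the "record in place, nothing enforced" state the study flags: SPF with `~all` and DMARC with `p=none` exist but block nothing. The strong domain reports 4/4 on both counts. A DMARC record with `pct` below 100 or an MTA-STS policy in `testing` mode is likewise counted as present but not enforced.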

“Our report highlights how each and every industry and country has room for improvement when it comes to email security. This is even the case within sectors and/or countries where email security is regulated to some degree,” concludes the report.

“Equally, certain sectors within specific countries face heavier regulation. For example, in the US, the Department of Homeland Security (DHS) mandates that DMARC should be in use on all government agency email domains. And, in the UK, the Government Digital Service (GDS) requires DMARC across governmental domains, and with p=reject (hard fail).”
