56% of UK Domains Still Vulnerable to Email Spoofing

The United Kingdom is in the middle of a seismic shift in its cyber landscape. As the digital backbone of a global financial hub, the UK’s reliance on secure communication has never been higher.

However, a critical deadline looms: the NCSC is officially retiring its Mail Check and Web Check services by March 31, 2026. This transition shifts the full responsibility for DMARC enforcement directly onto individual organizations, removing a long-standing national safety net.

According to PowerDMARC’s new United Kingdom DMARC & MTA-STS Adoption Report 2026, the nation is in a state of “partial readiness.” While British organizations have been diligent in checking the “authentication” box, they have largely ignored the encryption and integrity layers required to thwart modern, AI-driven phishing attacks. The data reveals that the gap between simply having a record and actually enforcing it has become a national security emergency.

Key Insights at a Glance

  • SPF Correctness: A strong foundation with 93.7% correct implementation, showing high technical literacy across the 875 domains analyzed. While it is great to see that most UK organizations have set up SPF correctly, it’s worth noting that “correct” doesn’t always mean safe or secure; it can be correct but still be too broad or easily bypassed. These organizations can use a free SPF record checker to ensure their SPF records are not only correct but also secure.
  • DMARC Enforcement: Only 44.1% of domains have reached the gold standard of p=reject, meaning more than half the country remains vulnerable to active spoofing. That is an open invitation for scammers to send email that appears to come from an official domain, leaving customers and partners unable to tell which messages are genuine and which are fraudulent.
  • MTA-STS Adoption: A standout 20.6% adoption rate, significantly higher than the global average, driven by NCSC mandates, yet leaving nearly 80% of mail traffic exposed to interception.
  • DNSSEC: A critical weak point, enabled on just 3.8% of domains, leaving the vast majority of UK organizations at risk of DNS hijacking and cache poisoning.
  • The Sector Gap: While Banking & Finance leads in enforcement (61.3% p=reject), the Transport & Logistics sector is the most exposed, with over 26% of domains lacking any DMARC record entirely. This can create a “soft target” for attackers who exploit these less-defended supply chains to intercept high-value shipment data.

Key takeaway: 18.9% of UK domains use a p=none policy. This provides visibility but offers zero protection, creating a false sense of security while attackers continue to spoof official identities to initiate fraudulent transfers or steal sensitive PII.

How PowerDMARC Supports UK Organizations

PowerDMARC provides a streamlined, automated path to securing the nation’s email channels ahead of the NCSC Mail Check retirement:

  • Automated DMARC Enforcement: Safely migrating organizations from p=none to p=reject without blocking critical business communications or departmental mail flow.
  • SPF Macros Optimization: Overcoming the “10-lookup limit” that frequently breaks deliverability for large organizations with complex digital stacks. In simple terms, once your list of third-party senders gets too long, your SPF record breaks, and emails start bouncing. PowerDMARC uses macros to “flatten” these records, so that your email gets through no matter how many cloud tools your team adds to the pile.
  • Hosted MTA-STS: Closing the encryption gap with a single click to force all email transit into encrypted TLS 1.2+ channels, preventing “Downgrade Attacks.” By hosting the policy for you, PowerDMARC handles the complex web server and certificate maintenance, so that your communications stay private without your IT team having to do all of the work itself.
  • Regulatory Readiness: Simplifying compliance with GDPR, UK Cyber Essentials, and PCI-DSS 4.0 by automating anti-phishing protocols.
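As an added example (not code from the report or from PowerDMARC’s tooling), here is a small Python audit that walks an SPF record and everything it pulls in via include and redirect, counts the DNS-querying terms against the 10-lookup limit of RFC 7208, and flags any record in the chain whose all mechanism accepts everything, the “correct but too broad” case noted above. The zone data is constructed for illustration, and ZONE, audit_spf and spf_is_safe are names chosen here.

```python
import re

# Constructed sample zone (domain -> SPF TXT record); none of these are real records.
ZONE = {
    "example.co.uk": "v=spf1 include:_spf.mailhost.example include:crm.example mx -all",
    "_spf.mailhost.example": "v=spf1 ip4:192.0.2.0/24 include:pool1.mailhost.example include:pool2.mailhost.example ~all",
    "pool1.mailhost.example": "v=spf1 a mx ip4:198.51.100.0/24 -all",
    "pool2.mailhost.example": "v=spf1 a:relay.mailhost.example exists:%{i}.chk.mailhost.example -all",
    "crm.example": "v=spf1 include:us.crm.example include:eu.crm.example -all",
    "us.crm.example": "v=spf1 ip4:203.0.113.0/24 ptr -all",
    "eu.crm.example": "v=spf1 ip4:203.0.113.0/24 redirect=global.crm.example",
    "global.crm.example": "v=spf1 mx +all",   # a catch-all buried three hops deep
}

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # terms that cost a DNS query
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


def audit_spf(domain, zone, path=()):
    """Recursively evaluate domain's SPF record (static, offline).
    Returns (lookups, permissive): lookups is the number of DNS-querying terms a
    receiver would resolve, permissive lists records ending in '+all' or '?all'."""
    if domain in path:            # include/redirect loop on the current path: stop
        return 0, []
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0, []
    lookups, permissive = 0, []
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        if body == "all":
            if qualifier in "+?":  # pass or neutral for every sender: no protection
                permissive.append(domain)
            continue
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/]*))?", body, re.I)
        if not m:
            continue
        mech, target = m.group(1).lower(), m.group(2) or ""
        if mech == "redirect" or mech in LOOKUP_MECHS:
            lookups += 1
            if mech in ("include", "redirect"):  # the referenced record's lookups count too
                sub_lookups, sub_perm = audit_spf(target, zone, path + (domain,))
                lookups += sub_lookups
                permissive += sub_perm
    return lookups, permissive


def spf_is_safe(domain, zone=ZONE):
    """True only when the record stays within the lookup limit and no record in the chain is a catch-all."""
    lookups, permissive = audit_spf(domain, zone)
    return lookups <= MAX_LOOKUPS and not permissive
```

Running audit_spf("example.co.uk", ZONE) on the constructed zone reports 14 lookups, well over the limit, and names global.crm.example as the record that would let any host pass.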

UK organizations can contact PowerDMARC to turn their visibility into a shield, ensuring their digital reputation is protected in an era of sophisticated, AI-generated fraud.

About PowerDMARC

PowerDMARC is a leading email authentication and domain protection platform, offering comprehensive solutions including DMARC, SPF, DKIM, BIMI, MTA-STS, TLS-RPT, and hosted reporting with AI-powered threat intelligence. The platform secures email ecosystems for over 10,000 organizations across more than 100 countries. PowerDMARC is MSP/MSSP-ready and holds SOC 2 Type 2, ISO 27001, and GDPR compliance certifications.
