We scanned 22k UK domains. Only 10.1% can block impersonation.
A baseline analysis of DNS authentication across Britain's public and commercial email namespace.
01
Executive summary
The United Kingdom has the most mature public-sector email authentication posture in the English-speaking world. The Government Digital Service (GDS), through its gov.uk secure email programme and the National Cyber Security Centre’s Active Cyber Defence mandate, has required DMARC enforcement on central government domains since 2016. Our analysis of 22,116 UK-hosted domains confirms that discipline, but also surfaces a commercial namespace that lags the US and sits far below what the public-sector leaders would suggest.
The public-sector leader cohort is exceptional. UK Government domains average 73.1 out of 100, the highest sector score we have observed in any country report. Education follows at 52.6, Nonprofit at 50.0, E-commerce at 47.5. Below that floor, the commercial tail collapses: Technology averages 23.3 and Media just 11.7. Across the full population, 65.4% of UK domains publish no DMARC record at all, leaving their users susceptible to direct domain spoofing, phishing, and business email compromise (BEC).
02
Methodology
Data was collected using the Authex Global Scanner framework during April 2026. The dataset comprises 22,116 active UK-hosted domains. Geographic targeting combined MX record IP geolocation, WHOIS registration records, and ccTLD filtering across the .uk namespace (including .co.uk, .gov.uk, .ac.uk, and .org.uk). Sector classification was derived from enrichment metadata: HTML page analysis, MX patterns, and known registrant categories. All scans were non-intrusive DNS queries (SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT).
Authex Scanner · N=22,116
04
Analysis
The Whitehall benchmark
UK central and local government is the one vertical in this series that has decisively crossed the enforcement threshold. 56.5% of .gov.uk domains publish p=reject and a further 33.7% publish p=quarantine, for a combined enforcement rate of 90.2%. Only 5.4% remain without DMARC. This is not an accidental outcome. It reflects the GDS secure email standard, the NCSC Mail Check service that has tracked government DMARC since 2017, and the Cabinet Office’s treatment of email authentication as mandatory baseline rather than discretionary hardening.
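The policy buckets and the combined enforcement rate used above can be reproduced from raw `_dmarc` TXT answers. The sketch below is an added example, not Authex's scanner code; the function names, the `invalid` bucket, and the sample records are constructed for illustration.

```python
from collections import Counter

def tags(record):
    """Split a TXT string into (name, value) pairs, in order."""
    out = []
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            out.append((name.strip().lower(), value.strip()))
    return out

def classify(txt_records):
    """Bucket a domain from the TXT strings returned for _dmarc.<domain>."""
    # Only records whose first tag is v=DMARC1 count; stray SPF or
    # verification strings at the same name are discarded.
    dmarc = [t for t in map(tags, txt_records) if t and t[0] == ("v", "DMARC1")]
    if not dmarc:
        return "missing"
    if len(dmarc) > 1:
        return "invalid"  # several DMARC records: receivers apply none of them
    policy = dict(dmarc[0]).get("p", "").lower()
    return policy if policy in ("none", "quarantine", "reject") else "invalid"

def summarise(zone):
    """Aggregate per-domain buckets into the rates quoted in the report."""
    counts = Counter(classify(txts) for txts in zone.values())
    total = len(zone)
    enforced = counts["reject"] + counts["quarantine"]
    return {
        "counts": dict(counts),
        "enforcement_rate": round(100 * enforced / total, 1),
        "no_dmarc_rate": round(100 * counts["missing"] / total, 1),
    }

# Constructed sample data (not taken from the scan).
SAMPLE = {
    "dept.example":    ["v=DMARC1; p=reject; rua=mailto:dmarc@dept.example"],
    "uni.example":     ["v=DMARC1; p=reject"],
    "council.example": ["v=DMARC1;p=quarantine"],
    "shop.example":    ["v=DMARC1; p=none; rua=mailto:r@shop.example"],
    "news.example":    [],                       # no TXT answer at _dmarc
    "blog.example":    ["v=spf1 -all"],          # SPF published at the wrong name
    "dup.example":     ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "typo.example":    ["v=DMARC1; p=rejct"],    # misspelled policy value
}

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

The `pct` and `sp` tags are ignored here, so a domain publishing `p=reject` with a reduced `pct` still lands in the reject bucket.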
Chart 01 · Sector posture breakdown
Average Authex security score by major economic sector (0–100 scale).
A respectable institutional middle
Beneath government, the UK carries a second cohort that performs significantly better than commercial averages elsewhere in the series. Education, anchored by .ac.uk domains and Jisc-operated infrastructure, averages 52.6. Nonprofit, a sector dominated by .org.uk charities, averages 50.0. E-commerce, covering the large British retail namespace, averages 47.5. These verticals have not matched Whitehall’s enforcement rates, but they do demonstrate rudimentary policy protection at materially higher rates than their US counterparts. The institutional half of the UK namespace is genuinely ahead of its peers.
Chart 02 · DMARC policy distribution
DMARC policy distribution across the UK namespace (N=22,116).
Media is the outlier
The UK Media sector average of 11.7 is the lowest single-sector score in this series to date. It sits 61 points below UK Government inside the same ccTLD. 84.3% of UK media domains publish no DMARC record, and only 1.9% enforce at p=reject. The consequence is direct. Newsroom staff, freelance journalists, and commercial advertising contacts on these domains can be impersonated with no perimeter check on inbound receiving servers, and no telemetry to the domain owner that the impersonation occurred. For an industry whose commercial product is the attributable byline, the unauthenticated email channel is a structural liability.
The long commercial tail
Because our methodology relies exclusively on public DNS record retrieval, we cannot observe raw email volume or blocked attacks. What we can observe is the configuration state of the commercial majority. Technology averages 23.3 and carries 65.6% of its domains without DMARC. The unclassified commercial long tail, which accounts for the bulk of the remaining namespace, behaves similarly. The UK pattern is therefore a sharp bimodal distribution: a regulated and state-mandated cohort operating at world-leading enforcement rates, and a mid-to-small commercial population that has yet to deploy the baseline. The binding constraint on UK email security is not the public sector. It is the SME.
05
Vanguards
Domains leading by example. Explicit, verified enforcement at the perimeter.
06
Cite this
Authex publishes empirical country and sector benchmarks on email authentication adoption. We scan millions of domains across the open Internet to urge the industry towards strict enforcement.
Reference
Authex (2026). UK Email Security 2026.
Retrieved from https://authexlabs.com/research/uk-2026