4 sectors that need email authentication the most and why
Quick Answer
The three core email authentication standards — SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489) — work together to verify that an email genuinely originates from the domain it claims to represent. Since February 2024, Google and Yahoo require all three for bulk senders.
DMARC is the only email authentication protocol that gives you both enforcement and visibility, says Brad Slavin, CEO of DuoCircle. SPF and DKIM authenticate silently — DMARC tells you what happened and lets you control the outcome. That combination of reporting and policy is why DMARC adoption is accelerating.
We are living in times where you have to think twice before clicking. But despite being mindful about what websites you visit and what links you download, you and your business are not 100% shielded from cyberattackers. Since the launch of ChatGPT in November 2022, vishing, smishing, and phishing attacks have increased by a staggering 1,265%.
While there is no definite answer, approximately 3.4 billion phishing emails are sent every day globally. What this means is that for every 4,200 emails sent, 1 would surely be a phishing email that would have the potential to dupe recipients into transferring money, downloading malware-infected files, or sharing sensitive data.
The top 4 sectors on the hot list of threat actors are financial services (banking and insurance), healthcare, e-commerce, and government agencies. These sectors need strong email authentication protocols like SPF, DKIM, and DMARC to protect their brand reputation and stay away from the legal repercussions of breaches and fraud.
This is because threat actors abuse your domain name to send malicious emails to your customers, prospects, employees, investors, etc. They impersonate your brand and its representatives to convince targeted recipients to share confidential documents, make financial transactions, disclose a company secret, and whatnot!

So, here is a detailed blog on why these 4 sectors are badly in need of properly configured SPF, DKIM, and DMARC records.
1. Financial services (banking and insurance)
The reason why the financial sector is on the radar is that it handles sensitive financial data and personal information of so many people, including the ones seen as high-value targets by malicious actors. 62,074 new finance-related domains were registered between January and June 2024, and you would be surprised to know that 62% of these were involved in phishing attacks targeting legitimate companies through spoofed websites. HSBC, BBVA, and PayPal are the frequent targets, with over 561 domains associated with each.
As of 2025, DMARC is mandatory under multiple compliance frameworks. CISA BOD 18-01 requires p=reject for US federal domains. PCI DSS v4.0 mandates DMARC for organizations processing payment card data as of March 2025. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and Microsoft began rejecting non-compliant email in May 2025. The UK NCSC, Australia’s ASD, and Canada’s CCCS all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition.
In fact, a financial scam is currently looming over Pembroke. Scammers are sending emails that falsely claim to be from the fraud department of local banks. The unsolicited phishing emails are convincing community members to empty their bank accounts and deposit the funds into Bitcoin machines. They are fooling them under the pretext of losing all the money otherwise.
As per Deloitte’s 2024 Financial Services Industry Predictions report, US banks can lose $40 billion by 2027 because of AI-powered scams. Cybercriminals are heavily using generative AI to create near-perfect phishing emails that they send from unprotected domains. Generative AI is also being exploited to develop images, audio, and videos.
If we talk about the global situation of DMARC adoption in the finance sector, it isn’t too good. Almost a third of UK banks have no DMARC protection at all. On the brighter side, between Q2-2021 and Q2-2022, 28% and 200% increments have been observed in setting the DMARC policy to p=reject and p=quarantine, respectively.
The finance sector is adopting DMARC at a faster pace since the Payment Card Industry Security Standards Council (PCI SSC) announced that the requirement is considered a best practice until March 31, 2025. After that, it will become mandatory and must be fully addressed during a PCI DSS assessment.
2. Healthcare
Healthcare organizations manage private patient data, which attracts many threat actors. They usually steal medical details to file fake insurance claims, illegally obtain prescription drugs, raise bills for non-existing treatments or services, blackmail for ransom, craft convincing phishing scams that target individuals with specific health conditions, etc.
In a cybercrime reported in February 2024, more than 200,000 people in Los Angeles County may have had their personal data exposed after a hacker stole the login credentials of 53 public health employees through a phishing email. The data breach potentially compromised sensitive information like names, birth dates, medical records, diagnoses, prescription details, Social Security numbers, and health insurance information.
A DMARC analysis also showed that only 69% of UAE hospitals have a DMARC record, which means 31% of them have no email authentication protocols in place.
The healthcare industry was devastated during the COVID-19 phase due to acute challenges like performing only elective surgeries and resource constraints. Because of these, cash inflow was heavily affected. This caused the healthcare industry to cut back on the cybersecurity budget, becoming a prime target for threat actors. Some healthcare organizations reallocated cybersecurity budgets after things settled down, but many didn’t take any significant steps, leaving their domains susceptible to phishing and spoofing.
If you are interested in learning more, please read this detailed article: A Reality Check On Email Security Threats In Healthcare!
3. E-commerce
E-commerce companies send frequent transactional and marketing emails, making them common targets for cybercriminals looking to steal customer payment details or login credentials. Email authentication helps prevent fraud, safeguard customers, and maintain brand integrity. In a phishing campaign targeted at eBay customers, threat actors pretended to be from the company’s support team and sent fraudulent emails. These emails urged recipients to update their account information due to a supposed security breach. The messages contained malicious links that directed victims to fake login pages, where they unknowingly entered their account credentials.
The attackers used this information to access the victims’ accounts, potentially making unauthorized purchases or stealing personal details. Although eBay’s systems were not directly breached, the phishing campaign affected many of its customers, highlighting the vulnerabilities arising from phishing attacks, particularly in e-commerce. eBay had to respond by advising customers to change their passwords and enabling additional security measures to mitigate future attacks.
This incident emphasized the need for robust email security measures like DMARC and BIMI, as well as user awareness to recognize phishing attempts.
Between Q3-2021 and Q3-2022, the e-commerce sector showed a positive trend in terms of DMARC adoption and advancement to stricter policies. 30% and 80% of DMARC policies advanced to p=reject and p=quarantine, respectively. There was also a 10% decrease in the number of DMARC policies set to none, and a 16% decrease in the number of companies that don’t have a DMARC policy.
Moreover, the new policies rolled out by Gmail and Yahoo require bulk email senders (like e-commerce companies) to have email authentication protocols in place. This requirement is also expected to contribute to the upward trend of DMARC adoption in the e-commerce sector.
4. Government agencies
Due to the sensitive nature of their operations and data, cyberattacks often target government entities. Spoofed government emails can lead to misinformation or unauthorized data access. Strong email authentication ensures secure communication between agencies and the public, reducing the risk of cyber espionage and misinformation.
A review of second-level GOV domains within 178 of the 247 ccTLDs listed on Wikipedia revealed that only [78 of these domains (about 45%) had a valid SPF record](https://isc.sans.edu/diary/29384) published. Moreover, five of these domains had either malformed SPF records or lacked an explicit “all” directive, rendering them ineffective. Only 33 domains (approximately 19%) had a valid DMARC record. Even among NATO and EU countries, the results showed no significant improvement, with some areas performing worse.
This highlights the vulnerability of these domains to email spoofing, especially given the absence of necessary security measures like SPF, DMARC, and DKIM. While third-level domains are often more secure, second-level domains are frequently left unprotected, though eight did have a ‘blocker’ SPF record.
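The categories used in that review (valid, malformed, missing “all”, ‘blocker’) can be checked mechanically. The following is an added example, not code from the cited review or from DMARCReport; the function names and the TXT records under `.example` domains are constructed for illustration, and the SPF syntax check is a simplified subset of RFC 7208.

```python
import re

# Simplified RFC 7208 term syntax: mechanisms with optional qualifier, plus modifiers.
_MECH = re.compile(r"^[+\-~?]?(all|include|a|mx|ptr|ip4|ip6|exists)([:/].*)?$", re.I)
_MOD = re.compile(r"^(redirect|exp)=.+$", re.I)

def classify_spf(txt_records):
    """Return 'none', 'malformed', 'no-all', 'blocker' or 'valid'."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return "none"
    if len(spf) > 1:  # more than one SPF record is a permanent error
        return "malformed"
    terms = [t.lower() for t in spf[0].split()[1:]]
    if not all(_MECH.match(t) or _MOD.match(t) for t in terms):
        return "malformed"
    if terms == ["-all"]:  # authorises no sender at all: the 'blocker' record
        return "blocker"
    if not any(t.lstrip("+-~?") == "all" or t.startswith("redirect=") for t in terms):
        return "no-all"  # unmatched senders get a neutral result, nothing is rejected
    return "valid"

def dmarc_policy(txt_records):
    """Return p= of the single DMARC record, or None if absent or invalid."""
    recs = [r for r in txt_records if re.match(r"v\s*=\s*DMARC1\s*;", r)]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip().lower()
    return tags["p"] if tags.get("p") in ("none", "quarantine", "reject") else None

# Constructed TXT answers: (apex records, _dmarc records) per reserved example domain.
SAMPLE = {
    "gov.example": (["v=spf1 ip4:192.0.2.0/24 -all"], ["v=DMARC1; p=reject; rua=mailto:d@gov.example"]),
    "parked.example": (["v=spf1 -all"], ["v=DMARC1; p=none"]),
    "typo.example": (["v=spf1 ipv4:192.0.2.1 -all"], []),
    "open.example": (["site-verification=x", "v=spf1 mx a"], ["v=DMARC1; pct=100"]),
}

def survey(zone_data):
    """Map each domain to (SPF classification, DMARC policy)."""
    return {d: (classify_spf(apex), dmarc_policy(dm)) for d, (apex, dm) in zone_data.items()}

if __name__ == "__main__":
    for domain, result in survey(SAMPLE).items():
        print(domain, *result)
```
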
Final words
While email authentication isn’t an undiscussed or lightly touched-on topic, many domain owners are still unaware of it. The ones who are aware are either stuck on the p=none policy (which is equivalent to having no DMARC setup at all) or don’t leverage the benefits of DMARC reports.
DMARC reports give you insights into your domain’s email activities, helping you recognize emails sent by unauthorized and potentially fraudulent senders. These reports are sent by recipients’ servers. So, if your business style involves sending thousands of emails in a day, you will likely receive hundreds of these reports in the complicated XML format. We know it isn’t easy to track and analyze so many reports. That’s why we at DMARCReport offer to do this for domain owners. If you are interested in learning more, please book a demo.
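Reading a single aggregate report for unauthenticated sources looks like this. It is an added example, not DMARCReport's code: the XML is a constructed sample that uses the RFC 7489 feedback element names, and `summarize` is a hypothetical helper.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report (documentation IP ranges, reserved domains).
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>shop.example</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>1200</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>shop.example</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>shop.example</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>310</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>shop.example</header_from></identifiers></record>
</feedback>"""

def summarize(report_xml):
    """Return policy, total volume and per-IP counts of messages failing DMARC."""
    root = ET.fromstring(report_xml)
    failing, total = Counter(), 0
    for rec in root.iter("record"):
        count = int(rec.findtext("row/count", "0"))
        evaluated = rec.find("row/policy_evaluated")
        # DMARC passes when either the aligned DKIM or the aligned SPF check passes.
        aligned = evaluated is not None and "pass" in (
            evaluated.findtext("dkim"), evaluated.findtext("spf"))
        total += count
        if not aligned:
            failing[rec.findtext("row/source_ip")] += count
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": total,
        "failing": dict(failing),  # delivered anyway while the policy is p=none
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Aggregate reports arrive from third parties, so a production parser should reject entity expansion and external entities, for example by using the `defusedxml` package in place of the standard-library parser.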
CTO
CTO of DuoCircle. Leads engineering for DMARC Report and DuoCircle's email security product portfolio.