DMARC Fails: patients’ data exposed to phishing

by Tomas Statkus

Nearly all NHS domains are exposed to phishing attacks because the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol is not protecting them.[1]


A recent report from Agari[2] analysed 40 healthcare organizations in the UK and almost 5,000 NHS domains.

The new Healthcare: DMARC Adoption Report found extraordinarily low take-up of the protocol. DMARC was originally established to authenticate messages in order to detect and prevent spoofing. As Agari puts it:

DMARC is an email standard to solve the spoofing and phishing problem. When fully implemented, a DMARC DNS record published by the sending organization ensures that only authorized senders can send email on behalf of the organization.

The findings revealed that only 5% of the 40 healthcare organizations analyzed actually had the DMARC protocol in place, and only 1% of the NHS domains had a working DMARC record.

Among global healthcare organizations, over three quarters (about 77%) have no DMARC policy at all. Of those that do publish a DMARC policy, only 2% have an enforcement-based policy in place, as opposed to a monitoring-only policy.
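The distinction the report draws above (no DMARC record, a record that only monitors, and a record that actually enforces) comes down to the `p=` tag of the `_dmarc` TXT record that Agari's quoted definition refers to. The following is an added example, not code from the article or from Agari, that parses constructed DMARC records and sorts domains into those three buckets; the domain names and records are made up for illustration.

```python
# Constructed sample TXT records as they would appear at _dmarc.<domain>.
# These are illustrative only and are not real NHS or healthcare domains.
SAMPLE_RECORDS = {
    "no-dmarc.example": None,  # no _dmarc TXT record published at all
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@partial.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@enforced.example",
    "broken.example": "v=DMARC1; rua=mailto:dmarc@broken.example",  # required p= tag missing
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tags; return None if it is not valid DMARC."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            return None  # malformed tag, receivers will ignore the record
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: the record must start with v=DMARC1 and the p= tag is mandatory.
    if not record.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        return None
    return tags


def classify(record):
    """Return 'none', 'monitor' or 'enforce', matching the report's three categories."""
    tags = parse_dmarc(record)
    if tags is None:
        return "none"  # absent or unusable record gives the same protection: none
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "none"  # unknown policy value, treated as if no record were present
    if policy == "none":
        return "monitor"  # reports are sent, but spoofed mail is still delivered
    # quarantine or reject; note pct= below 100 applies it only to a sample of mail
    return "enforce"


def summarize(records):
    """Count domains per category, e.g. to reproduce the report's adoption figures."""
    counts = {"none": 0, "monitor": 0, "enforce": 0}
    for record in records.values():
        counts[classify(record)] += 1
    return counts
```

Running `summarize(SAMPLE_RECORDS)` on the constructed set gives two domains with no usable record, one monitoring-only and two enforcing; on real data the records would come from TXT lookups of `_dmarc.<domain>`.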

According to the Agari report, more than 50% of the emails patients receive that appear to come from healthcare organizations are actually fraudulent, which shows why the DMARC protocol is a must for these kinds of organizations.

The new Verizon Data Breach Investigations Report also indicated that the healthcare sector is the most targeted after financial services.[3]

The Secure Email Requirements Specification, known as SCCI1596, was adopted by the health service in January 2017. The spec mandates the use of DMARC by all NHS organizations.

Unfortunately, according to Agari's findings, and despite warnings from NHS Digital, less than 10% of NHS Trusts and Boards meet the security standards, and as many as 99% of all studied domains do not have DMARC set up.

However, DMARC implementation is not simple and can take time. In addition, the tangle of legacy NHS systems makes it even more complex and challenging.

While the UK Government mandated the use of the DMARC protocol, HSTS and HTTPS for all government departments back in 2016, the reality remains that healthcare systems do not meet the requirements.[4]

What is more, research from late October 2017 disclosed that only 16% of local councils in the UK follow the rule.

The National Cyber Security Centre reported that 613 .gov domains were registered with the service.



About the author

Tomas Statkus - Team leader

Tomas Statkus is an IT specialist, the team leader, and the founder of He has worked in the IT area for over 10 years.
