74% of breached healthcare domains had ineffective DMARC policies in 2025
Dawn Halpin April 27, 2026
Among the 170 healthcare organizations that reported email breaches to HHS in 2025, the most common security gap was a configuration problem, not a sophisticated attack. Paubox's 2026 Healthcare Email Security Report analyzed DMARC records and SPF configurations across all breached domains and found that 74% had DMARC policies set to "none" or had no DMARC record at all. Either way, the organization was telling receiving mail servers to take no action on unauthenticated email. In effect: deliver messages from anyone claiming to be us.
DMARC, SPF, and DKIM have been available as free email authentication standards for over a decade. The 74% figure is not a story about new threats outpacing old defenses. It is a story about defenses that exist, are well documented, and are not being applied.
What DMARC actually does, and why "none" is not enforcement
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It tells receiving mail servers what to do when an inbound message carries your domain in the From header but fails authentication, meaning neither SPF nor DKIM passed for a domain that aligns with that From domain. There are three policy options. "None" means take no action and deliver the message. "Quarantine" asks the receiver to treat the message as suspicious, which in practice means the spam or junk folder. "Reject" asks the receiver to refuse the message outright during the SMTP transaction.
A policy of "none" is a valid DMARC record, and it still produces the aggregate reports that make monitoring possible, but it provides no enforcement. The receiving server knows the message failed authentication and delivers it anyway. For the 74% of breached healthcare organizations on "none" or no record, the result is the same: spoofed mail arrives in inboxes alongside legitimate mail, with no signal to staff or systems that the sender was unverified.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has pushed federal agencies and critical infrastructure operators to move past "none" and toward enforcement policies; Binding Operational Directive 18-01 required federal civilian agencies to reach a policy of "reject". Healthcare is critical infrastructure. The breach data shows healthcare is also where enforcement adoption lags.
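The classification the report applies, as an added example rather than code from the report or from Paubox: given the TXT record published at `_dmarc.<domain>` (fetched by any DNS client; `None` stands for "no record"), work out which policy a receiver would actually apply. It handles the details that make "has a DMARC record" a weaker test than "enforces DMARC": a missing `p=` tag falls back to "none" only when `rua=` is present (RFC 7489 section 6.6.3), `pct=0` pushes failing mail down to the next weaker policy (section 6.6.4), and `sp=` overrides `p=` for subdomains. The sample records and domain names are constructed.

```python
"""Evaluate what a receiver would do with a domain's DMARC record.

Added example, not code from the report or from Paubox. The caller is assumed
to have fetched the TXT record at _dmarc.<domain>; None means no record.
"""

DMARC_POLICIES = ("none", "quarantine", "reject")
# When pct applies the policy to only part of the failing mail, the remainder
# gets the next weaker policy (RFC 7489 section 6.6.4); pct=0 means all of it.
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a tag dict; None if not a DMARC record."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None  # malformed tag: receivers ignore the whole record
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def dmarc_posture(record, subdomain=False):
    """Return the policy a receiver applies to failing mail, after pct and sp.

    'no_record' covers a missing, malformed or non-DMARC TXT record. A domain
    counts as enforced only if the effective policy is quarantine or reject.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return {"policy": "no_record", "pct": 0, "enforced": False, "reports": False}

    policy = tags.get("p", "").lower()
    if policy not in DMARC_POLICIES:
        # RFC 7489 6.6.3: no valid p= is treated as p=none when rua= is present,
        # otherwise the record is ignored altogether.
        if "rua" in tags:
            policy = "none"
        else:
            return {"policy": "no_record", "pct": 0, "enforced": False, "reports": False}
    if subdomain:
        sp = tags.get("sp", "").lower()
        if sp in DMARC_POLICIES:
            policy = sp

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    pct = max(0, min(100, pct))
    if pct == 0:
        policy = WEAKER[policy]

    return {
        "policy": policy,
        "pct": pct,
        "enforced": policy != "none",
        "reports": "rua" in tags,
    }


def unenforced_share(records):
    """Fraction of domains whose failing mail is simply delivered (the report's 74% metric)."""
    postures = [dmarc_posture(r) for r in records]
    return sum(1 for p in postures if not p["enforced"]) / len(postures)


if __name__ == "__main__":
    # Constructed sample records; the domains are not real.
    sample = {
        "clinic-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@clinic-a.example",
        "clinic-b.example": None,
        "clinic-c.example": "v=DMARC1; p=reject; rua=mailto:dmarc@clinic-c.example",
        "clinic-d.example": "v=DMARC1; p=quarantine; pct=0",
    }
    for domain, rec in sample.items():
        print(domain, dmarc_posture(rec))
    print("unenforced share:", unenforced_share(sample.values()))
```

Note that `p=reject; pct=0` still comes out as quarantine, which is what receivers do with it; only `p=quarantine; pct=0` collapses to "none", so a record can look like enforcement and be nothing of the sort.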
67% also had misconfigured SPF records
DMARC is one piece. The report found that 67% of breached organizations had misconfigured or overly permissive SPF records. SPF, or Sender Policy Framework, defines which servers are authorized to send email on behalf of a domain. A correctly configured SPF record is narrow. It lists only the mail servers and services that should ever send from your domain.
When an SPF record is too broad, for example one that ends in "+all" or includes a shared provider's entire address space, attackers can send spoofed mail from hosts the policy permits. SPF passes, and because the From domain matches, DMARC passes with it. Authentication looks clean to the receiving server. The message lands.
Misconfigured SPF often results from accumulation. An organization adds a third-party email service for marketing, then another for transactional mail, then another for HR. Each addition expands the SPF record. Old entries linger. Eventually the record permits more senders than the organization actually uses, and the gap is exploitable. Accumulation has a second cost: SPF allows at most 10 DNS-lookup mechanisms per evaluation (RFC 7208), and a record that grows past that limit returns a permanent error, so receivers cannot authenticate the legitimate mail either.
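A record audit that catches the patterns above, added here as an example and not code from the report or from Paubox. It parses the SPF text only (the `include:` targets are not resolved, so the lookup count is a lower bound), flags the "all" qualifier, the lookup budget, `include:` entries that are no longer in the organization's sender inventory, and wide `ip4:` ranges worth confirming. `_spf.google.com` and `spf.protection.outlook.com` are the real Google Workspace and Microsoft 365 include targets; the vendor include names, IP range and the `senders_in_use` inventory are constructed.

```python
"""Audit an SPF record for the over-permissive patterns described above.

Added example, not code from the report or from Paubox. Text-only: include:
targets are not resolved, so the lookup count is a lower bound.
"""

# Mechanisms that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return (qualifier, mechanism, value) terms from a 'v=spf1 ...' record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[:1] in ("+", "-", "~", "?"):
            qualifier, term = term[0], term[1:]
        if "=" in term:            # modifier, e.g. redirect=
            name, value = term.split("=", 1)
        elif ":" in term:          # include:, ip4:, a:, mx:
            name, value = term.split(":", 1)
        elif "/" in term:          # a/24, mx/24
            name, value = term.split("/", 1)
            value = "/" + value
        else:
            name, value = term, ""
        parsed.append((qualifier, name.lower(), value))
    return parsed


def audit_spf(record, senders_in_use):
    """Return a list of findings; empty means the record looks tight.

    senders_in_use: set of include: targets the organization still sends through.
    """
    findings = []
    terms = parse_spf(record)

    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceeds the limit of 10 (permerror)")

    all_quals = [q for q, name, _ in terms if name == "all"]
    if not all_quals:
        findings.append("no 'all' mechanism: unlisted senders get neutral, not fail")
    elif all_quals[-1] == "+":
        findings.append("'+all' authorizes every host on the internet")
    elif all_quals[-1] == "?":
        findings.append("'?all' is neutral: unlisted senders are not failed")
    elif all_quals[-1] == "~":
        findings.append("'~all' is softfail; prefer '-all' once the inventory is complete")

    for _, name, value in terms:
        if name == "include" and value not in senders_in_use:
            findings.append(f"include:{value} is not in the sender inventory (stale entry?)")
        if name == "ip4" and "/" in value:
            prefix = int(value.split("/")[1])
            if prefix < 24:  # wider than a /24 is usually a provider range, not your own hosts
                findings.append(f"ip4:{value} covers {2 ** (32 - prefix)} addresses; confirm they are all yours")
    return findings


# Constructed inventory and records for the demonstration.
SENDERS_IN_USE = {"_spf.google.com", "spf.protection.outlook.com"}
PERMISSIVE = ("v=spf1 include:_spf.google.com include:spf.protection.outlook.com "
              "include:spf.marketing-vendor.example include:spf.hr-platform.example "
              "ip4:203.0.113.0/22 +all")
TIGHT = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all"

if __name__ == "__main__":
    for label, rec in (("permissive", PERMISSIVE), ("tight", TIGHT)):
        print(label, audit_spf(rec, SENDERS_IN_USE) or ["ok"])
```

Receivers stop at the first matching mechanism, so anything after `all` is dead text; the audit reads the last `all` it sees, which is also the one that decides unlisted senders.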
Phishing thrives where authentication is missing
In Paubox survey data, 68% of healthcare IT leaders said they experienced a phishing attack in the past year. Phishing is the attack type most directly enabled by missing DMARC and SPF records. Without authentication enforcement, attackers can impersonate trusted domains without triggering authentication failures at the receiving server.
IBM's Cost of a Data Breach 2025 report found phishing remained one of the most common initial attack vectors globally, averaging $4.8 million per breach. In healthcare, where email carries protected health information (PHI) and staff routinely act on messages from colleagues, vendors, and patients, the exposure is higher than the global average.
Business email compromise (BEC) sits adjacent to phishing on the same authentication weakness. The FBI's Internet Crime Complaint Center reported BEC losses topping $2.9 billion in 2023, with healthcare consistently appearing in the top three sectors targeted. BEC requires the attacker to look credible. A spoofable domain with no DMARC enforcement is the credibility shortcut.
What spoofing looks like without enforcement
A healthcare organization with a DMARC policy of "none" and a permissive SPF record is running its email domain without identity verification. Any external sender can put the organization's domain in a "From" address. The receiving server evaluates DMARC, finds "none," and delivers the message unless its own spam filtering happens to catch it. The recipient sees what looks like an internal email.
For an attacker, this means phishing campaigns and BEC attempts can impersonate internal senders, finance contacts, and executives with minimal technical effort. For the organization, the cost of one successful spoof is potentially years of breach investigation, OCR reporting, patient notification, and remediation. The 74% DMARC failure rate among breached domains and the 68% phishing experience rate are not unrelated figures. They describe the same weakness from two angles.
Paubox ExecProtect is patented protection against display name spoofing, included in Paubox Email Suite Plus and Email Suite Premium. ExecProtect addresses one specific spoofing vector: an attacker forging an executive's name in the display field while sending from an unrelated domain. DMARC enforcement and SPF tightening close the domain-based spoofing path. ExecProtect closes the display-name path that DMARC alone does not cover.
Fixing it is a DNS record change
Moving DMARC from "none" to "quarantine" or "reject" is a configuration update at the DNS level. Tightening SPF to list only authorized senders is the same. Neither requires new infrastructure, new vendors, or migration. The block to adoption is operational: staff time to inventory legitimate senders, test enforcement in monitoring mode, and watch DMARC reports for false positives before flipping to quarantine or reject.
The standard rollout looks like this:
- Publish a DMARC record with policy "none" and reporting addresses (rua= for aggregate reports, ruf= for failure reports).
- Collect aggregate reports for 30 to 60 days. Identify all legitimate senders and any unauthorized sources.
- Update SPF and DKIM to cover all legitimate senders, and confirm each one passes for a domain that aligns with your From domain. Remove stale entries.
- Move DMARC policy to "quarantine" (optionally ramping up with pct=) and monitor for delivery issues.
- Move to "reject" once the quarantine state holds without false positives.
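The second step is where the work is: reading the aggregate reports that arrive at the rua= address. The following is an added example, not code from the report or from Paubox, that summarizes one report into per-source results and buckets each sending IP as authorized (aligned pass), an unaligned vendor (SPF or DKIM passed, but for a domain other than the From domain, so DMARC still fails) or unauthorized (nothing passed). The XML is constructed in the RFC 7489 Appendix C layout; real reports arrive as gzip or zip attachments, and the receiver name, IPs and domains here are not real.

```python
"""Summarize a DMARC aggregate (rua) report for the sender-inventory step.

Added example, not code from the report or from Paubox. SAMPLE_REPORT is a
constructed report in the RFC 7489 Appendix C layout. For reports from
unknown senders, parse with defusedxml rather than the stdlib parser.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>clinic.example</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>clinic.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>clinic.example</domain><result>pass</result></dkim>
      <spf><domain>clinic.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>25</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>clinic.example</header_from></identifiers>
    <auth_results>
      <spf><domain>hr-platform.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>clinic.example</header_from></identifiers>
    <auth_results>
      <spf><domain>clinic.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_rua(xml_text):
    """Return (policy_published, sources) with per-IP counts and alignment details."""
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    published = {"domain": policy.findtext("domain"), "p": policy.findtext("p")}
    sources = {}
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        header_from = rec.findtext("identifiers/header_from")
        # policy_evaluated already reflects alignment; DMARC passes if either
        # the aligned DKIM or the aligned SPF check passed.
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = sources.setdefault(ip, {"count": 0, "aligned": 0,
                                        "delivered_despite_fail": 0, "unaligned_pass": set()})
        entry["count"] += count
        if aligned:
            entry["aligned"] += count
        elif evaluated.findtext("disposition") == "none":
            entry["delivered_despite_fail"] += count  # what p=none costs you
        auth = rec.find("auth_results")
        if auth is not None:
            # Raw results that passed for some other domain: a vendor sending on
            # your behalf with its own envelope/signing domain, not aligned with you.
            for check in list(auth.findall("spf")) + list(auth.findall("dkim")):
                if check.findtext("result") == "pass" and check.findtext("domain") != header_from:
                    entry["unaligned_pass"].add(check.findtext("domain"))
    return published, sources


def classify(sources):
    """Bucket each source IP for the inventory: authorized, unaligned or unauthorized."""
    verdicts = {}
    for ip, e in sources.items():
        if e["aligned"] == e["count"]:
            verdicts[ip] = "authorized"
        elif e["unaligned_pass"]:
            verdicts[ip] = "unaligned"
        else:
            verdicts[ip] = "unauthorized"
    return verdicts


if __name__ == "__main__":
    published, sources = summarize_rua(SAMPLE_REPORT)
    print("published policy:", published)
    for ip, verdict in classify(sources).items():
        print(ip, verdict, sources[ip])
```

In the constructed report the "unaligned" source is the case that bites during rollout: the HR platform authenticates fine for its own domain, and under p=none nobody notices; under p=quarantine its mail starts landing in junk until it is given an aligned DKIM signature or an SPF include. The third source, 1,200 failing messages delivered untouched, is the spoofing the policy change is meant to stop.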
NIST Special Publication 800-177 Rev. 1 (Trustworthy Email) covers deployment guidance; the standards themselves are RFC 7208 (SPF), RFC 6376 (DKIM), and RFC 7489 (DMARC). The global DMARC adoption project tracks rollout best practices. All are free.
The 74% DMARC failure rate and 67% SPF misconfiguration rate describe gaps that can be closed through planning, testing, and monitoring of existing DNS records. The cost is staff hours, not capital expense.
Authentication is the floor, not the ceiling
DMARC enforcement and tighter SPF stop one category of attack: domain spoofing. They do not stop attacks from look-alike domains, compromised legitimate accounts, or AI-generated phishing from new sender addresses. Healthcare email security needs all of those layers covered. HIPAA-compliant email requires encryption, access controls, audit logging, and administrative safeguards on top of authentication.
Paubox handles authentication enforcement, encryption, and inbound AI-powered threat detection through the Paubox Email Suite product line. Every outbound email is encrypted by default. Recipients read encrypted messages directly in their inbox. There are no portals, passwords, or plugins. Inbound, AI-powered detection analyzes tone, sender behavior, and message intent to flag phishing, spoofing, and BEC that the basic spam-filter setups 65% of the market still run were never going to catch.
The breached healthcare organizations in the 2025 cohort were not failing at advanced threat detection. They were failing at authentication basics. Closing the DMARC and SPF gap is the cheapest, fastest, highest-impact move on the list.
Read the full 2026 Healthcare Email Security Report for the complete authentication analysis, M365 breach distribution, and AI adoption findings.
FAQs
What does a DMARC policy of "none" do? It tells receiving mail servers to deliver messages even when authentication fails. The policy provides reporting visibility but no enforcement.
How long does it take to move DMARC to enforcement? Most organizations spend 30 to 60 days in monitoring mode before moving to quarantine, then another monitoring window before moving to reject. The total project usually runs 60 to 120 days.
Can DMARC alone stop all email spoofing? No. DMARC stops domain spoofing. Look-alike domains, display-name spoofing, and compromised legitimate accounts require additional protection. ExecProtect and AI-powered inbound detection cover those vectors.
Are DMARC and SPF free? Yes. Both are open standards. The cost of adoption is staff time for configuration, testing, and monitoring.