7 min read By Excello Mail Team

Healthcare Has the Most to Lose from Email Spoofing. Only 11% of US Healthcare Domains Are Actually Protected.

A Paubox analysis of 170 healthcare breaches found that 74% of victimized organizations had no enforced DMARC policy. With 120 ransomware attacks on healthcare providers in Q1 2026 alone, the sector's email authentication gap is now a patient safety issue.

A new report from Paubox makes the connection between weak email authentication and real-world healthcare breaches impossible to ignore: of 170 email-related breaches at healthcare organizations analyzed across all of 2025, 74% involved domains with DMARC set to monitoring-only mode or no DMARC record at all.

That is a strong association, not a proven causal chain: an unenforced DMARC policy does not by itself cause a breach, and several common intrusion paths never involve spoofing the victim's own domain. But the pattern fits the broader sector data: the United States healthcare industry sits at just 11% DMARC enforcement in 2026, a figure that looks even more alarming alongside Q1 2026's count of 120 ransomware attacks on hospitals, clinics, and other healthcare providers, plus 81 additional attacks on healthcare-adjacent businesses like billing processors and pharmaceutical manufacturers.

Healthcare is one of the highest-value targets for email-borne attacks in every category: patient data commands premium prices on criminal markets, ransomware attackers know that downtime in care settings creates leverage that boards cannot easily refuse, and phishing campaigns impersonating healthcare brands target both employees and patients. Yet the sector’s authentication defenses are among the weakest of any regulated industry.

What the Paubox Data Found

Paubox’s 2026 Healthcare Email Security Report examined 170 email-related breaches reported to HHS between January and December 2025. The findings across that breach set are stark.

74% of breached organizations had DMARC set to p=none (monitoring only) or had no DMARC record whatsoever. Both configurations deliver the same outcome: the receiving server may still evaluate SPF, DKIM and DMARC, but the domain owner has asked for no action on failure, so spoofed email claiming to be from the organization's domain is delivered, or at best left to the receiver's ordinary spam filtering.

67% of breached organizations had misconfigured or overly permissive SPF records. In practice that means records ending in +all or ?all, ip4: mechanisms that cover a provider's entire address space rather than the organization's own hosts, or so many include: mechanisms that the record exceeds the ten-DNS-lookup limit and evaluates to permerror. A record like that either authorizes strangers alongside legitimate senders or fails for everyone, and either way the SPF half of DMARC stops meaning anything.

Not one breached organization enforced MTA-STS, the protocol that lets a domain tell sending servers to require a valid TLS certificate when delivering to its MX hosts and to refuse delivery otherwise. Every organization in the breach set was relying on opportunistic STARTTLS for inbound mail, which an attacker positioned between mail servers can silently strip by removing the STARTTLS capability from the receiving server's EHLO response so the sender falls back to cleartext. MTA-STS only protects deliveries from senders that check for it, but the large mailbox providers do.

53% of breached organizations used Microsoft 365 as their primary email platform, up from 43% in 2024. That concentration reflects Microsoft 365's market share in healthcare, but it also means one default propagates across the sector: until an administrator enables DKIM for the custom domain, Microsoft 365 signs outbound mail with the tenant's onmicrosoft.com domain, which does not align with the organization's From: domain, so DMARC for those messages rests on SPF alone.

41% of breached organizations fell into the highest-risk authentication category based on their combined authentication and encryption posture, up from 31% the prior year.
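To make these findings checkable rather than abstract, here is an added example in Python, not code from Paubox or Excello Mail, that classifies a domain's posture the way a receiver sees it: the DMARC policy and whether it collects reports, the SPF patterns that make a record useless, and whether MTA-STS is present and enforcing. The records, the hospital.example domain and the width threshold for ip4: prefixes are constructed for illustration, and two simplifications are deliberate: nothing is fetched from DNS (the record strings are passed in), and the SPF lookup count does not recurse into include: targets as a real evaluator must.

```python
"""Classify a domain's email-authentication posture from its DNS records.

Added example, not code from Paubox or Excello Mail. The records below are
constructed; in practice they come from `dig TXT _dmarc.<domain>`, the SPF
TXT at the apex, `_mta-sts.<domain>` and the HTTPS-served policy file.
"""

# Constructed inputs: hospital.example is a placeholder, not a real domain.
DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@hospital.example"
DMARC_REJECT = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hospital.example"
SPF_LOOSE = "v=spf1 include:spf.protection.outlook.com ip4:198.0.0.0/8 ?all"
SPF_TIGHT = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all"
MTA_STS_TXT = "v=STSv1; id=20260101T000000Z"
MTA_STS_POLICY = "version: STSv1\nmode: enforce\nmx: mail.hospital.example\nmax_age: 604800\n"


def parse_tags(record):
    """Parse a 'k=v; k2=v2' tag list (the DMARC and MTA-STS TXT syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_posture(record):
    """Return (policy, findings); policy is 'missing', 'none', 'quarantine' or 'reject'."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return "missing", ["no DMARC record: receivers apply no domain-owner policy to spoofed mail"]
    tags = parse_tags(record)
    policy = tags.get("p", "none").lower()
    findings = []
    if policy == "none":
        findings.append("p=none: DMARC is evaluated but failures are only reported, never acted on")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no sending inventory")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if policy == "reject" and tags.get("sp", "reject").lower() != "reject":
        findings.append(f"sp={tags['sp']}: subdomains can still be spoofed")
    return policy, findings


def spf_posture(record):
    """Flag the permissive or broken SPF patterns that defeat alignment."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record"]
    findings, lookups, has_all = [], 0, False
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            has_all = True
            if qualifier in "+?":  # +all / ?all: any host on the internet passes
                findings.append(f"'{term}': every sender passes SPF")
        elif mech.startswith("ip4:") and "/" in mech and int(mech.split("/")[1]) < 16:
            findings.append(f"'{term}': a prefix this wide authorizes far more than your own hosts")
        if (mech.startswith(("include:", "exists:", "redirect=", "a:", "mx:", "a/", "mx/", "ptr"))
                or mech in ("a", "mx")):
            lookups += 1  # RFC 7208 caps DNS-lookup mechanisms at 10 (includes not expanded here)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms: over the limit of 10, evaluators return permerror")
    if not has_all and not any(t.lower().startswith("redirect=") for t in record.split()):
        findings.append("no 'all' term: unlisted senders evaluate to neutral rather than fail")
    return findings


def mta_sts_posture(txt_record, policy_text):
    """Return (mode, findings) for the _mta-sts TXT record plus the policy file body."""
    if not txt_record or not txt_record.lower().startswith("v=stsv1"):
        return "missing", ["no MTA-STS: senders fall back to opportunistic STARTTLS that can be stripped"]
    policy = {}
    for line in policy_text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            policy.setdefault(key.strip().lower(), []).append(value.strip())
    mode = policy.get("mode", ["none"])[0].lower()
    findings = []
    if mode != "enforce":
        findings.append(f"mode: {mode}: downgrade attempts are reported but not refused")
    if not policy.get("mx"):
        findings.append("policy lists no mx hosts, so senders cannot validate the MX certificate")
    return mode, findings


if __name__ == "__main__":
    print("dmarc p=none ", dmarc_posture(DMARC_NONE))
    print("dmarc reject ", dmarc_posture(DMARC_REJECT))
    print("spf loose    ", spf_posture(SPF_LOOSE))
    print("spf tight    ", spf_posture(SPF_TIGHT))
    print("mta-sts      ", mta_sts_posture(MTA_STS_TXT, MTA_STS_POLICY))
```

Run as-is it prints the findings for each constructed record; point the three functions at real records pulled with dig and the output is the same kind of checklist the report's categories describe, which is enough to rank a fleet of hospital domains by how exposed each one is.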

The Sector Comparison That Should Alarm Healthcare Leadership

US healthcare’s 11% DMARC enforcement rate becomes more troubling when placed against other industries.

The US federal government sits at 92% DMARC enforcement. The gap comes from a direct mandate: the Department of Homeland Security's Binding Operational Directive 18-01, issued in October 2017, required federal agencies to reach a DMARC policy of p=reject within one year. Where regulators require it, adoption happens.

Financial services runs at approximately 60% DMARC enforcement, driven by PCI DSS requirements, consumer protection regulation, and direct scrutiny from the FDIC and OCC on third-party risk. The sector’s financial incentives align with security: fraud losses from spoofed domains hit the bottom line directly.

Norwegian healthcare has reached 55.6% at p=reject. Norway’s GDPR implementation and NIS2 obligations, combined with sector-specific regulatory pressure, produced enforcement rates in healthcare that US organizations operating under HIPAA alone cannot currently approach.

The US healthcare gap is not primarily a technical problem. DMARC implementation follows the same steps for a hospital as for any other domain. The problem is that HIPAA does not currently require it, and without a mandate, complex operational environments and competing IT priorities keep organizations stuck at p=none indefinitely.

Why Healthcare Email Environments Are Genuinely Complex

The 11% figure does not reflect indifference. Healthcare email environments are among the most complicated in any industry, and that complexity makes DMARC enforcement harder than it sounds.

A mid-size hospital system typically sends email from its corporate Microsoft 365 or Google Workspace tenant, its electronic health records platform (Epic, Oracle Health (formerly Cerner), and others all dispatch notifications under the organization's domain name), its patient portal system, its lab results notification service, appointment reminder platforms, billing communications tools, and a long list of business associates and vendors who communicate with patients on the organization's behalf.

Every one of those systems is a potential sending source, and every one needs to produce a DMARC pass on the organization's domain: either an SPF pass whose envelope (MAIL FROM) domain aligns with the From: domain, or a DKIM signature made with the organization's domain, or both. The distinction matters for vendors: a third party that sends with its own bounce domain will pass SPF for that bounce domain and still fail DMARC, because nothing aligns, so DKIM signing with a key you publish under your own domain (usually via CNAME delegation to the vendor) is the reliable path. Moving to p=reject without having identified and authenticated every one of those paths risks blocking legitimate patient communications: appointment reminders, lab results, billing statements.

This complexity is real. But it is also exactly what aggregate DMARC reporting is designed to surface. The data starts arriving as soon as a p=none record carrying a rua= address is published: participating receivers send a daily XML report listing every source IP that used the domain in the From: header, with message counts and SPF and DKIM results. The problem is that most healthcare organizations publish that monitoring record, never systematically review the reports, and never proceed to enforcement.

What Attackers Do With a p=none Healthcare Domain

A healthcare domain at p=none is a ready-made spoofing platform. An attacker wanting to send credential-harvesting phishing to a hospital's employees can craft messages with a From: address using the hospital's exact domain. If the attacker relays through a legitimate sending service, SPF may even pass for that service's own envelope domain; it does not align with the hospital's From: domain, so DMARC fails either way. At p=none that failure is reported and nothing else happens: the domain owner has told receivers to take no action, and the message's fate is left to ordinary spam filtering. What enforcement does not address is a lookalike domain or display-name spoofing, which leave the real From: domain untouched; those need separate controls.

The same attack targets patients directly: billing fraud campaigns that spoof the hospital’s domain to demand payment redirects, password reset phishing impersonating the patient portal, appointment confirmation fraud that harvests personal health information.

Business email compromise in healthcare is particularly damaging because wire transfers tied to medical billing, vendor payments, and insurance settlements can be substantial. 64% of healthcare IT professionals surveyed in 2026 consider their organizations vulnerable to BEC or phishing spoofing. 67% report that phishing and BEC have negatively impacted patient care quality.

Those two statistics belong together. Spoofing attacks do not stay confined to financial systems. When attackers compromise credentials through a phishing email, they gain access to clinical systems. When ransomware enters through a phishing campaign and encrypts clinical systems, scheduled surgeries are postponed, emergency departments divert patients, and care decisions get made without access to complete records.

The Path from Exposed to Enforced

The path from p=none to p=reject in healthcare follows the same phases as any other domain. The healthcare-specific considerations make some phases more time-intensive, but none of the steps are fundamentally different.

Establish a sending inventory. Before changing any policy, identify every system that sends email with the organization's domain in the From: header. This means EHR platforms, patient portals, lab systems, appointment systems, billing platforms, and every business associate communication channel. Aggregate DMARC reports (RUA) will show traffic from each sending source, keyed by source IP, with SPF and DKIM alignment status; map each IP to an owner through reverse DNS, the vendor's published sending ranges, or simply asking the vendor, and treat anything nobody claims as hostile until proven otherwise.

Authenticate each source. For internally controlled systems, configure DKIM signing with the organization's domain. For third-party vendors, work with each vendor to confirm DKIM signing is enabled and aligned. This phase takes the most time in healthcare: the vendor count is large, and some legacy platforms do not support DKIM signing at all. Those get a subdomain strategy: move the platform to a dedicated subdomain, publish an SPF record there that authorizes only that platform, and have it use a return-path on the same subdomain so SPF aligns; the subdomain can carry its own DMARC policy while the main domain moves on to enforcement.

Move to quarantine, then reject. Once RUA data shows consistent authentication from all known sources, move to p=quarantine, optionally with pct= below 100 so the policy applies to a sample of failing mail first. Monitor for two to four weeks. If no unexpected legitimate sources surface, move to p=reject. At that point, receivers that honor DMARC, which include every major mailbox provider, refuse spoofed email claiming to be from the organization's domain before it reaches any inbox.

Add MTA-STS. Given that not one breached organization in the Paubox study enforced MTA-STS, adding it to the enforcement checklist matters alongside DMARC. MTA-STS prevents a class of man-in-the-middle attacks on email transport that operate silently and do not appear in DMARC aggregate reports. It needs two pieces, a DNS TXT record under _mta-sts and a policy file served over HTTPS from the mta-sts subdomain, and it gets its own reporting channel through a companion TLS-RPT record, so the same monitor-then-enforce rhythm applies: start in testing mode, read the reports, then switch to enforce.
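The inventory step is the one that turns report data into decisions, so here is an added example in Python, not Excello Mail's parser or anything from the Paubox report, that reads one RUA report and tallies, per source IP, how much mail passes DMARC and how much would be affected at enforcement. The report, the hospital.example domain, the vendor domain and the IPs are constructed; the organizational-domain check is a two-label simplification of the Public Suffix List rule. The second record is the case from the alignment discussion above: a vendor whose SPF passes on its own bounce domain and therefore still fails DMARC.

```python
"""Turn a DMARC aggregate (RUA) report into a sending-source inventory.

Added example, not Excello Mail's or Paubox's code. SAMPLE_RUA is a constructed
report in the RFC 7489 Appendix C schema: hospital.example and the vendor domain
are placeholders and the IPs are documentation ranges.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name>
    <date_range><begin>1767225600</begin><end>1767311999</end></date_range></report_metadata>
  <policy_published><domain>hospital.example</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <!-- corporate tenant: DKIM signed with the organization's own domain -->
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1240</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>hospital.example</header_from></identifiers>
    <auth_results><dkim><domain>hospital.example</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>hospital.example</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- appointment-reminder vendor: SPF passes on its own bounce domain, no DKIM -->
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>310</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>hospital.example</header_from></identifiers>
    <auth_results><spf><domain>bounce.reminders-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- unknown host spoofing the domain outright -->
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>57</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>hospital.example</header_from></identifiers>
    <auth_results><spf><domain>hospital.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def org_domain(name):
    """Organizational domain for relaxed alignment. Simplification: the last two
    labels; a real implementation consults the Public Suffix List."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(domain, header_from, strict):
    """DMARC identifier alignment: exact match in strict mode, same organizational
    domain in relaxed mode (the adkim/aspf tags select which)."""
    if strict:
        return domain.lower() == header_from.lower()
    return org_domain(domain) == org_domain(header_from)


def inventory(report_xml):
    """Return {source_ip: stats}: messages that passed or failed DMARC and, among the
    failures, how many passed SPF on a non-aligned domain (the signature of a vendor
    sending with its own return path)."""
    root = ET.fromstring(report_xml)
    strict_dkim = root.findtext("policy_published/adkim", "r") == "s"
    strict_spf = root.findtext("policy_published/aspf", "r") == "s"
    sources = defaultdict(lambda: {"count": 0, "dmarc_pass": 0, "dmarc_fail": 0,
                                   "spf_pass_unaligned": 0, "dkim_domains": set()})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        header_from = rec.findtext("identifiers/header_from")
        dkim_ok = spf_ok = spf_pass_any = False
        for dkim in rec.findall("auth_results/dkim"):
            domain = dkim.findtext("domain", "")
            sources[ip]["dkim_domains"].add(domain.lower())  # reveals onmicrosoft.com-style signing
            if dkim.findtext("result") == "pass" and aligned(domain, header_from, strict_dkim):
                dkim_ok = True
        for spf in rec.findall("auth_results/spf"):
            if spf.findtext("result") == "pass":
                spf_pass_any = True
                spf_ok = spf_ok or aligned(spf.findtext("domain", ""), header_from, strict_spf)
        entry = sources[ip]
        entry["count"] += count
        if dkim_ok or spf_ok:  # DMARC passes when either identifier aligns
            entry["dmarc_pass"] += count
        else:
            entry["dmarc_fail"] += count
            if spf_pass_any:
                entry["spf_pass_unaligned"] += count
    return dict(sources)


def needs_attention(inv):
    """Source IPs that would be quarantined or rejected at enforcement: each is either
    a legitimate sender still to be authenticated or a spoofer."""
    return sorted(ip for ip, entry in inv.items() if entry["dmarc_fail"] > 0)


if __name__ == "__main__":
    inv = inventory(SAMPLE_RUA)
    for ip, entry in inv.items():
        print(ip, {k: (sorted(v) if isinstance(v, set) else v) for k, v in entry.items()})
    print("needs attention before p=reject:", needs_attention(inv))
```

In production the reports arrive as gzip or zip attachments to the rua= mailbox, one per receiver per day; unzip each, feed it to inventory(), and merge the dictionaries across days before deciding which IPs are vendors to chase (spf_pass_unaligned is the tell) and which are spoofers that p=reject will stop.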

Realistic timelines range from three months for smaller organizations with simpler environments to twelve months for large hospital systems with dozens of third-party communication platforms. Neither timeline is short. Both are shorter than the next breach.


Ready to see every source sending as your organization’s domain? Excello Mail parses your DMARC aggregate reports, surfaces every sending source with SPF and DKIM alignment status, and gives you the visibility you need to move from p=none to p=reject without disrupting patient communications. Sign up for free to Excello Mail and take the first step toward closing healthcare’s authentication gap.