Many Healthcare Organizations Use DMARC But Fail to Implement It Effectively


Healthcare organizations can use DMARC, the Domain-based Message Authentication, Reporting and Conformance Standard, to detect and prevent email spoofing, but only a few healthcare organizations are currently using DMARC, according to email authentication vendor Valimail.

DMARC works by making sure that a domain is only used by authorized senders of messages. Without DMARC, hackers can send an email by putting a company’s domain in the From field when sending an email. Employees attending security awareness programs are trained not to click hyperlinks or open attachments in emails that came from unknown senders. But, if an email seems to have come from a known contact, they are much more likely to click links and open email attachments.

According to research by Cofense, over 91% of cyberattacks start with a phishing email and most successful phishing attacks involve impersonation. Hence, the lack of controls to prevent email impersonation leaves companies vulnerable to phishing attacks.

DMARC is an effective anti-phishing tool. It creates a record for a domain and checks all the messages that use the domain. If the sender is an authenticated user of the domain, the email will be delivered. If not, it will be recorded and the receiving server will block delivery of the message. Depending on the control level set, the message could be delivered to the spam folder or it will be blocked.

Valimail studied the domains of 928 healthcare companies with annual revenues of over $300 million. Only 121 companies or 13% adopted DMARC to protect their domains from email spoofing. When DMARC is implemented, many healthcare companies set permissive controls, hence they are alerted to email impersonation attacks but the email messages are not blocked. Only 1.7% of healthcare organizations have set their controls to reject emails from unauthorized senders.

More healthcare companies (60%) use the Sender Policy Framework (SPF) standard. SPF is also effective but it only validates the return-path field.  It cannot prevent email impersonation attacks and does not evaluate an organization’s domain inputted in the email’s From field.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

More healthcare organizations are adopting DMARC but implementation is a challenge. Only large healthcare organizations typically implement DMARC to secure their email channel, according to Valimail.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: