
FTSE 250 DMARC report: 39% of the UK's top companies still don't block spoofed email

Red Sift analysed DMARC records for the FTSE 250. 60.8% have reached enforcement, but 98 of the UK's largest mid-cap companies still leave email exposed.

Jack Lilley·Sr. Comms & Content Marketing Manager
Published: May 12, 2026·8 min read

Red Sift analysed the DMARC records of all 250 constituents of the FTSE 250, the index of the UK's largest mid-cap listed companies. 152 of them (60.8%) have reached full DMARC enforcement at p=reject. The other 98 haven't. That's 39% of the UK's largest mid-caps still leaving room for someone to send email that looks like it came from them.

The headline number is better than what we've seen in the United States. Red Sift's regional US series found DMARC enforcement rates of 35% in the Northeast, 44% in the Mid-Atlantic, 40% in the Southwest, 36% in the Heartland, and 41% in the North Central states. The FTSE 250 is ahead. But ahead of a low bar is still a long way from finished.

Key takeaways

  • 152 of 250 FTSE 250 organisations (60.8%) have reached DMARC enforcement at p=reject
  • 47 organisations (18.8%) run p=none policies that monitor traffic but take no action against spoofed email
  • 33 organisations (13.2%) sit at p=quarantine, sending suspicious messages to spam rather than blocking them outright
  • 18 organisations (7.2%) have no DMARC record published at all
  • 98 of the UK's largest mid-cap companies (39.2%) are not yet at full enforcement

What the FTSE 250 DMARC data shows

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the email authentication standard that tells receiving mail servers what to do when a message fails DMARC: that is, when neither SPF nor DKIM produces a pass for a domain that aligns with the visible From: address. There are three policy levels:

  • p=none is monitoring only. The domain owner gets reports, but unauthenticated mail still gets delivered.
  • p=quarantine sends suspicious mail to spam.
  • p=reject blocks unauthenticated mail outright, before it reaches the inbox.

Only p=reject provides full protection against spoofing, and only when the record applies it to all mail (pct=100, the default) and subdomains are not carved out with a weaker sp= policy. Anything less is partial.

Across the 250 FTSE 250 domains analysed, the distribution is heavily weighted toward enforcement, which is the good news. The bad news is the long tail. Nearly one in five FTSE 250 companies has set up DMARC but stopped at p=none, which is the equivalent of installing a CCTV camera and then never reviewing the footage. Another 13% sit at p=quarantine, close to full protection but not quite there. And 18 organisations, including household names, haven't published a DMARC record at all.

Not sure where your organisation stands? Get a free DMARC status check with Red Sift Investigate.


Why the FTSE 250 matters

The FTSE 100 gets most of the security headlines. Banks, oil majors, and pharmaceutical giants have full security teams, board-level cyber risk oversight, and the budget to match. The FTSE 250 is different.

The 250 mid-cap constituents include housebuilders, regional retailers, fund managers, defence suppliers, food producers, and consumer brands that send millions of transactional emails a year. They're large enough to be high-value impersonation targets and small enough that security teams are often stretched thin. The gap between FTSE 100 maturity and FTSE 250 maturity is where attackers operate.

That's what makes the 60.8% enforcement rate interesting. It's well above what we've seen in regional US datasets, though those samples include public sector and smaller organisations, so the comparison is not like for like. Even so, the data points to UK mid-caps taking DMARC more seriously than their US equivalents, likely driven by:

  1. NCSC guidance. The UK National Cyber Security Centre (NCSC) has recommended DMARC at p=reject for years and made it a default expectation for public sector domains via the Active Cyber Defence programme from 2016 onwards. Private sector security teams take their cue from the same playbook.
  2. Mailbox provider pressure. Google, Yahoo, and Microsoft's bulk sender requirements from 2024 affect anyone sending to consumers in those ecosystems. Mid-cap consumer brands felt that pressure first.
  3. Supply chain demands. Many FTSE 250 companies sit in the supply chain of FTSE 100 customers who increasingly require DMARC as part of vendor assurance.

Even with that progress, 39% of the index not blocking spoofed email is the more interesting number. These are organisations with proper security teams, audit committees, and disclosure obligations. The gap isn't capability. It's prioritisation.

Where organisations remain exposed

The 47 organisations at p=none

This is the largest non-enforcement category. These are companies that have done the hardest part. They've published a DMARC record, set up reporting, and (in most cases) configured SPF and DKIM for their main sending sources. They've just never finished the job.

Moving from p=none to p=reject is where DMARC projects stall. The reason is operational, not technical. To safely enforce, you need to know every legitimate service sending mail on your behalf, configure each one to authenticate properly, and confirm nothing breaks when you flip the policy. For a mid-cap enterprise with marketing automation, HR systems, payroll providers, CRM platforms, and third-party support tools all sending email, that visibility is hard to achieve manually.

Organisations stuck at p=none are getting reports they don't have time to read. They're paying for a control they're not using. And they're presenting the same attack surface as organisations with no DMARC at all, because attackers don't care about the policy. They care about whether their spoofed mail gets through.

The 33 organisations at p=quarantine

p=quarantine is the most defensible partial position. Suspicious mail goes to spam, which means most users never see it. But "most" isn't "all", and enterprise spam filters are inconsistent. A spoofed invoice that lands in junk for one recipient might land in the inbox for another, depending on the mailbox provider, the user's settings, and the reputation of the sending IP.

Quarantine is also where attackers test their delivery. If a campaign can land in spam folders consistently, it can be iterated to improve inbox placement. Reject closes that door entirely.

The 33 FTSE 250 companies at quarantine are typically a project decision away from enforcement. They've done the work to validate their senders. They just haven't taken the final step.

The 18 organisations with no DMARC record

This is the most concerning category, and it cuts across sectors. The 18 include companies in housebuilding, retail, hospitality, food production, and industrial manufacturing. Several are consumer-facing brands that send transactional email to millions of UK customers.

Without a DMARC record, there's no policy for receiving mail servers to apply. Anyone can send email claiming to be from these domains, and there's no signal to the receiver that the message is unauthorised. SPF and DKIM may be in place, but neither protects the From: address on its own: SPF checks the envelope sender, which the attacker controls, and DKIM only proves that some domain signed the message, not that it was the domain the recipient sees. DMARC is what ties an SPF or DKIM pass to the From: domain and attaches a published policy to the result, so without it neither standard actually prevents spoofing.

For consumer-facing brands, this is also a brand protection issue. UK consumers receive phishing emails impersonating these organisations every day. Some of those emails get through. Some convert.

Why this matters now

Three things have changed in the last 18 months that make the 39% gap more expensive than it used to be.

Mailbox provider enforcement. Google, Yahoo, and Microsoft now require a published DMARC record for bulk senders. A p=none record is enough to satisfy them, so this is a deliverability floor rather than a security control, but marketing email from domains without a valid DMARC record is increasingly going to spam or bouncing. The cost of doing nothing isn't theoretical. It's measured in deliverability and pipeline.

Regulatory expansion. NIS2 applies to UK organisations operating in the EU. The UK's forthcoming Cyber Security and Resilience Bill, announced in the July 2024 King's Speech, is expected to expand the scope of regulated entities and tighten reporting requirements. Email authentication is foundational to both.

BEC losses. The FBI's IC3 reported $3 billion in business email compromise losses in 2025 globally. UK Finance figures put authorised push payment fraud, of which BEC is a major component, at £459 million in 2023. DMARC at p=reject is the single most effective control for stopping exact-domain impersonation, the step that makes much BEC work. It does nothing against lookalike domains or display-name tricks, which need separate controls, but it removes the cheapest and most convincing option from the attacker's menu.

Closing the gap

For the 98 FTSE 250 organisations not yet at p=reject, the path forward is clear:

  1. Check your current setup. Use free tools such as Red Sift Investigate to check your current DMARC, DKIM and SPF configuration.
  2. Audit your current sending. Use DMARC aggregate reports to map every service sending email on your behalf. Most mid-cap enterprises discover 30 to 60 services they didn't know about.
  3. Authenticate every legitimate source. Configure SPF and DKIM for each, and make sure the authenticated domain aligns with your From: domain; an SPF pass on a third party's own bounce domain does not count.
  4. Watch the reports. Confirm that authenticated mail passes and unauthenticated mail is visible. Resolve any failures.
  5. Move to p=quarantine, then p=reject. Phased rollouts, optionally ramped with the pct= tag, reduce the risk of breaking legitimate mail.
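Steps 2 to 4 above, as an added Python example that is not Red Sift's or any vendor's code: it parses an RFC 7489 aggregate (RUA) report of the kind receivers email to the rua= address, recomputes the DMARC verdict from the raw SPF and DKIM results plus identifier alignment, and lists the sending sources that would be affected by enforcement. It also shows the point made earlier about SPF and DKIM on their own: a pass only counts when the authenticated domain aligns with the From: domain, which is why a third-party sender authenticating its own bounce domain still fails DMARC. The report XML, IP addresses and domains are constructed, and the small suffix table is a stand-in for the Public Suffix List a real implementation would use.

```python
"""Summarise a DMARC aggregate (RUA) report by sending source.

Added example, not Red Sift's code. The sample report, addresses and domains
are constructed; MULTI_LABEL_SUFFIXES stands in for the Public Suffix List.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET  # use defusedxml for reports from untrusted parties
from dataclasses import dataclass, field

# Enough UK second-level suffixes to make "organisational domain" work for
# example.co.uk; a real implementation consults the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "ltd.uk", "plc.uk", "net.uk", "me.uk"}


def org_domain(name: str) -> str:
    """Organisational domain used for relaxed alignment (mail.example.co.uk -> example.co.uk)."""
    labels = name.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organisational domain."""
    if not auth_domain:
        return False
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


@dataclass
class Source:
    ip: str
    total: int = 0
    dmarc_pass: int = 0
    spf_unaligned_pass: int = 0          # SPF passed, but for a non-aligned domain (typical of ESPs)
    dispositions: set = field(default_factory=set)
    auth_domains: set = field(default_factory=set)

    @property
    def dmarc_fail(self) -> int:
        return self.total - self.dmarc_pass


def parse_aggregate_report(xml_text: str) -> dict[str, Source]:
    """Group an RFC 7489 aggregate report by source IP, recomputing pass/fail from auth_results."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    adkim = ((pub.findtext("adkim") if pub is not None else None) or "r").lower()
    aspf = ((pub.findtext("aspf") if pub is not None else None) or "r").lower()
    sources: dict[str, Source] = {}
    for rec in root.iter("record"):
        row, auth = rec.find("row"), rec.find("auth_results")
        ip, count = row.findtext("source_ip"), int(row.findtext("count"))
        header_from = rec.find("identifiers").findtext("header_from")
        dkims, spfs = auth.findall("dkim"), auth.findall("spf")
        dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain") or "", header_from, adkim) for d in dkims)
        spf_ok = any(s.findtext("result") == "pass" and aligned(s.findtext("domain") or "", header_from, aspf) for s in spfs)
        spf_unaligned = any(s.findtext("result") == "pass" and not aligned(s.findtext("domain") or "", header_from, aspf) for s in spfs)
        src = sources.setdefault(ip, Source(ip))
        src.total += count
        if dkim_ok or spf_ok:                # DMARC passes when either identifier aligns
            src.dmarc_pass += count
        elif spf_unaligned:
            src.spf_unaligned_pass += count  # legitimate-looking sender that needs DKIM or an aligned SPF domain
        src.dispositions.add(row.find("policy_evaluated").findtext("disposition"))
        src.auth_domains.update(el.findtext("domain") or "" for el in dkims + spfs)
    return sources


def failing_sources(sources: dict[str, Source]) -> list[Source]:
    """Sources with DMARC failures, worst first: the list to fix (unconfigured senders)
    or to leave blocked (spoofers) before moving past p=none."""
    return sorted((s for s in sources.values() if s.dmarc_fail), key=lambda s: s.dmarc_fail, reverse=True)


# Constructed report: own mail server, a third-party ESP using its own bounce domain,
# a spoofer, and a subdomain sender that passes under relaxed alignment.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range></report_metadata>
  <policy_published><domain>example.co.uk</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>198.51.100.7</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results><dkim><domain>example.co.uk</domain><result>pass</result></dkim>
      <spf><domain>example.co.uk</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>203.0.113.25</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results><spf><domain>bounce.esp-example.net</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>192.0.2.99</source_ip><count>58</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results><spf><domain>example.co.uk</domain><result>fail</result></spf></auth_results></record>
  <record><row><source_ip>198.51.100.8</source_ip><count>75</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results><dkim><domain>mail.example.co.uk</domain><result>pass</result></dkim>
      <spf><domain>mail.example.co.uk</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

if __name__ == "__main__":
    for src in failing_sources(parse_aggregate_report(SAMPLE_REPORT)):
        print(f"{src.ip:15} fail={src.dmarc_fail:5} spf-pass-but-unaligned={src.spf_unaligned_pass:5} domains={sorted(src.auth_domains)}")
```

Run over real reports, the `spf_unaligned_pass` column is the one to read first: those are usually legitimate services (marketing platform, payroll, support desk) that need DKIM signing with your domain or an aligned SPF return-path before you can enforce, whereas sources with no pass at all are candidates for blocking. Parse reports from third parties with defusedxml rather than the stdlib parser used here for the constructed sample.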

The tooling has matured. What used to be a six-to-twelve month project now takes six to eight weeks with the right platform.

Red Sift OnDMARC automates the discovery, configuration, and ongoing monitoring needed to reach and stay at enforcement. Dynamic SPF flattens lookup chains automatically. The reporting dashboard surfaces issues by sending source. And continuous monitoring catches drift the moment a new service is added.

Methodology: Red Sift analysed published DNS records for the 250 domains belonging to FTSE 250 constituent companies as of May 2026. Records checked include SPF, DKIM, and DMARC. Policy classification is based on the p= value in the published DMARC record. Organisations without a published DMARC record are categorised as N/A. Where a domain published a DMARC record but no valid policy could be retrieved, the record is classified as policy not found.
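The policy levels described earlier and the classification rules in this methodology, as an added Python example that is not Red Sift's own tooling. It works on TXT record strings already fetched from `_dmarc.<domain>` (for instance with dnspython or `dig txt _dmarc.example.com`), so it runs offline; the sample domains and records are constructed, not FTSE 250 data. The `weak_spots` check goes beyond the report's classification: it flags pct= and sp= settings that make a headline p=reject weaker than it looks.

```python
"""Classify published DMARC records the way the report's methodology does.

Added example, not Red Sift's tooling. Input is the list of TXT strings found
at _dmarc.<domain>; all sample domains and records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

VALID_POLICIES = {"none", "quarantine", "reject"}
CATEGORIES = ("reject", "quarantine", "none", "policy not found", "N/A")


@dataclass(frozen=True)
class DmarcStatus:
    category: str      # one of CATEGORIES
    enforcing: bool    # True only for p=reject, the report's definition of enforcement
    tags: dict


def parse_dmarc_record(txt: str) -> dict[str, str]:
    """Split a DMARC TXT record into a tag dictionary.

    RFC 7489: 'name=value' pairs separated by ';', 'v=DMARC1' must come first,
    tag names are case-insensitive. Raises ValueError for a non-DMARC string.
    """
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = name.strip().lower(), value.strip()
        if not tags and (name != "v" or value.upper() != "DMARC1"):
            raise ValueError("record must start with v=DMARC1")
        tags.setdefault(name, value)  # first occurrence of a tag wins
    if not tags:
        raise ValueError("empty record")
    return tags


def classify(txt_records: list[str]) -> DmarcStatus:
    """Apply the report's categories to the TXT records found at _dmarc.<domain>.

    N/A              -> no record starting with v=DMARC1
    policy not found -> a record exists but no valid p= value can be used
    otherwise        -> the p= value (reject / quarantine / none)
    Two or more DMARC records also count as 'policy not found': RFC 7489 tells
    receivers to stop processing in that case, so no policy is applied.
    """
    candidates = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not candidates:
        return DmarcStatus("N/A", False, {})
    if len(candidates) > 1:
        return DmarcStatus("policy not found", False, {})
    try:
        tags = parse_dmarc_record(candidates[0])
    except ValueError:
        return DmarcStatus("policy not found", False, {})
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # Receivers that see rua= but no valid p= fall back to p=none (RFC 7489 s6.6.3);
        # the report's methodology still files this as 'policy not found'.
        return DmarcStatus("policy not found", False, tags)
    return DmarcStatus(policy, policy == "reject", tags)


def weak_spots(tags: dict[str, str]) -> list[str]:
    """Added check beyond the report's classification: settings that make the
    headline p= value weaker than it looks."""
    rank = {"none": 0, "quarantine": 1, "reject": 2}
    p, sp, pct = tags.get("p", "").lower(), tags.get("sp", "").lower(), tags.get("pct", "100")
    issues: list[str] = []
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if sp in rank and p in rank and rank[sp] < rank[p]:
        issues.append(f"sp={sp}: subdomains get a weaker policy than the organisational domain")
    if "rua" not in tags:
        issues.append("no rua= tag: no aggregate reports, so no visibility of who sends as you")
    return issues


def summarise(lookups: dict[str, list[str]]) -> dict[str, int]:
    """Count domains per category, reproducing the report's breakdown."""
    counts = {c: 0 for c in CATEGORIES}
    for records in lookups.values():
        counts[classify(records).category] += 1
    return counts


# Constructed lookup results for five hypothetical domains, one per category.
SAMPLE_LOOKUPS = {
    "enforcing.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@partial.example"],
    "monitoring.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example"],
    "broken.example": ["v=DMARC1; p=rejct"],   # typo, so no valid policy can be retrieved
    "absent.example": [],                       # nothing published at _dmarc.absent.example
}

if __name__ == "__main__":
    for domain, records in SAMPLE_LOOKUPS.items():
        status = classify(records)
        print(f"{domain:20} {status.category:17} {weak_spots(status.tags)}")
    print(summarise(SAMPLE_LOOKUPS))
```

Two caveats worth keeping in mind when running this against real domains: a record that is syntactically valid but at p=reject with pct=10 or sp=none is counted as enforcing by a p=-only classifier, which is why `weak_spots` is worth running alongside `classify`; and DNS lookups should be made for the organisational domain as well as any subdomain you care about, since the subdomain falls back to the organisational record only when it has none of its own.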

Get started with Red Sift OnDMARC

Get started with Red Sift OnDMARC today. Speak to our team to secure your organisation.

Jack Lilley
Sr. Comms & Content Marketing Manager

Jack leads content, PR, GEO, and email security research at Red Sift.