Healthcare DMARC: High Coverage, Mid-Pack Enforcement, and a HIPAA Angle
Hospital systems have the highest DMARC deployment rate of any category in our study: 92% have published a record. That's above Fortune 100 companies, above federal agencies, above banks. Yet only 68% are at p=reject. The 24-point gap between deployment and enforcement matters more in healthcare than almost anywhere: a spoofed email from a health system is a direct path to patient phishing, credential theft, and HIPAA liability.
The numbers
We checked 25 of the largest US health systems by revenue in May 2026:
- 92% have a DMARC record (23/25), the highest of any category
- 68% at
p=reject(17/25) - 24% have DMARC but not at enforcement (6/25)
- 8% have no DMARC record (2/25)
Why healthcare domains are high-value spoofing targets
Patient credential theft. Health system patient portals contain insurance information, Social Security numbers, and medical records. A spoofed "your test results are ready" email from a recognizable hospital system drives portal logins to attacker-controlled pages.
Healthcare worker credential theft. Clinician credentials provide access to EHR systems with data on thousands or millions of patients. Targeted phishing at healthcare workers is a persistent attack category.
Billing fraud. Spoofed invoices appearing to come from a health system's billing department are a documented fraud vector, particularly against insurers and employers.
HIPAA breach exposure. A successful phishing attack triggered by a spoofed health system email is a potential HIPAA breach event. If patient data is accessed as a result, mandatory breach notification follows.
The 92% deployment story
Healthcare IT has HIPAA compliance culture behind it. Health system security and compliance teams are accustomed to documentation, audit requirements, and mandated controls. When "publish a DMARC record" entered the email security conversation, healthcare IT heard it and acted.
The 92% deployment rate reflects organizations that take "implement the control" seriously. The 24-point gap to enforcement reflects organizations that stopped at the first step.
The enforcement gap and its causes
The six health systems at p=none are collecting reports but not blocking spoofed mail. The structural reason is the same as at universities and large enterprises: complex, partially decentralized sending infrastructure.
A major health system sends patient communications from an EHR platform, appointment reminders from a scheduling system, billing notices from a revenue cycle vendor, employee communications from a corporate platform, and marketing from a separate CRM, all potentially using the health system's main domain. Aligning every sending source before enforcement is safe requires enumerating all of them from DMARC aggregate reports, then working through each vendor to configure authentication correctly.
The compliance culture that drove deployment isn't always sufficient to drive the follow-through.
The HIPAA connection
HIPAA doesn't explicitly require DMARC. But the connection is direct. The HHS Office for Civil Rights (OCR) examines whether organizations had reasonable technical safeguards in place when investigating breach incidents. An organization that suffered a phishing-triggered breach while sitting at p=none has a harder argument that it implemented "reasonable safeguards" for email, one of the primary phishing delivery channels.
The Security Rule requires covered entities to implement technical safeguards that protect ePHI from unauthorized access. Enforcing DMARC reduces the attack surface for phishing attacks that lead to exactly the kind of unauthorized access OCR investigates.
Health systems at p=quarantine or p=none aren't necessarily in HIPAA violation. But in a post-breach investigation, the question "why wasn't DMARC enforced?" is worth being able to answer.
Getting from deployment to enforcement
Healthcare has an advantage that universities lack: compliance culture means security recommendations carry weight. A CISO recommendation to enforce DMARC will get more traction in a health system than in a university department. The sending source audit is still required, but the organizational path to completing it is clearer.
The email authentication checker shows the current authentication posture of any domain. If your health system's domain is at p=none, the reports you're collecting already contain the information needed to start the migration to enforcement.
Full health system results are at the DMARC adoption research page. The email authentication checker shows your health system's current authentication posture.
