Introduction
A recent comprehensive analysis of 5,849 domains across 13 sectors has delivered a stark warning to the cybersecurity community: Government and Healthcare entities remain the weakest links in global email security infrastructure. The study highlights a critical failure in implementing basic email authentication protocols—SPF, DMARC, DKIM, and MTA-STS.
For defenders, this is not merely a statistic; it is an active exploitation surface. In 2026, threat actors continue to leverage these configuration gaps to conduct sophisticated Business Email Compromise (BEC) and social engineering campaigns. The absence of these protocols allows attackers to spoof trusted domains with impunity, bypassing standard gateway filters and delivering malicious payloads directly to user inboxes. This post provides a technical breakdown of these failures, detection logic for inbound threats, and immediate remediation steps.
Technical Analysis
Affected Sectors and Scope
The analysis scrutinized live DNS records for 5,849 domains. Government and Healthcare sectors scored consistently lowest on an 8-point scale based on the implementation of four core protocols. This systemic weakness suggests a reliance on legacy perimeter defenses that fail to authenticate the source of email traffic.
Core Protocols and Failure Modes
-
SPF (Sender Policy Framework): The first line of defense. It specifies which mail servers are authorized to send email on behalf of a domain. Failure Impact: Without SPF, any mail server on the internet can send mail claiming to be from the target domain.
-
DKIM (DomainKeys Identified Mail): Uses cryptographic signatures to verify that an email was not altered in transit. Failure Impact: Ensures integrity; without it, attackers can modify the content of legitimate emails or sign malicious ones if the domain is compromised.
-
DMARC (Domain-based Message Authentication, Reporting, and Conformance): Ties SPF and DKIM together, telling receiving servers what to do if authentication fails (e.g., reject or quarantine). Failure Impact: The most critical gap. Without DMARC, SPF and DKIM failures are often ignored, allowing spoofed emails to land in inboxes.
-
MTA-STS (Mail Transfer Agent Strict Transport Security): Enables encryption for SMTP (TLS). Failure Impact: Without MTA-STS, attackers can perform a Man-in-the-Middle (MITM) downgrade attack, stripping TLS encryption to intercept or modify email content in transit.
Exploitation Status
While not a specific software vulnerability, the lack of these protocols is a configuration vulnerability that is actively exploited in the wild. Threat actors actively scan for domains lacking p=reject or p=quarantine in DMARC records to select targets for "CEO Fraud" and invoice phishing campaigns. The barrier to entry for these attacks is negligible, requiring no zero-day exploits—only a lack of defensive posture.
Detection & Response
The following detection rules and queries are designed to identify the symptoms of this weakness: inbound emails that fail authentication checks (spoofed mail) or internal systems attempting to send mail illegitimately.
SIGMA Rules
---
title: Potential Email Spoofing Inbound - Authentication Failure
id: 8a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects inbound emails where SPF or DMARC authentication fails, indicative of spoofing attempts against weak domains.
references:
- https://dmarc.org/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.initial_access
- attack.t1566.001
logsource:
product: email
category: authentication_failure
detection:
selection:
SPF|contains:
- 'fail'
- 'softfail'
DMARC|contains:
- 'fail'
condition: selection
falsepositives:
- Misconfigured mailing lists
- Legitimate forwarding services not listed in SPF
level: medium
---
title: Unauthorized SMTP Traffic from Endpoint
id: 9b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects processes on endpoints attempting to connect to external SMTP ports (25/587) commonly associated with spam tools or data exfiltration.
references:
- https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.exfiltration
- attack.t1071.003
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort:
- 25
- 587
- 465
Initiated: 'true'
filter:
Image|contains:
- '\Outlook.exe'
- '\thunderbird.exe'
- '\chrome.exe'
- '\firefox.exe'
- '\edge.exe'
condition: selection and not filter
falsepositives:
- Legitimate mail clients not in filter list
- Local testing by IT staff
level: high
KQL (Microsoft Sentinel / Defender)
This query hunts for emails received by the organization where the sender's domain failed DMARC validation.
EmailEvents
| where Timestamp > ago(7d)
| project Timestamp, Subject, SenderFromAddress, RecipientEmailAddress, AuthenticationDetails
| extend DMARC = extract("$.dmarc", tostring(AuthenticationDetails), typeof(string))
| extend SPF = extract("$.spf", tostring(AuthenticationDetails), typeof(string))
| where isnotnull(DMARC) and (DMARC contains "fail" or SPF contains "fail")
| summarize count() by SenderFromAddress, Subject, DMARC, SPF
| order by count_ desc
Velociraptor VQL
This artifact hunts for suspicious command-line usage of common tools used to send unauthorized emails from endpoints.
-- Hunt for tools used to send email directly from endpoints (bypassing MSA)
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE CommandLine =~ 'smtplib'
OR CommandLine =~ 'Send-MailMessage'
OR Name =~ 'swaks.exe'
OR CommandLine =~ '--data' AND CommandLine =~ '--to'
Remediation Script (PowerShell)
This script audits a list of critical domains to check for the presence of SPF, DMARC, DKIM, and MTA-STS records. Run this regularly to monitor posture.
# Requires DNS Server role or Resolve-DnsName cmdlet
param(
[string[]]$TargetDomains = @("example-gov.gov", "example-health.org")
)
foreach ($domain in $TargetDomains) {
Write-Host "[+] Auditing Domain: $domain" -ForegroundColor Cyan
# Check SPF (TXT record starting with v=spf1)
try {
$spf = Resolve-DnsName -Name $domain -Type TXT -ErrorAction Stop |
Where-Object { $_.Strings -match '^v=spf1' }
if ($spf) { Write-Host " [+] SPF Found: $($spf.Strings)" -ForegroundColor Green }
else { Write-Host " [-] SPF MISSING" -ForegroundColor Red }
} catch { Write-Host " [-] SPF MISSING (Lookup Failed)" -ForegroundColor Red }
# Check DMARC (_dmarc.domain.com)
try {
$dmarcDomain = "_dmarc.$domain"
$dmarc = Resolve-DnsName -Name $dmarcDomain -Type TXT -ErrorAction Stop |
Where-Object { $_.Strings -match '^v=DMARC1' }
if ($dmarc) {
$policy = ($dmarc.Strings | Select-String "p=(none|quarantine|reject)").Matches.Value
if ($policy -eq "p=reject") { Write-Host " [+] DMARC Found (Enforced): $($dmarc.Strings)" -ForegroundColor Green }
else { Write-Host " [!] DMARC Found (Monitor Mode/Low): $($dmarc.Strings)" -ForegroundColor Yellow }
}
else { Write-Host " [-] DMARC MISSING" -ForegroundColor Red }
} catch { Write-Host " [-] DMARC MISSING (Lookup Failed)" -ForegroundColor Red }
# Check MTA-STS (_mta-sts.domain.com)
try {
$mtsDns = "_mta-sts.$domain"
$mts = Resolve-DnsName -Name $mtsDns -Type TXT -ErrorAction Stop |
Where-Object { $_.Strings -match '^v=STSv1' }
if ($mts) { Write-Host " [+] MTA-STS DNS Record Found" -ForegroundColor Green }
else { Write-Host " [-] MTA-STS MISSING" -ForegroundColor Red }
} catch { Write-Host " [-] MTA-STS MISSING (Lookup Failed)" -ForegroundColor Red }
Write-Host ""
}
Remediation
To address the vulnerabilities identified in this report, organizations in the Government and Healthcare sectors must immediately implement the following:
-
Implement SPF: Create a strict SPF record that explicitly lists all authorized IP addresses and third-party senders. Avoid using
+all(softfail) or~all; aim for-all(fail) once legitimate senders are identified. -
Deploy DMARC: Publish a DMARC policy at
_dmarc.yourdomain.com.- Start with
p=noneto monitor traffic. - Analyze aggregate (RUA) and forensic (RUF) reports.
- Move to
p=quarantineand finallyp=rejectto block spoofed mail entirely.
- Start with
-
Enable DKIM: Sign all outgoing emails with cryptographic keys. Publish the public key in your DNS records. This ensures message integrity.
-
Enforce MTA-STS:
- Publish the DNS TXT record
_mta-sts.domain.com. - Host the
mta-sts.txtpolicy file on a web server (supports TLS reporting). - This prevents attackers from downgrading SMTP connections to unencrypted cleartext.
- Publish the DNS TXT record
-
Continuous Monitoring: Subscribe to services that scan your domains daily and alert you if records are removed or altered (e.g., via "Domain Drift" detection).
Related Resources
Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.