UK MSP DMARC Audit: Q2 2026
The second edition of our quarterly audit of email security posture across 192 UK Managed Service Providers. This quarter every provider was re-scanned and given a Security Grade from A+ to F — the same letter grade an MSP gets from our free Security Grade tool, rolling up 15 checks across DMARC, SPF, DKIM, SSL, MTA-STS, DNSSEC and CAA. Published Q2 2026.
By The ShieldMarc Research Team · Q2 2026 · See also the Q1 2026 audit.
Executive Summary
This report grades 192 UK-based Managed Service Providers (MSPs) on the ShieldMarc Security Grade: a single letter from A+ to F that rolls up 15 externally observable checks across email authentication, transport security, DNS integrity and registration hygiene. Every domain was confirmed to have a live MX record. The dataset is the same cohort of providers audited in Q1 2026, re-scanned at the end of Q2.
The average UK MSP scores a C. The mean score is 70 / 100 and the median is 70.5; C is also the single most common grade, held by 39% of providers. Only 6% of UK MSPs earn an A or A+, while 22% sit in the at-risk D–F band. In other words, the typical provider has done the basics — published DMARC and moved partway to enforcement — but stops short of the configuration that separates a solid grade from a strong one.
What separates the grades is clear and consistent. Every A and A+ provider is at p=reject and has transport-layer security in place. The B band is full of providers with strong DMARC but no MTA-STS or DNSSEC, which caps them below A. The modal C provider is typically sitting at p=quarantine with no transport hardening at all. And the D–F band is defined by the absence of real enforcement: 32 of the 42 at-risk providers publish only p=none or no DMARC record.
The sector-wide ceiling is transport and infrastructure security. Across all 192 providers, MTA-STS and TLS-RPT each sit at just 18% and DNSSEC at 15% — which is precisely why only 6% reach an A. DMARC enforcement, by contrast, is approaching saturation: 76% of MSPs are at quarantine or reject.
- Average grade: C
- Score a C (most common): 39%
- Earn an A or A+: 6%
- At risk (D or F): 22%
Methodology
The audit was conducted at the end of Q2 2026 by running all 192 primary domains through the ShieldMarc Security Grade engine (our Domain Trust Rating, or DTR, methodology), the same engine that powers our free Security Grade tool. Only public DNS records, RDAP registration data and the public TLS certificate were queried. No emails were sent, no systems were accessed, and no vulnerability testing was performed.
How the grade is calculated
Each domain is scored 0–100 across 15 checks and that score is mapped to a letter grade. The thresholds are:
| Score | 95+ | 90–94 | 85–89 | 75–84 | 60–74 | 40–59 | <40 |
|---|---|---|---|---|---|---|---|
| Grade | A+ | A | B+ | B | C | D | F |
Under the bonnet the 15 checks are organised into four cumulative tiers — Foundation, Hardened, Enforced and Resilient — each building on the one below. The letter grade reflects how far up that ladder a domain has climbed and how completely. The How the Grade Is Built section breaks the tiers down. Two checks are surfaced but never affect the grade: certificate expiry and domain-registration expiry, both of which are time-sensitive operational concerns covered by dedicated monitors. DKIM is left unknown in a point-in-time scan because it cannot be confirmed without sending or receiving mail.
A note on methodology change from Q1
The Q1 2026 audit used a bespoke 0–100 DMARC scoring model with a brand-domain-protection penalty. From Q2 onwards we grade on the unified Security Grade instead, because it scores the whole email-security surface (not just DMARC) on a single, easy-to-communicate A+–F scale, and because it is the same grade an MSP sees when they run their own domain through our free tool. Because the two models differ, absolute Q1 scores and Q2 grades are not directly comparable. The quarter-on-quarter section therefore compares only model-independent configuration facts (DMARC policy, SPF qualifier, reporting), which are tracked consistently across both editions.
The Average Grade
The full distribution across the 192 providers is shown below. The average, median and most common grade are all the same: a C.
Read cumulatively: 6% of UK MSPs earn an A or A+, 39% reach a B or better, and 61% land at C or below. The single largest group, 39%, scores a C, and 22% fall into the at-risk D–F band. There is a long, thin tail of excellence (12 providers at A/A+) and a thick middle that has done the groundwork but not the hardening.
What Separates the Grades
The grade bands map cleanly onto specific configuration decisions, so any MSP can see exactly what is keeping it where it is.
- A / A+ (12 providers, 6%) — enforcement plus transport security. Every single A and A+ provider is at p=reject with reporting in place. What lifts them above the B band is the transport and DNS layer: all five A+ providers publish MTA-STS, TLS-RPT and DNSSEC together. This is the rarest combination in the sample.
- B / B+ (63 providers, 33%) — strong DMARC, missing hardening. These providers have largely reached p=reject (51 of 63) and near-universal reporting, but only 12 of the 63 have both MTA-STS and TLS-RPT. The absence of transport security is the single most common reason a strong-DMARC domain is capped at B rather than A.
- C (75 providers, 39%) — enforcement-lite, no hardening. The modal grade. 57 of the 75 are sitting at p=quarantine rather than reject, almost none have transport security, and a handful are missing reporting. They are one or two changes away from a B.
- D / F (42 providers, 22%) — no real enforcement. The at-risk band is defined by the absence of enforcement: 32 publish only p=none and 7 have no DMARC record at all. Many also lack a reporting tag. These are the domains an attacker can most readily spoof today.
The throughline is that DMARC enforcement gets a provider into the B–C range, but only transport and DNS hardening — MTA-STS, TLS-RPT and DNSSEC — carries them into the A range. That hardening is exactly where the sector is weakest.
How the Grade Is Built: the Four Tiers
The 15 checks are grouped into four cumulative tiers, each of which must be completed before the next counts. This is the structure the grade rolls up, and it is a useful second lens on where the sector loses ground.
| Tier | Reached it | What it requires |
|---|---|---|
| Foundation | 165 (86%) | SPF + DMARC published, aggregate reporting (rua) configured, valid SSL. |
| Hardened | 126 (66%) | Enforcement policy active (quarantine or stronger) and SPF restricts unauthorised senders. |
| Enforced | 53 (28%) | p=reject, subdomain protection, full coverage, SPF within the 10-lookup limit. |
| Resilient | 1 (1%) | MTA-STS, TLS-RPT, DNSSEC, certificate-issuance protection and a registrar transfer lock. |
A striking structural finding sits in the Foundation tier. Because each tier is gated, a single missing check holds a domain out of it regardless of how strong the rest of its configuration is. 25 providers publish DMARC, SPF and a valid SSL certificate but omit the aggregate-reporting (rua=) tag, which holds them out of the Foundation tier and, in most cases, drags their grade down to a C or D. Adding a single DNS line would both restore that visibility and lift the grade.
At the other end, only one provider in the entire sample — a single MSP — reached the Resilient tier. The constraint is the transport and DNS layer: the checks for MTA-STS, TLS-RPT and DNSSEC are the gate almost no one clears.
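The gating described in this section, as an added Python example (not ShieldMarc's engine, which runs 15 checks): it evaluates the first three tiers from raw DMARC and SPF strings and shows a missing rua tag holding an otherwise strong domain out of Foundation. The pass rules are assumptions drawn from the table's wording, `valid_ssl` and `spf_lookups` are supplied by the caller, and the sample records are constructed.

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def spf_all_qualifier(spf):
    """Return '-', '~', '?' or '+' for the record's 'all' term, or None."""
    for term in spf.lower().split():
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"  # bare 'all' means +all
    return None

def highest_tier(dmarc, spf, valid_ssl=True, spf_lookups=0):
    """Walk the tiers in order; stop at the first tier with a failed check."""
    d = parse_tags(dmarc) if dmarc.lower().startswith("v=dmarc1") else {}
    p = d.get("p", "").lower()
    tiers = [  # assumed rules, taken from the 'What it requires' column
        ("Foundation", [bool(d), spf.lower().startswith("v=spf1"),
                        "rua" in d, valid_ssl]),
        ("Hardened", [p in ("quarantine", "reject"),
                      spf_all_qualifier(spf) in ("-", "~")]),
        ("Enforced", [p == "reject",
                      d.get("sp", p).lower() == "reject",  # sp defaults to p
                      d.get("pct", "100") == "100",
                      spf_lookups <= 10]),
    ]
    reached = None
    for name, checks in tiers:
        if not all(checks):
            break  # gated: later tiers do not count once one fails
        reached = name
    return reached

# Constructed sample records (example.com / example.net are placeholders).
SPF = "v=spf1 include:_spf.example.net -all"
STRONG_NO_RUA = "v=DMARC1; p=reject; sp=reject; pct=100"
STRONG = STRONG_NO_RUA + "; rua=mailto:dmarc@example.com"
QUARANTINE = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, rec in [("reject, no rua", STRONG_NO_RUA),
                       ("reject + rua", STRONG), ("quarantine", QUARANTINE)]:
        print(label, "->", highest_tier(rec, SPF, spf_lookups=1))
```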
DMARC Enforcement
DMARC adoption among UK MSPs is high: 185 of 192 (96%) publish a DMARC record, and 76% are at an enforcement policy of quarantine or reject. This compares favourably with broader benchmarks: Red Sift's analysis of 73.3 million domains found only 14.9% with any DMARC policy and roughly 2.5% at p=reject[1].
| DMARC policy | MSPs | Share of all 192 |
|---|---|---|
| p=reject | 73 | 38% |
| p=quarantine | 72 | 38% |
| p=none | 40 | 21% |
| No DMARC record | 7 | 4% |
On the supporting controls, 87% configure aggregate reporting (rua), 59% publish an SPF record ending in hard fail (-all) and a further 35% in soft fail (~all), and 98% serve a valid SSL certificate. The weak link among the basics is reporting: the 13% without a rua tag are flying blind on who is sending as their domain, and as the tier analysis showed, that single omission is enough to pull an otherwise-capable domain down a grade.
Transport & Infrastructure Security
Transport-layer and DNS hardening is what separates an A from a B, and it is where the UK MSP sector is weakest. Only one provider in the whole sample has the full set in place.
| Control | MSPs | Share | Protects against |
|---|---|---|---|
| MTA-STS | 34 | 18% | TLS downgrade / interception of mail in transit |
| TLS-RPT | 35 | 18% | Silent TLS negotiation failures |
| DNSSEC | 28 | 15% | Forged DNS responses |
| CAA issuance restriction | 9 | 5% | Unauthorised certificate issuance |
| Registrar transfer lock | 83 | 43% | Domain hijacking via transfer |
The certificate-issuance check passes when a domain either restricts issuance with CAA records, publishes a CAA iodef reporting endpoint, or is on a Cloudflare-managed zone (where issuance is handled internally). On that basis 35% of providers pass, largely because 58 of the 192 are Cloudflare-hosted; explicit CAA issuance restriction remains rare at 5%.
The takeaway is consistent with the grade analysis: the UK MSP sector has largely won the DMARC argument but has barely started on transport-layer security. MTA-STS at 18% is the clearest growth area, and is the control most likely to move providers from a B into the A range in future editions of this audit.
Regional Analysis
Each provider was mapped to its UK headquarters region. The table shows each region's average score and the grade it corresponds to, highest to lowest. Regional differences are modest, and several regions have small sample sizes (shown as n) that should temper interpretation.
| Region | MSPs (n) | Avg. score | Grade |
|---|---|---|---|
| Global (HQ outside UK) | 18 | 78.8 | B |
| Wales | 2 | 77.0 | B |
| North East | 6 | 72.5 | C |
| London | 40 | 71.2 | C |
| South West | 10 | 70.2 | C |
| North West | 20 | 70.0 | C |
| Scotland | 11 | 69.4 | C |
| Yorkshire & Humber | 8 | 68.0 | C |
| South East | 40 | 67.9 | C |
| East Midlands | 11 | 66.5 | C |
| Northern Ireland | 8 | 65.5 | C |
| West Midlands | 10 | 65.2 | C |
| East of England | 8 | 60.8 | C |
Only two regions average above a C: Global multinationals headquartered outside the UK (B), benefiting from dedicated security teams and compliance mandates, and Wales (B, though on a sample of just two providers). Every UK region averages a C. The two largest regions, London and the South East (40 providers each), both land mid-C, confirming that posture is determined far more by individual operational maturity than by geography.
Quarter-on-Quarter Change
Because Q1 used a different scoring model, the fair comparison is on the configuration facts that both editions measure the same way: DMARC adoption, the policy mix, and reporting. On those measures the sector improved modestly over the quarter.
| Measure | Q1 2026 | Q2 2026 | Change |
|---|---|---|---|
| DMARC record published | 183 | 185 | +2 |
| p=reject | 69 | 73 | +4 |
| p=quarantine | 67 | 72 | +5 |
| p=none | 47 | 40 | −7 |
| Aggregate reporting (rua) | 163 | 167 | +4 |
Ten providers advanced their published policy during the quarter: five moved from none to quarantine, two from none to reject, two from no DMARC record to an enforcement policy, and one from quarantine to reject. No provider regressed its policy. The direction of travel is positive but slow, and transport-layer adoption — the thing that would move grades from B to A — has not yet begun in earnest.
Recommendations
The recommendations map onto the grade bands, so any MSP can find its current grade and the next step that raises it. They follow the NCSC's phased anti-spoofing guidance[2], consistent with CISA BOD 18-01[3] and the Google and Yahoo bulk-sender requirements in force since February 2024[4]. MSPs running DMARC across client domains will find a practical playbook in our guide to DMARC for MSPs.
- D or F → C: Publish DMARC and SPF if absent, add a rua= reporting tag, and move off p=none to at least p=quarantine. Fix any invalid SSL certificate.
- C → B: Review aggregate reports to confirm every legitimate sender, then advance from p=quarantine to p=reject, set sp=reject, keep pct=100, and ensure SPF ends in ~all or -all within the 10-lookup limit.
- B → A: Add the transport and DNS layer that almost no one has: publish MTA-STS and TLS-RPT, and enable DNSSEC. This is the single biggest differentiator between a B and an A in this dataset.
- A → A+: Complete the set with certificate-issuance protection (CAA records or an iodef reporting record) and a registrar transfer lock.
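For the B → A step, an added Python example (not part of the audit's tooling) that checks the three artefacts MTA-STS and TLS-RPT rely on, per RFC 8461 and RFC 8460: the `_mta-sts` TXT record, the policy file served at `https://mta-sts.<domain>/.well-known/mta-sts.txt`, and the `_smtp._tls` TXT record. The function names, the constructed records and the choice to flag any mode other than `enforce` are assumptions of this example.

```python
def tags(txt):
    """Split a 'k=v; k=v' TXT record into a dict."""
    return dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)

def parse_policy(body):
    """Parse an RFC 8461 policy file: 'key: value' lines; 'mx' may repeat."""
    policy = {"mx": []}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "mx":
            policy["mx"].append(value.strip().lower())
        elif sep:
            policy[key.strip().lower()] = value.strip()
    return policy

def mx_allowed(host, patterns):
    """A '*.' pattern matches exactly one leftmost label (RFC 8461)."""
    host = host.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else None
    return any(parent == p[2:] if p.startswith("*.") else host == p
               for p in patterns)

def transport_findings(sts_txt, policy_body, tlsrpt_txt, mx_hosts):
    """Return a list of problems; an empty list means the records line up."""
    problems = []
    sts, rpt, pol = tags(sts_txt), tags(tlsrpt_txt), parse_policy(policy_body)
    if sts.get("v") != "STSv1" or not sts.get("id"):
        problems.append("_mta-sts TXT needs v=STSv1 and an id")
    if pol.get("version") != "STSv1":
        problems.append("policy version must be STSv1")
    if pol.get("mode") != "enforce":  # 'testing' still delivers on failure
        problems.append(f"policy mode is {pol.get('mode')!r}, not enforce")
    if not pol.get("max_age", "").isdigit():
        problems.append("policy max_age missing or not numeric")
    problems += [f"MX {h} is not covered by a policy mx line"
                 for h in mx_hosts if not mx_allowed(h, pol["mx"])]
    rua = rpt.get("rua", "")
    if rpt.get("v") != "TLSRPTv1" or not rua.startswith(("mailto:", "https:")):
        problems.append("_smtp._tls TXT needs v=TLSRPTv1 and a rua URI")
    return problems

# Constructed sample records for the placeholder domain example.com.
STS_TXT = "v=STSv1; id=20260630T000000"
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
POLICY = ("version: STSv1\nmode: testing\n"
          "mx: *.mail.example.com\nmax_age: 604800\n")
MX_HOSTS = ["mx1.mail.example.com.", "backup.example.org."]
```

On the constructed input, `transport_findings(STS_TXT, POLICY, TLSRPT_TXT, MX_HOSTS)` reports two problems: the policy is still in testing mode, and one MX host is not listed in the policy.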
Conclusion
The average UK MSP scores a C: it publishes DMARC, has moved partway to enforcement, and blocks at least some spoofed mail. That is a creditable baseline and an improvement on the quarter. But the distribution is sobering. Only 6% reach an A, more than a fifth sit in the at-risk D–F band, and the controls that would lift the middle of the market — full enforcement and transport-layer security — remain the exception rather than the rule.
The encouraging part is how little separates many providers from a better grade. A C provider at quarantine is usually one change away from a B. A B provider with strong DMARC is a handful of DNS records — MTA-STS, TLS-RPT, DNSSEC — away from an A. The gap between the sector's current posture and a markedly stronger one is measured in individual DNS records, not major projects, which is precisely why an MSP that treats this as an ongoing managed discipline can pull ahead of its peers quickly.
What's Next
This is the second edition of a quarterly series. In Q3 2026 we will re-scan every provider, track movement between grades, and continue to expand the cohort beyond the current 192. As DMARC enforcement approaches saturation, future editions will pay particular attention to the transport-layer frontier (MTA-STS and TLS-RPT) and to DNSSEC, where the sector currently has the most ground to make up.
If your organisation is a UK MSP and you would like to be included, or you spot a result you believe is wrong, open a ticket and we will review it ahead of the next edition.
Check your own grade
Run your domain through the same Security Grade engine used in this audit to see your A+–F grade, every passing and failing check, and the next step to move up.
References
- [1] Red Sift, “Guide to Global DMARC Adoption,” analysis of 73.3 million domains worldwide: 14.9% with any DMARC policy, approximately 2.5% at p=reject. redsift.com
- [2] NCSC, “Email Security and Anti-Spoofing,” recommended phased implementation plan for DMARC, SPF and DKIM across all organisational domains. ncsc.gov.uk
- [3] CISA, “Binding Operational Directive 18-01: Enhance Email and Web Security,” mandating US federal agencies reach DMARC p=reject within one year. cisa.gov
- [4] Google and Yahoo bulk sender requirements (February 2024), requiring DMARC authentication for high-volume senders with non-compliant mail subject to rejection. dmarcian.com
- [5] NCSC, “Retiring Mail Check and Web Check,” confirming retirement of the free DMARC and TLS reporting service in March 2026, shifting monitoring responsibility to organisations and their MSPs. ncsc.gov.uk
- [6] RFC 8461, “SMTP MTA Strict Transport Security (MTA-STS),” and RFC 8460, “SMTP TLS Reporting (TLS-RPT).” datatracker.ietf.org
- [7] RFC 8659, “DNS Certification Authority Authorization (CAA) Resource Record.” datatracker.ietf.org
This audit was conducted for educational and awareness purposes. All data was gathered from publicly available DNS records, RDAP registration data and public TLS certificates at the time of scanning (Q2 2026). No systems were accessed, no emails were sent, and no vulnerability testing was performed. DMARC, SPF and other DNS records can be updated at any time, so an individual provider's grade may since have changed. Regional mapping is based on publicly listed headquarters locations.