Email Authentication Gap in Canadian Healthcare Organizations

Data derived from publicly observable DNS records. No internal systems were accessed.

Businesses Sourced: 12,413
Domains Resolved: 3,150
Domains Scanned: 2,590
Canadian Cities: 10+
Yellow Pages: 7,731 leads — 2,590 scanned | ODHF / StatCan: 6,824 healthcare facilities — domain resolution in progress | Discovery: 94 scanned

Email Authentication Controls

Status of SPF, DKIM, and DMARC across scanned domains

SPF (Sender Policy Framework): 78% present (chart segments: 44%, 22%, 22%)
DMARC (Domain-based Message Authentication): 43% present (chart segments: 22%, 26%, 57%)
DKIM (DomainKeys Identified Mail): 43% present (chart segments: 43%, 57%)
DMARC Enforcement (quarantine/reject): 17% enforced (chart segments: 7%, 10%, 26%, 57%)
Chart legend: Enforced / Pass, Partial / Permissive, Monitor only, Missing

Industry Signal

Failure rate by sector (DMARC not enforced)

  • Healthcare: 2,590 (62%)
  • Long-Term Care: 106 (57%)
  • Dentists: 202 (86%)
  • Chiropractors: 163 (85%)
  • Veterinarians: 172 (84%)
  • Psychologists: 109 (87%)
  • Insurance Brokers: 184 (82%)
  • Lawyers: 138 (79%)

Overall Score

43 out of 100
Domains Scanned: 2,590
Pass (all 3 controls): 9%
Partial: 35%
Fail: 56%

Key Findings

  • 83% of domains have no DMARC enforcement
  • 57% have no DMARC record
  • 22% have no SPF record
  • 56% score below 50 (vulnerable)
  • Healthcare sector has highest exposure
  • PIPEDA/PHIPA require email safeguards

Regulatory Context

Canadian privacy legislation (PIPEDA, PHIPA) requires organizations handling personal information to implement reasonable safeguards against unauthorized access.

Email spoofing — enabled by missing DMARC enforcement — is the primary vector for phishing attacks targeting healthcare organizations.

Organizations without DMARC enforcement cannot demonstrate basic email security compliance.
