Rosebud Cloud Solutions

Original research

UK Housing Email Security Report 2026

2 in 5 of the UK's largest housing associations have no enforced DMARC, leaving their domain open to spoofing

Seventy-nine of the 200 providers we scanned could be impersonated in phishing emails sent to their own tenants.

Housing associations hold some of the most sensitive relationships in the country: they email tenants about rent, repairs, benefits and safety. If a domain can be spoofed, a criminal can send a convincing email that appears to come from the landlord, and tenants have every reason to trust it.

We ran a free external security scan of 200 housing associations in England, every private registered provider owning 1,000 or more homes that we could verify. Between them they own around 2.76 million homes. The picture is a sector pulling in two directions: a well-defended top tier, and a large group that has either not started or, more often, started and stopped halfway.

  • 61% enforce DMARC (quarantine or reject)
  • 2 in 5 have no enforced DMARC and can be spoofed
  • 31% published DMARC but left it unenforced
  • 2.76m homes owned by the providers scanned

DMARC posture across the sector

DMARC is what actually stops a domain being spoofed. Only an enforced policy (quarantine or reject) protects tenants; a policy of none monitors but protects nothing.

  • Reject (strongest, fully enforced): 27%
  • Quarantine (enforced): 34%
  • None (published but monitoring only, no protection): 31%
  • No DMARC record at all: 9%

Overall security score distribution

  • 90 to 100 (excellent): 49%
  • 75 to 89 (good): 12%
  • 60 to 74 (fair): 27%
  • 40 to 59 (weak): 9%
  • 0 to 39 (poor): 4%

Sector mean 79/100, median 89/100.

A sector pulling in two directions

Almost half of the providers we scanned (49%) score 90 or above out of 100, and these tend to be the larger, better-resourced associations. Their email is properly defended: an enforced DMARC policy, a valid SPF record, and DKIM signing in place. For organisations often described as behind on technology, that top tier is genuinely strong.

But the sector as a whole tells a more uncomfortable story than the headline names suggest. Across all 200 providers, two in five have no enforced DMARC, and the average score falls to 79. The pattern is fairly consistent: the smaller the provider, the more likely it is to be exposed, and smaller housing associations still hold hundreds of thousands of tenant relationships between them.

The unfinished journey: 31% started DMARC and stopped

The single most striking finding is not the associations with no DMARC at all (9%); it is the 31% that published a DMARC record and then left it set to none. A policy of none monitors who is sending mail as your domain but tells receiving servers to deliver spoofed messages anyway. It offers the reassurance of having done something, with none of the protection.

This is the easiest gap in the whole report to close. These providers have already done the hard part, standing up DMARC and, usually, getting their legitimate senders passing. Moving from none to quarantine or reject is often a single DNS change once the reports confirm it is safe. Nearly a third of the sector is one careful step away from being protected and has not taken it.
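To make the four buckets in this report concrete, here is an added example (not the code behind our scanner) that classifies the TXT records found at _dmarc.<domain>. It goes slightly beyond the text by also handling the pct tag and duplicate records as RFC 7489 describes; the domains and records are constructed samples.

```python
ENFORCED = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Parse one TXT string into {tag: value}; None if it is not a DMARC record."""
    tags, first = {}, None
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if not sep:
            continue                       # skip empty or malformed segments
        name, value = name.strip().lower(), value.strip()
        if first is None:
            first = (name, value)
        tags.setdefault(name, value)
    return tags if first == ("v", "DMARC1") else None   # v=DMARC1 must come first

def classify(txt_records):
    """Return (bucket, pct) with bucket in reject / quarantine / none / no_record."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:                  # zero or several records: DMARC is not applied
        return ("no_record", 0)
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in ENFORCED | {"none"}:
        # invalid p: receivers fall back to p=none only when rua is present
        return ("none", 0) if tags.get("rua") else ("no_record", 0)
    if policy == "none":
        return ("none", 0)                 # monitoring only, nothing is blocked
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    return (policy, min(pct, 100))

def fully_enforced(txt_records):
    """True only when quarantine or reject applies to all failing mail."""
    bucket, pct = classify(txt_records)
    return bucket in ENFORCED and pct == 100

# Constructed sample records (not taken from the report's scan data)
SAMPLES = {
    "enforced.example":  ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
    "halfway.example":   ["v=DMARC1; p=none; rua=mailto:dmarc@halfway.example"],
    "partial.example":   ["v=DMARC1; p=quarantine; pct=25"],
    "duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "missing.example":   ["google-site-verification=abc123"],
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(domain, classify(txt), "enforced" if fully_enforced(txt) else "not enforced")
```
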

SPF is universal, but one in ten is silently broken

Every provider we scanned publishes an SPF record. But 10% have exceeded the limit of ten DNS lookups that the SPF standard allows. Once a record goes over that limit, SPF stops working, often without anyone noticing, because each new email tool that gets added quietly pushes the count higher. It is one of the most common and most invisible email security faults we find.
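The way the count creeps up is easiest to see by following the includes. The sketch below is an added example, not our scanner's code: it counts the DNS-querying terms RFC 7208 lists (include, a, mx, ptr, exists and redirect) across nested records. ZONE is a constructed stand-in for DNS and every name in it is made up.

```python
LIMIT = 10                                  # RFC 7208 section 4.6.4
QUERYING = {"include", "a", "mx", "ptr", "exists"}

# Constructed stand-in for DNS: every name and record here is made up.
ZONE = {
    "housing.example": "v=spf1 mx a include:_spf.mail.example include:crm.example"
                       " include:survey.example include:repairs.example -all",
    "_spf.mail.example": "v=spf1 include:a.mail.example include:b.mail.example ~all",
    "a.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "b.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "crm.example": "v=spf1 a mx exists:%{i}.bl.crm.example ~all",
    "survey.example": "v=spf1 include:relay.survey.example ~all",
    "relay.survey.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "repairs.example": "v=spf1 a:out.repairs.example ~all",
    "tidy.example": "v=spf1 mx include:a.mail.example -all",
}

def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms, following include and redirect."""
    record = zone.get(domain, "")
    if domain in path or not record.lower().startswith("v=spf1"):
        return 0                            # include loop, or no SPF record to follow
    total = 0
    for term in record.lower().split()[1:]:
        term = term.lstrip("+-~?")          # drop the qualifier
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[len("redirect="):], zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0]           # "a/24" and "mx/24" carry a CIDR suffix
        if name in QUERYING:
            total += 1
            if name == "include":
                total += count_lookups(target, zone, path + (domain,))
    return total

def spf_status(domain, zone=ZONE):
    """Return (lookups, verdict); over the limit, receivers return permerror."""
    n = count_lookups(domain, zone)
    return (n, "permerror" if n > LIMIT else "ok")

if __name__ == "__main__":
    for d in ("housing.example", "tidy.example"):
        print(d, spf_status(d))
```

The top-level record for housing.example lists only six querying terms, but the nested includes bring the total to 13, which is how a record drifts over the limit unnoticed.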

DKIM is widespread, modern transport security is not

Four in five providers (80%) publish a valid DKIM record, the public key behind the cryptographic signing that lets recipients verify a message has not been tampered with. The newer transport-security standards are barely adopted: only 13% publish MTA-STS and 17% publish TLS-RPT, both of which protect mail in transit. These are not urgent for most providers, but they are the difference between a good posture and a complete one.

What good looks like, and where to start

The strongest providers in our sample share a simple pattern: an enforced DMARC policy of reject, a valid SPF record kept under the lookup limit, and DKIM signing switched on. None of it requires new software, and most of it is free to configure.

If you run email for a housing association, the fastest way to find out where you stand is to run the same external check we used for this report. It takes about 15 seconds and needs no access to your systems. We have not named any provider that scored poorly; each can see its own result privately through our free scanner. Where the results show gaps, our cloud security team can help you reach enforcement safely, without disrupting the legitimate mail your tenants rely on.

Sector leaders

These providers had fully configured, enforced email authentication at the time of scanning. Credit to their teams.

PA Housing, Westward Housing, Bernicia, Sovereign Network Group, Gentoo Group, Newlon Housing Trust, Acis Group, Cottsway, Livv Housing Group, Plymouth Community Homes, Futures Housing Group, A2Dominion

Methodology

We identified the 208 housing associations (private registered providers, not local-authority providers) in England owning 1,000 or more homes, using the Regulator of Social Housing Statistical Data Return. We confirmed a live email domain for 200 of them and ran a passive external security scan of each on 12 June 2026. Together these providers own around 2.76 million homes.

Every check reads only publicly available DNS records and public-facing services. No system was accessed, no credentials were used, and no intrusive testing was performed. This is the same external view any member of the public, or any attacker, already has.

Email authentication posture (SPF, DKIM, DMARC) was assessed against current NCSC guidance, and an overall score was calculated from the same engine that powers our free domain security check. Recently merged providers are counted as their current combined entity. Results are a snapshot as of the scan date; DNS configurations change over time, and a provider that was exposed on this date may since have fixed it.

Scanned 12 June 2026. Sample size: 200 providers.
