EFROS Original Research · Q2 2026 — Inaugural Edition
4 in 5 US trucking companies can't stop email impersonation.
We measured the public email security configuration of every active US motor carrier with a company domain — 307,688 domains representing 393,312 carriers. The headline result: 80.1% cannot stop a stranger from sending email in their name. In an industry where one email can move a load or redirect a payment, that is a business problem, not an IT detail.
Headline findings
- 80.1%: no enforced DMARC. Share of active carrier domains with no DMARC record or a monitor-only p=none policy. Neither stops a spoofed message; p=none only asks receivers to report it.
- 92,822: Microsoft 365 carriers with DMARC off. Carriers on Microsoft 365, which already supplies the SPF include and the DKIM signing the domain needs, that have never published an enforcing DMARC policy. The protection is already paid for and switched off.
- 96.7%: no MTA-STS. Share with no policy requiring sending servers to deliver to the carrier only over authenticated TLS. Without it, mail to the carrier can be downgraded to plaintext or misdirected by an attacker on the path.
Background
Why we ran this study
Freight fraud is now an operational line item. Double brokering, fraudulent load confirmations, factoring fraud, and redirected payment instructions all share one root mechanism: a message that appears to come from a trusted party but does not.
Email authentication is the control that closes that gap. SPF, DKIM, and DMARC together let a receiving mail server confirm that a message claiming to be from dispatch@yourcarrier.com actually originated from your systems. When those records are missing or misconfigured, anyone can send mail in your name, and receiving servers have no basis to reject it.
We wanted to measure how widely that control is deployed across real carriers — not survey respondents. So we measured every one we could from public DNS. We expected the numbers to be bad. They came back worse than that.
Finding 1
Four in five carrier domains have no DMARC protection
| DMARC status | Share |
|---|---|
| No DMARC record at all | ~59.0% |
| Monitor-only (p=none, no protection) | ~21.1% |
| Total unprotected | 80.1% |
| Enforced (p=reject) | 7.5% |

| SPF status | Share |
|---|---|
| Soft-fail (~all) only | 39.8% |
| No SPF at all | 10.4% |
ICP signal: Among 62,813 active carriers operating 10 or more trucks, 68.2% have no enforced DMARC. Fleet size does not fix the problem. The larger, more attractive fraud targets are configured no better than owner-operators.
SPF, the older and simpler record, is more common but frequently toothless on its own. 39.8% of domains publish only a soft-fail policy (~all), which tells receiving servers that an unlisted sender is probably unauthorized but stops short of asking for rejection; absent a DMARC policy, most receivers deliver such mail. Another 10.4% publish no SPF at all. Thousands of carriers run a domain with neither SPF nor DMARC: zero email authentication of any kind.
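The classification behind these figures, as an added example in Python (not EFROS tooling): it reads DNS TXT records through a pluggable resolver so that the constructed sample zone below runs offline; for live checks, replace `sample_resolver` with a lookup built on a DNS library (dnspython's `dns.resolver.resolve(name, "TXT")` returns rdata whose `.strings` hold the record chunks). The domains in the sample are hypothetical. DMARC counts as enforced only at p=quarantine or p=reject, as in the methodology; as an extra check the study does not apply, a pct=0 policy is downgraded to monitoring, since it applies the policy to none of the mail. DNSSEC is not checked here because it needs a validating resolver rather than a TXT lookup.

```python
"""Classify a carrier domain's public mail-authentication posture from DNS TXT
records, using the study's rule that DMARC is enforced only at p=quarantine
or p=reject. Added example; not EFROS tooling. Sample zone is constructed."""
import re
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]   # DNS name -> TXT strings, [] when none

# Constructed zone data standing in for live DNS (hypothetical domains).
SAMPLE_TXT = {
    "goodcarrier.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.goodcarrier.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@goodcarrier.example"],
    "_mta-sts.goodcarrier.example": ["v=STSv1; id=20260520T120000"],
    "monitoronly.example": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.monitoronly.example": ["v=DMARC1; p=none; rua=mailto:reports@monitoronly.example"],
    "fakereject.example": ["v=spf1 mx ~all"],
    "_dmarc.fakereject.example": ["v=DMARC1; p=reject; pct=0"],
    "nothing.example": ["google-site-verification=abc123"],
}

def sample_resolver(name: str) -> List[str]:
    return SAMPLE_TXT.get(name.lower().rstrip("."), [])

def parse_tags(record: str) -> Dict[str, str]:
    """Turn 'k=v; k2=v2' (DMARC, MTA-STS, TLS-RPT syntax) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_status(resolve: Resolver, domain: str) -> str:
    """Return 'missing', 'none', 'quarantine' or 'reject'."""
    records = [r for r in resolve(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if len(records) != 1:
        # zero records, or several: receivers apply no policy (RFC 7489 section 6.6.3)
        return "missing"
    tags = parse_tags(records[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "missing"   # absent or invalid p tag; treated as unusable here
    if policy != "none" and tags.get("pct", "100") == "0":
        # stricter than the study's p-tag-only rule: pct=0 applies the policy to 0% of mail
        return "none"
    return policy

def spf_status(resolve: Resolver, domain: str) -> str:
    """Classify by the qualifier on the 'all' mechanism: hardfail (-all),
    softfail (~all), neutral (?all), pass_all (+all), no_all, or missing."""
    records = [r for r in resolve(domain) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        return "missing"   # none, or several (a permerror under RFC 7208 section 3.2)
    for term in records[0].split()[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            return {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass_all"}[match.group(1) or "+"]
    return "no_all"   # no terminal 'all' (a redirect= modifier, if any, is not followed here)

def mta_sts_present(resolve: Resolver, domain: str) -> bool:
    """True when a v=STSv1 TXT record exists; the HTTPS policy file is not fetched."""
    return any(r.lower().startswith("v=stsv1") for r in resolve(f"_mta-sts.{domain}"))

def classify(resolve: Resolver, domain: str) -> Dict[str, object]:
    dmarc = dmarc_status(resolve, domain)
    spf = spf_status(resolve, domain)
    return {
        "domain": domain,
        "dmarc": dmarc,
        "dmarc_enforced": dmarc in ("quarantine", "reject"),
        "spf": spf,
        "no_auth_at_all": dmarc == "missing" and spf == "missing",
        "mta_sts": mta_sts_present(resolve, domain),
    }

def unprotected_share(resolve: Resolver, domains: List[str]) -> float:
    """Fraction of domains with no enforced DMARC, the study's headline metric."""
    results = [classify(resolve, d) for d in domains]
    return sum(1 for r in results if not r["dmarc_enforced"]) / len(results)

if __name__ == "__main__":
    domains = ["goodcarrier.example", "monitoronly.example", "fakereject.example", "nothing.example"]
    for d in domains:
        print(classify(sample_resolver, d))
    print(f"unprotected: {unprotected_share(sample_resolver, domains):.1%}")
```

Run against the sample zone, three of the four domains come back unprotected: the monitor-only domain, the domain whose p=reject is hollowed out by pct=0, and the domain with no authentication records at all. Only the last of those would be counted in the "no DMARC record" row above; the other two are the cases a p-tag-only check can over- or under-count.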
Finding 2
The protection is already paid for
| Mail provider | Share of carrier domains |
|---|---|
| Microsoft 365 | 38.1% |
| Google Workspace | 27.0% |
| Self-hosted or unidentified | 33.0% |
Microsoft 365 and Google Workspace together host the majority of carrier email. Both provide the SPF include and the per-domain DKIM signing needed to pass DMARC, but for a custom domain DKIM signing has to be switched on by the administrator, and the DMARC policy is a DNS record the carrier publishes itself; neither platform does that for you.
We found 92,822 carriers on Microsoft 365 with no enforced DMARC. These carriers are paying Microsoft every month for a security capability they have never turned on. Closing that gap is a configuration task: there is nothing left to buy.
The 33.0% on self-hosted or unidentified infrastructure carry the highest concentration of severe misconfiguration and the least administrative oversight.
Finding 3
Domain hardening is almost nonexistent
| Control | Carrier domains with it |
|---|---|
| DNSSEC | 6.1% |
| MTA-STS | 3.3% |
MTA-STS tells sending servers that mail for the carrier must be delivered only over TLS with a valid certificate, and only to the listed MX hosts, which blocks STARTTLS downgrade and MX redirection by an on-path attacker. DNSSEC lets resolvers verify that the DNS answers carrying those MX, SPF and DMARC records were not forged. Both are mature, free, and recommended by CISA and NIST. Fewer than 1 in 15 carrier domains has DNSSEC (6.1%), and fewer than 1 in 30 has MTA-STS (3.3%), leaving 96.7% with no policy enforcing encrypted transport.
Finding 4
Tens of thousands of carriers run a dead domain
21,132 active carriers list an email domain that returns no DNS records. The domain has lapsed or was never maintained.
This is a double failure. Operationally, mail to and from that address is unreliable or impossible. From a security standpoint, a lapsed domain can be re-registered by anyone, who then inherits a business identity that shippers, brokers, and factoring companies still recognize. A reactivated former carrier domain is a ready-made impersonation tool.
Finding 5
Who is most exposed
| Risk band | Score | Carriers |
|---|---|---|
| Critical | 70+ | 32,888 |
| High | 50–69 | 112,077 |
| Medium | 30–49 | 159,765 |
| Low | 15–29 | 65,166 |
| Minimal | <15 | 3,429 |
Risk score combines authentication gaps, hardening gaps, and hosting signals on a 0–100 scale. A score above 50 indicates serious, exploitable exposure. Critical + High bands together represent the most urgent remediation priority.
Worst states by carrier count: see the full ranking of all 50 states.
Business impact
What an unprotected domain actually costs
None of this is hypothetical. An unauthenticated carrier domain enables a specific, well-documented set of freight crimes:
- Double brokering: A fraudster posing as the carrier accepts a load, then re-brokers it to an unwitting second carrier and disappears with the payment.
- Payment redirection: A spoofed message from accounting@yourcarrier.com instructs a broker or factoring company to change remittance details. The next settlement lands in the fraudster's account.
- Fraudulent load confirmations: Forged rate confirmations and carrier packets move freight under a stolen identity.
Each of these depends on a receiving mail server accepting a message that should have been rejected. DMARC enforcement is the control that rejects it. Without it, the carrier's own brand becomes the attacker's most effective tool.
Remediation
What carriers should do
The fix is well understood and does not require replacing any systems. Most carriers can complete the core steps in a few hours of focused configuration.
- 1. Publish a strict SPF record
List every authorized sending system and end the record in -all (hard fail). Soft-fail (~all) only marks unlisted senders as suspicious, and most receivers deliver the mail anyway. Keep the record within SPF's limit of 10 DNS-querying terms (include, a, mx, ptr, exists, redirect); a record that exceeds it evaluates to a permanent error and protects nothing.
- 2. Enable DKIM signing
Microsoft 365 and Google Workspace both support DKIM signing directly from the admin console. It takes about ten minutes per domain.
- 3. Deploy DMARC — start at p=none, then escalate
Start monitoring-only with aggregate reporting (rua) turned on to see who sends mail in your name, fix any legitimate third-party sender the reports show as failing, then move to p=quarantine and finally p=reject.
- 4. Add MTA-STS and TLS-RPT
Enforce encrypted, monitored mail transport. The DNS records are free to publish; MTA-STS additionally needs a small policy file served over HTTPS at mta-sts.<your domain>/.well-known/mta-sts.txt listing your MX hosts, and TLS-RPT returns reports of failed TLS negotiations so a misconfiguration surfaces before it blocks mail.
- 5. Lock your domain registration
Confirm the domain is registered, current, and set to auto-renew. Enable registry lock where available. A lapsed domain can be re-registered by anyone.
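Step 3 is where carriers stall, because a p=none report is a block of XML nobody reads. What those reports contain and how to turn them into a go/no-go decision, as an added example in Python (not EFROS code): it parses a constructed DMARC aggregate report in the RFC 7489 Appendix C layout (yourcarrier.example, mail.tmsvendor.example and the documentation-range IPs are hypothetical), separates mail that aligned from unaligned mail sent by services you know and from unaligned mail sent by nobody you recognize, and recommends the next policy step only once every known sender aligns.

```python
"""Read a DMARC aggregate (rua) report and decide whether a p=none domain is
ready to move to p=quarantine, then p=reject. Added example; not EFROS code.
The report below is constructed (RFC 7489 Appendix C layout, RFC 5737 IPs)."""
import xml.etree.ElementTree as ET
from typing import Dict, Set

SAMPLE_REPORT = """
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>2026-05-20-1</report_id>
    <date_range><begin>1779148800</begin><end>1779235200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourcarrier.example</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <!-- the carrier's own Microsoft 365 tenant: aligned DKIM and SPF -->
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourcarrier.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourcarrier.example</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>yourcarrier.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- TMS vendor sending load confirmations "from" the carrier: SPF passes for
       the vendor's own domain, but nothing aligns with the From: domain -->
  <record>
    <row><source_ip>203.0.113.55</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcarrier.example</header_from></identifiers>
    <auth_results><spf><domain>mail.tmsvendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- unknown host spoofing the carrier with its own domain in MAIL FROM -->
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>400</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcarrier.example</header_from></identifiers>
    <auth_results><spf><domain>yourcarrier.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

def parse_aggregate_report(xml_text: str) -> Dict[str, object]:
    """Per source IP: message count, messages that passed DMARC (aligned DKIM
    or aligned SPF, as the receiver evaluated it), and SPF domains seen."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    sources: Dict[str, dict] = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        src = sources.setdefault(ip, {"count": 0, "aligned": 0, "spf_domains": set()})
        src["count"] += count
        src["aligned"] += count if passed else 0
        for spf in rec.findall("auth_results/spf"):
            src["spf_domains"].add(spf.findtext("domain"))
    return {"domain": published.findtext("domain"),
            "policy": published.findtext("p"), "sources": sources}

NEXT_POLICY = {"none": "quarantine", "quarantine": "reject", "reject": "reject"}

def escalation_advice(report: Dict[str, object], known_senders: Set[str]) -> Dict[str, object]:
    """Bucket unaligned volume into known third-party senders (fix their SPF/DKIM
    before escalating) and unknown sources (what an enforcing policy would stop).
    known_senders holds source IPs or SPF domains of services you have authorized."""
    aligned = unaligned_known = unaligned_unknown = 0
    to_fix = []
    for ip, src in report["sources"].items():
        aligned += src["aligned"]
        failed = src["count"] - src["aligned"]
        if not failed:
            continue
        if ip in known_senders or src["spf_domains"] & known_senders:
            unaligned_known += failed
            to_fix.append(ip)
        else:
            unaligned_unknown += failed
    ready = not to_fix   # escalate only when every known sender already aligns
    return {"aligned": aligned, "unaligned_known": unaligned_known,
            "unaligned_unknown": unaligned_unknown, "to_fix": to_fix,
            "next_policy": NEXT_POLICY[report["policy"]] if ready else report["policy"]}

if __name__ == "__main__":
    report = parse_aggregate_report(SAMPLE_REPORT)
    print(escalation_advice(report, {"mail.tmsvendor.example"}))  # hold at p=none: TMS must be fixed first
    print(escalation_advice(report, set()))                        # no inventory: advises quarantine
```

The two calls at the bottom show why the sender inventory matters. With the TMS vendor listed, the advice is to stay at p=none until that vendor signs with your DKIM key or is added to your SPF record; with an empty inventory the same 30 messages are indistinguishable from the 400 spoofed ones, the script recommends p=quarantine, and the carrier's own load confirmations would start landing in spam.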
Methodology + disclaimer
Source: FMCSA Company Census File downloaded 2026-05-20. We extracted company-controlled email domains, excluded free consumer providers (Gmail, Yahoo, Outlook) and ISP domains (Comcast, Charter), and queried public DNS only. No carrier system was accessed, probed, or logged into. DMARC is treated as enforced only when the policy is p=quarantine or p=reject. DKIM is not measured because valid DKIM selectors cannot be enumerated from outside a domain. These limits make our figures conservative — the true rate of misconfiguration is likely higher, not lower.
See where your own domain stands
The research is free and self-serve. Run the same public checks on your own domain in about a minute — SPF, DKIM, DMARC, MTA-STS, DNSSEC, and more — and get a scored report by email. No agents, no credentials.