
Healthcare Breaches Decline, But Lax Email Security Persists


Seventy-four percent of breached healthcare organizations either lacked a DMARC policy entirely or had it set to monitor-only mode, the report found.

How Paubox measured email-related breaches reported to HHS

A report by Paubox analyzed 170 email-related healthcare breach incidents disclosed to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights between January and December 2025. Researchers evaluated each breached organization's publicly observable email settings (the DNS records and policy files any third party can look up without access to the organization's systems), focusing on three protocols the report calls "the foundation of email authentication."

The report defines the three briefly: DMARC, which tells receiving servers how to handle messages that fail verification (in practice, messages that fail both SPF and DKIM alignment) and where to send failure reports; SPF, which lists the servers authorized to send mail for a domain so a receiver can check the sending address; and MTA-STS, which requires encrypted connections between mail servers to prevent interception (it tells sending servers that the domain's mail exchangers must be reached over validated TLS). DKIM, the signature check DMARC also relies on, is not one of the three scored signals. Paubox judged each breached organization on these observable settings and used that assessment to sort organizations into risk categories.

DMARC and SPF configurations: permissive defaults persisted

Paubox found that 74% of the breached organizations either had no DMARC policy or had DMARC in monitor-only mode (p=none), which asks receiving servers to report failures but not to quarantine or reject the failing messages. Over half of the organizations used permissive or missing SPF records (a soft-fail or neutral default, or no record at all), the report said, "meaning messages from unauthorized servers could still be delivered."

On the aggregate metric Paubox used to measure email authentication and encryption posture, 41% of the breached organizations fell into the highest risk category in 2025, up from 31% in 2024. At the other end of the scale, none of the breached organizations in 2025 fell into the lowest risk category, compared with 1% that had reached that level the year before.

MTA-STS: a missing line of defense across every breached organization

Not a single breached organization in the Paubox sample enforced MTA-STS, the protocol the report describes as requiring encrypted connections between mail servers to prevent interception. The contrast with the other two controls is stark: DMARC and SPF were often permissive or absent, but MTA-STS enforcement was missing from the public configuration of every breached entity the researchers examined. Without an enforced policy, mail to those domains relies on opportunistic STARTTLS, which an on-path attacker can strip to force plaintext delivery.
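The settings described in the two sections above are all public, so the same classification can be scripted. The following is an added example, not Paubox's methodology or tooling: it parses a DMARC TXT record, a domain's SPF record and an MTA-STS policy, labels each as missing, monitor/testing, partial or enforcing, and lists the gaps. The posture labels are this example's own, not the report's risk categories, and the two domains and their records are constructed (the .example TLD is reserved). The Microsoft 365 include hostname is the real one, used only so the samples look like the platform the report singles out.

```python
"""Posture checks for the three email controls the Paubox report scores
(DMARC, SPF, MTA-STS). Added example, not Paubox's methodology or tooling.
Posture labels and the sample records below are constructed."""


def dmarc_posture(txt):
    """Classify a _dmarc.<domain> TXT record.

    Returns 'missing' (no usable record), 'monitor' (p=none: receivers report
    failures but do not act on them), 'partial' (an enforcing policy applied
    to only pct% of failing mail) or 'enforce' (quarantine/reject for all).
    """
    if not txt:
        return "missing"
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    # v= and p= are mandatory; receivers ignore a record that lacks either
    if tags.get("v") != "dmarc1" or "p" not in tags:
        return "missing"
    if tags["p"] == "none":
        return "monitor"
    if tags["p"] not in ("quarantine", "reject"):
        return "missing"  # unknown policy value: record is malformed
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    return "enforce" if pct >= 100 else "partial"


def spf_posture(txt_records):
    """Classify a domain's SPF record from the TXT records at its apex.

    Returns 'missing' (no record, or more than one, which receivers treat as
    a permanent error), 'permissive' (no 'all' term, or +all/?all/~all, so
    mail from unlisted servers is not rejected on SPF alone) or 'enforce'
    (-all, the hard-fail default).
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return "missing"
    for term in spf[0].split()[1:]:
        # evaluation stops at the first 'all' mechanism; later terms are ignored
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mechanism = term.lstrip("+-~?").lower()
        if mechanism == "all":
            return "enforce" if qualifier == "-" else "permissive"
    return "permissive"  # no 'all': unlisted senders evaluate to neutral


def mta_sts_posture(dns_txt, policy_text):
    """Classify MTA-STS from the _mta-sts.<domain> TXT record and the policy
    body served at https://mta-sts.<domain>/.well-known/mta-sts.txt.

    Returns 'missing', 'testing' (policy published but senders only report
    TLS failures) or 'enforce' (senders must not deliver without valid TLS
    to a listed MX).
    """
    if not dns_txt or not policy_text or "v=stsv1" not in dns_txt.lower():
        return "missing"
    fields = {}
    for line in policy_text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip().lower()
    if fields.get("version") != "stsv1":
        return "missing"
    mode = fields.get("mode", "none")
    # mode: none tells senders to drop any cached policy, so it is no protection
    return mode if mode in ("enforce", "testing") else "missing"


def assess(domain, dmarc_txt, txt_records, mta_sts_txt, mta_sts_policy):
    """Return the three postures plus the controls that are not enforcing."""
    result = {
        "domain": domain,
        "dmarc": dmarc_posture(dmarc_txt),
        "spf": spf_posture(txt_records),
        "mta_sts": mta_sts_posture(mta_sts_txt, mta_sts_policy),
    }
    result["gaps"] = [c for c in ("dmarc", "spf", "mta_sts") if result[c] != "enforce"]
    return result


# Constructed records for two hypothetical domains.
SAMPLES = {
    "permissive-clinic.example": dict(
        dmarc_txt="v=DMARC1; p=none; rua=mailto:dmarc@permissive-clinic.example",
        txt_records=["v=spf1 include:spf.protection.outlook.com ~all", "MS=ms12345678"],
        mta_sts_txt="v=STSv1; id=20250101000000Z",
        mta_sts_policy="version: STSv1\nmode: testing\nmx: *.mail.protection.outlook.com\nmax_age: 86400\n",
    ),
    "hardened-clinic.example": dict(
        dmarc_txt="v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened-clinic.example",
        txt_records=["v=spf1 include:spf.protection.outlook.com -all"],
        mta_sts_txt="v=STSv1; id=20250101000000Z",
        mta_sts_policy="version: STSv1\nmode: enforce\nmx: *.mail.protection.outlook.com\nmax_age: 604800\n",
    ),
}


def assess_all():
    """Run the checks over every sample domain."""
    return {domain: assess(domain, **records) for domain, records in SAMPLES.items()}


if __name__ == "__main__":
    for report in assess_all().values():
        print(report)
```

To run this against a real domain, feed `assess` the TXT records from `_dmarc.<domain>` and the apex, the `_mta-sts.<domain>` TXT record, and the body fetched from `https://mta-sts.<domain>/.well-known/mta-sts.txt`; the first sample above reproduces the combination the report found most often (p=none, ~all, no enforced MTA-STS).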

Microsoft 365’s growing footprint among breached organizations

The report notes a rising concentration of breached organizations using Microsoft 365 as their primary email platform: 53% in 2025, up from 43% in 2024. Among those organizations using Microsoft 365, Paubox reported that one-third had DMARC in monitor-only mode and nearly half used soft-fail (~all) SPF records. In other words, a majority of breached organizations were on the same platform, and a substantial share of those had left authentication in a permissive state that the platform itself does not require.

What this means for technologists, policymakers, and healthcare procurement leaders

  • Technologists and security teams will see clear targets in the Paubox findings: the high prevalence of monitor-only DMARC, permissive or missing SPF, and the universal lack of MTA-STS enforcement are specific, observable gaps they can measure and remediate within their environments.
  • Policymakers and regulators who track breach disclosures via the HHS Office for Civil Rights will note two concurrent trends in the Paubox data: a modest drop in the count of breached organizations (from 180 in 2024 to 170 in 2025) alongside a larger share in the highest configuration risk band (41%, up from 31%). That combination suggests fewer incidents, but deeper misconfigurations among those still affected.
  • Healthcare procurement leaders and IT decision-makers will find the Microsoft 365 figures relevant for vendor audit and configuration review: with 53% of breached organizations using that platform and many of those showing permissive DMARC and SPF settings, platform-native configuration and enforcement controls are a concrete place to look for improvement.

The Paubox analysis offers a precise, if sobering, snapshot: fewer publicly reported email-related breaches in healthcare in 2025, but a larger share of the affected organizations showing weak, permissive, or missing email authentication and encryption settings. The report ends on a pointed contrast, a small decline in breach counts alongside a measurable rise in configuration risk, with one practical implication visible in the data: the breaches that remain cluster in organizations with predictable, observable gaps in email controls. The summary does not compare against organizations that were not breached, so the findings describe the breached population rather than prove that these gaps caused each incident.

Read the original Paubox report summary