Which healthcare brands can be spoofed in email?
Healthcare brands are a high-precision impersonation target because the messages can be tailored to specific patient anxieties ('appointment confirmation', 'lab results ready'). Insurance carriers tend to be locked down (regulatory pressure); pharmacies and clinical networks are mixed.
| Tier | Brands | Criteria |
|---|---|---|
| Spoofable | 2 (20%) | No DMARC, or DMARC at p=none. Anyone can send from these domains. |
| Partial protection | 4 (40%) | DMARC at p=quarantine, or p=reject with pct<100. Spoofed mail may slip through. |
| Not practically spoofable | 4 (40%) | DMARC p=reject pct=100 + SPF -all or DKIM. Spoofed mail rejected at SMTP. |

| Brand | Domain | Verdict |
|---|---|---|
| Kaiser Permanente | kp.org | Spoofable |
| Mayo Clinic | mayoclinic.org | Spoofable |
| CVS Health | cvs.com | Maybe |
| Cigna | cigna.com | Maybe |
| HCA Healthcare | hcahealthcare.com | Maybe |
| Walgreens | walgreens.com | Maybe |
| Anthem (Elevance Health) | elevancehealth.com | Protected |
| Cleveland Clinic | clevelandclinic.org | Protected |
| Humana | humana.com | Protected |
| UnitedHealthcare | uhc.com | Protected |
What does "spoofable" actually mean?
A domain is spoofable when a third party can send mail FROM addresses at that domain (e.g. [email protected]) and have it land in inboxes. The mechanism that prevents this is DMARC enforcement combined with SPF and DKIM. Without all three, receivers have no policy to apply against unauthorised senders.
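
For checking records on a domain you administer, the three tiers above can be expressed as a small classifier. This is an added example, not the site's own scoring code: the function names and the sample records (all on reserved `.example` names) are constructed, DKIM presence is passed in by the caller, and treating `p=reject pct=100` without SPF `-all` or DKIM as partial protection is an assumption the page does not spell out.

```python
def parse_tags(record):
    """Parse a 'tag=value; tag=value' TXT record into a lowercase dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def classify(dmarc, spf, has_dkim):
    """Map published records to the page's tiers.

    dmarc / spf: TXT record strings, or None when nothing is published.
    has_dkim: supplied by the caller, because DKIM selectors cannot be
    discovered from the DMARC record itself.
    """
    tags = parse_tags(dmarc) if dmarc else {}
    if tags.get("v") != "dmarc1":
        return "spoofable"  # no record, or not a DMARC record
    policy = tags.get("p", "none")
    if policy not in ("quarantine", "reject"):
        return "spoofable"  # p=none only monitors, it blocks nothing
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 (RFC 7489)
    except ValueError:
        pct = 0  # assumption: score a malformed pct conservatively
    spf_hard_fail = bool(spf) and "-all" in spf.lower().split()
    if policy == "reject" and pct == 100 and (spf_hard_fail or has_dkim):
        return "not practically spoofable"
    return "partial protection"


# Constructed sample records: (DMARC TXT, SPF TXT, domain signs with DKIM)
SAMPLES = {
    "no-dmarc.example": (None, "v=spf1 mx ~all", False),
    "monitor.example": ("v=DMARC1; p=none; rua=mailto:agg@monitor.example",
                        "v=spf1 mx -all", True),
    "ramping.example": ("v=DMARC1; p=reject; pct=50", "v=spf1 mx -all", True),
    "quarantine.example": ("v=DMARC1; p=quarantine", "v=spf1 mx -all", True),
    "enforced.example": ("v=DMARC1; p=reject", "v=spf1 mx -all", False),
}

if __name__ == "__main__":
    for domain, (dmarc, spf, dkim) in SAMPLES.items():
        print(f"{domain:20} {classify(dmarc, spf, dkim)}")
```

Note that `monitor.example` scores as spoofable even with SPF `-all` and DKIM in place, because `p=none` gives receivers no instruction to act on a failure.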