NHS

Understanding the Security Status

✓ Green (Secure): A valid DMARC policy is active. The domain is protected because the policy is set to either quarantine or reject, effectively blocking or flagging unauthorized emails as mandated in the Payment Card Industry Data Security Standard (PCI DSS).
× Red (Inadequate): The domain fails to meet the "low bar" set by PCI DSS as the minimum requirement for protection. This occurs if the record is missing, duplicated, or if the policy is set to none (monitoring mode only), which does not stop spoofing attempts.

DMARC records are cached and refreshed periodically. The logic has been updated in line with RFC 9989, published in May 2026, and now uses DNS Tree Walk.

Background

Email migrated from @nhs.net to @nhs.scot in 2021 for £2.5M as per FOI.

The question then needs to be asked: why don’t ALL other NHS domain names have DMARC records defined to effectively prohibit their use and thereby minimise their potential for fraud/misuse?

Is there any concept of IT Governance within the NHS? Because there doesn’t appear to be. Remember, most data breaches start with an email; therefore, DMARC should be seen as the first line of defence.

Old email domain for NHS Scotland

nhs.net →

DMARC Record: _dmarc.nhs.net
v=DMARC1; p=reject;pct=100;rua=mailto:8376428f@mxtoolbox.dmarc-report.com;ruf=mailto:postmaster@nhs.net,mailto:8376428f@forensics.dmarc-report.com
✓ Secure: Single valid policy detected

New email domain for NHS Scotland

nhs.scot →

DMARC Record: _dmarc.nhs.scot
v=DMARC1; p=reject; fo=1; rua=mailto:rua+nhs.scot@dmarc.barracudanetworks.com; ruf=mailto:ruf+nhs.scot@dmarc.barracudanetworks.com; sp=none; pct=100
× Warning: Subdomain policy (sp=none) leaves subdomains vulnerable

 

Corporate Governance

There are two domains I’m aware of relating to cybersecurity and governance for NHS Scotland.

digihealthcare.scot →

DMARC Status: No valid DMARC record found.

This domain is described as Cyber Security and Technical Assurance.

One of their key responsibilities is described as:

  • ‘Providing expertise on information governance, assurance and cyber security.’

informationgovernance.scot.nhs.uk →

DMARC Record: inherited from _dmarc.nhs.uk
v=DMARC1; p=reject; sp=none;adkim=s;aspf=s;fo=1; rua=mailto:A-NE.postmaster@nhs.net,mailto:dmarc-rua@dmarc.service.gov.uk
× Warning: Subdomain policy (sp=none) leaves subdomains vulnerable

This domain appears to be the overarching corporate governance framework for managing all risks related to the confidentiality, integrity, and availability of all types of written, spoken, and computer information.

 

It’s good that the email domain has been standardised across the Scottish NHS. This strong identity isn’t just for branding; it also enhances security by helping people identify which domains to trust. The domain names for the 14 NHS Boards are inconsistent. One being xx.net, one xx.co.uk, some xx.scot.nhs.uk, some xx.com, some xx.scot and even a couple xx.org

Not only have the individual boards failed to maintain consistent naming standards, but they have also failed to implement adequate DMARC protection for those domain names.

NHS Scotland has 14 regional NHS Boards

Ayrshire & Arran

nhsaaa.net →

DMARC Status: No valid DMARC record found.

Borders

nhsborders.scot.nhs.uk →

DMARC Record: inherited from _dmarc.nhs.uk
v=DMARC1; p=reject; sp=none;adkim=s;aspf=s;fo=1; rua=mailto:A-NE.postmaster@nhs.net,mailto:dmarc-rua@dmarc.service.gov.uk
× Warning: Subdomain policy (sp=none) leaves subdomains vulnerable

Dumfries & Galloway

nhsdg.co.uk →

DMARC Status: No valid DMARC record found.

Fife

nhsfife.org →

DMARC Record: _dmarc.nhsfife.org
v=DMARC1; p=quarantine; rua=mailto:dmarc@nhsfife.org; ruf=mailto:dmarc@nhsfife.org; fo=1; pct=50; adkim=s; aspf=s
× Warning: Policy is only applied to 50% of messages (pct=50)

Forth Valley

nhsforthvalley.com →

DMARC Status: No valid DMARC record found.

Grampian

nhsgrampian.org →

DMARC Record: _dmarc.nhsgrampian.org
v=DMARC1; p=reject; rua=mailto:gram.web@nhs.scot; ruf=mailto:gram.web@nhs.scot; fo=1
✓ Secure: Single valid policy detected

Greater Glasgow & Clyde

nhsggc.scot →

DMARC Record: _dmarc.nhsggc.scot
v=DMARC1;p=reject;pct=100;rua=mailto:ggc.webteam@nhs.scot;ruf=mailto:ggc.webteam@nhs.scot
✓ Secure: Single valid policy detected

Highland

nhshighland.scot.nhs.uk →

DMARC Record: inherited from _dmarc.nhs.uk
v=DMARC1; p=reject; sp=none;adkim=s;aspf=s;fo=1; rua=mailto:A-NE.postmaster@nhs.net,mailto:dmarc-rua@dmarc.service.gov.uk
× Warning: Subdomain policy (sp=none) leaves subdomains vulnerable

Lanarkshire

nhslanarkshire.scot.nhs.uk →

DMARC Record: inherited from _dmarc.nhs.uk
v=DMARC1; p=reject; sp=none;adkim=s;aspf=s;fo=1; rua=mailto:A-NE.postmaster@nhs.net,mailto:dmarc-rua@dmarc.service.gov.uk
× Warning: Subdomain policy (sp=none) leaves subdomains vulnerable

Lothian

nhslothian.scot →

DMARC Status: No valid DMARC record found.

Orkney

ohb.scot.nhs.uk →

DMARC Record: _dmarc.ohb.scot.nhs.uk
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@ohb.scot.nhs.uk; ruf=mailto:dmarc-forensics@ohb.scot.nhs.uk; fo=1; adkim=s; aspf=s; sp=reject
✓ Secure: Single valid policy detected

Shetland

nhsshetland.scot →

DMARC Record: _dmarc.nhsshetland.scot
v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;
✓ Secure: Single valid policy detected

Tayside

nhstayside.scot.nhs.uk →

DMARC Record: inherited from _dmarc.nhs.uk
v=DMARC1; p=reject; sp=none;adkim=s;aspf=s;fo=1; rua=mailto:A-NE.postmaster@nhs.net,mailto:dmarc-rua@dmarc.service.gov.uk
× Warning: Subdomain policy (sp=none) leaves subdomains vulnerable

Western Isles

wihb.scot.nhs.uk →

DMARC Record: _dmarc.wihb.scot.nhs.uk
v=DMARC1; p=reject; pct=100; rua=mailto:wi.dmarcreports@nhs.scot; ruf=mailto:wi.dmarcreports@nhs.scot; fo=1; adkim=s; aspf=s; sp=reject
✓ Secure: Single valid policy detected

 

NHS Scotland also has some Special NHS Boards

Public Health Scotland

publichealthscotland.scot →

DMARC Record: _dmarc.publichealthscotland.scot
v=DMARC1; p=quarantine; rua=mailto:postmaster@publichealthscotland.scot; adkim=s; aspf=s
✓ Secure: Single valid policy detected

phs.scot →

DMARC Record: _dmarc.phs.scot
v=DMARC1;p=reject;rua=mailto:Q9mW81Ps5zu@dmarc-rua.mailcheck.service.ncsc.gov.uk;
✓ Secure: Single valid policy detected

Healthcare Improvement Scotland

healthcareimprovementscotland.scot →

DMARC Record: _dmarc.healthcareimprovementscotland.scot
v=DMARC1; p=none;
× Warning: Main policy (p=none) is for monitoring only and does not prevent spoofing

NHS Education for Scotland

nes.scot.nhs.uk →

DMARC Record: _dmarc.nes.scot.nhs.uk
v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@dmarc.service.gov.uk
✓ Secure: Single valid policy detected

NHS National Waiting Times Centre

nhsgoldenjubilee.co.uk →

DMARC Status: No valid DMARC record found.

nhscfsd.co.uk →

DMARC Status: No valid DMARC record found.

NHS 24

nhs24.scot →

DMARC Record: _dmarc.nhs24.scot
v=DMARC1; p=quarantine; pct=100; fo=1; ri=3600; rua=mailto:a1adc113@inbox.ondmarc.com,mailto:JSJNXDoBqYu@dmarc-rua.mailcheck.service.ncsc.gov.uk; ruf=mailto:a1adc113@inbox.ondmarc.com
✓ Secure: Single valid policy detected

Scottish Ambulance Service

scottishambulance.com →

DMARC Record: _dmarc.scottishambulance.com
v=DMARC1; p=reject; aspf=s;
✓ Secure: Single valid policy detected

The State Hospitals Board for Scotland

tsh.scot.nhs.uk →

DMARC Record: inherited from _dmarc.nhs.uk
v=DMARC1; p=reject; sp=none;adkim=s;aspf=s;fo=1; rua=mailto:A-NE.postmaster@nhs.net,mailto:dmarc-rua@dmarc.service.gov.uk
× Warning: Subdomain policy (sp=none) leaves subdomains vulnerable

NHS National Services Scotland

nss.nhs.scot →

DMARC Record: inherited from _dmarc.nhs.scot
v=DMARC1; p=reject; fo=1; rua=mailto:rua+nhs.scot@dmarc.barracudanetworks.com; ruf=mailto:ruf+nhs.scot@dmarc.barracudanetworks.com; sp=none; pct=100
× Warning: Subdomain policy (sp=none) leaves subdomains vulnerable

 

Other domains significant to NHS Scotland

High profile NHS website

nhsinform.scot →

DMARC Record: _dmarc.nhsinform.scot
v=DMARC1; p=reject; pct=100; fo=1; ri=3600; rua=mailto:a1adc113@inbox.ondmarc.com,mailto:JSJNXDoBqYu@dmarc-rua.mailcheck.service.ncsc.gov.uk; ruf=mailto:a1adc113@inbox.ondmarc.com
✓ Secure: Single valid policy detected

Golden Jubilee National Hospital

gjnh.scot.nhs.uk →

DMARC Record: inherited from _dmarc.nhs.uk
v=DMARC1; p=reject; sp=none;adkim=s;aspf=s;fo=1; rua=mailto:A-NE.postmaster@nhs.net,mailto:dmarc-rua@dmarc.service.gov.uk
× Warning: Subdomain policy (sp=none) leaves subdomains vulnerable

NHS Research Scotland

nhsresearchscotland.org.uk →

DMARC Record: _dmarc.nhsresearchscotland.org.uk
v=DMARC1; p=reject
✓ Secure: Single valid policy detected

Health Scotland – now superseded by Public Health Scotland website

healthscotland.scot →

DMARC Status: No valid DMARC record found.

Scottish National Blood Transfusion Service (SNBTS)

scotblood.co.uk →

DMARC Status: No valid DMARC record found.

 

Some NHS Lanarkshire examples

Used on official headed paper printed letters from NHS Lanarkshire

nhslanarkshire.org.uk →

DMARC Status: No valid DMARC record found.

Re-directs to the primary website address

nhslanarkshire.scot →

DMARC Status: No valid DMARC record found.

Used for email addresses such as info@lanarkshire.scot.nhs.uk in printed leaflets

lanarkshire.scot.nhs.uk →

DMARC Record: inherited from _dmarc.nhs.uk
v=DMARC1; p=reject; sp=none;adkim=s;aspf=s;fo=1; rua=mailto:A-NE.postmaster@nhs.net,mailto:dmarc-rua@dmarc.service.gov.uk
× Warning: Subdomain policy (sp=none) leaves subdomains vulnerable

Appears to be the primary website address

nhslanarkshire.scot.nhs.uk →

DMARC Record: inherited from _dmarc.nhs.uk
v=DMARC1; p=reject; sp=none;adkim=s;aspf=s;fo=1; rua=mailto:A-NE.postmaster@nhs.net,mailto:dmarc-rua@dmarc.service.gov.uk
× Warning: Subdomain policy (sp=none) leaves subdomains vulnerable

 

Other Government domains for comparison

Domain used for MP’s email addresses

parliament.uk →

DMARC Record: _dmarc.parliament.uk
v=DMARC1; p=quarantine; rua=mailto:e734592d5cde933@rep.dmarcanalyzer.com; ruf=mailto:e734592d5cde933@for.dmarcanalyzer.com; pct=100; sp=quarantine; fo=1;
✓ Secure: Single valid policy detected

Domain used for MSP’s email addresses

parliament.scot →

DMARC Record: _dmarc.parliament.scot
v=DMARC1; p=reject; rua=mailto:aArJj2d6PP7@dmarc-rua.mailcheck.service.ncsc.gov.uk,mailto:dmarc@parliament.scot; ruf=mailto:ITSrvNetSupp@parliament.scot; fo=0:1:d:s; pct=100
✓ Secure: Single valid policy detected

Domain used for Government email addresses such as the Cabinet Secretary for Health and Social Care

gov.scot →

DMARC Record: _dmarc.gov.scot
v=DMARC1; p=reject; pct=100; sp=none; rua=mailto:0a819833@inbox.ondmarc.com,mailto:dmarc-rua@dmarc.service.gov.uk; ruf=mailto:0a819833@inbox.ondmarc.com,mailto:dmarc@gov.scot; adkim=r; aspf=r; fo=1; rf=afrf; ri=3600
× Warning: Subdomain policy (sp=none) leaves subdomains vulnerable

National Cyber Security Centre – yes, they do follow their own advice!

ncsc.gov.uk →

DMARC Record: _dmarc.ncsc.gov.uk
v=DMARC1;p=reject;adkim=s;aspf=s;rua=mailto:dmarc-rua@dmarc.service.gov.uk;
✓ Secure: Single valid policy detected

 

Hospice Care

Palliative Care Scotland

Accord Hospice

accord.org.uk →

DMARC Record: _dmarc.accord.org.uk
v=DMARC1; p=quarantine; rua=mailto:authreports@mcts.co.uk; ruf=mailto:authreports@mcts.co.uk; rf=afrf; fo=1; pct=100; adkim=r; aspf=r
✓ Secure: Single valid policy detected

Ardgowan Hospice

ardhosp.co.uk →

DMARC Status: No valid DMARC record found.

ardgowanhospice.org →

DMARC Record: _dmarc.ardgowanhospice.org
v=DMARC1; p=none;
× Warning: Main policy (p=none) is for monitoring only and does not prevent spoofing

ardgowanhospice.org.uk →

DMARC Status: No valid DMARC record found.

Ayrshire Hospice

ayrshirehospice.org →

DMARC Record: _dmarc.ayrshirehospice.org
v=DMARC1; p=none;
× Warning: Main policy (p=none) is for monitoring only and does not prevent spoofing

Bethesda Hospice

bethesdahospice.co.uk →

DMARC Status: No valid DMARC record found.

Highland Hospice

highlandhospice.org.uk →

DMARC Record: _dmarc.highlandhospice.org.uk
v=DMARC1; p=quarantine; rua=mailto:dmarc@highlandhospice.org.uk; ruf=mailto:dmarc@highlandhospice.org.uk; fo=1;
✓ Secure: Single valid policy detected

highlandhospice.org →

DMARC Status: No valid DMARC record found.

Kilbryde Hospice

kilbrydehospice.org.uk →

DMARC Record: _dmarc.kilbrydehospice.org.uk
v=DMARC1; p=quarantine; pct=100; fo=1; rua=mailto:security@kilbrydehospice.org.uk
✓ Secure: Single valid policy detected

Marie Curie Hospice

mariecurie.org.uk →

DMARC Record: _dmarc.mariecurie.org.uk
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_agg@vali.email,mailto:itsecurityreports@mariecurie.org.uk; ruf=mailto:itsecurityreports@mariecurie.org.uk; fo=1
✓ Secure: Single valid policy detected

St Andrew’s Hospice

st-andrews-hospice.com →

DMARC Record: _dmarc.st-andrews-hospice.com
v=DMARC1; p=none; rua=mailto:998757dbd4a54adfa7995a83457d8b51@dmarc-reports.cloudflare.net
× Warning: Main policy (p=none) is for monitoring only and does not prevent spoofing

St Columba’s Hospice

stcolumbashospice.org.uk →

DMARC Record: _dmarc.stcolumbashospice.org.uk
v=DMARC1; p=none;
× Warning: Main policy (p=none) is for monitoring only and does not prevent spoofing

St Margaret of Scotland Hospice

smh.org.uk →

DMARC Record: _dmarc.smh.org.uk
v=DMARC1; p=none; rua=mailto:dmarc-rua@dmarc.service.gov.uk;
× Warning: Main policy (p=none) is for monitoring only and does not prevent spoofing

St Vincent’s Hospice

svh.co.uk →

DMARC Status: No valid DMARC record found.

Strathcarron Hospice

strathcarronhospice.net →

DMARC Status: No valid DMARC record found.

 

Little wonder the NHS has been subjected to numerous data breaches given the obvious failings in IT governance.