12 June 2026 · 8 min read

Most Law Firms Can't Stop Criminals Emailing Clients in Their Name

We read the public security records of 65,266 law firms across 12 countries. 76.8% have no working defence against domain spoofing, the technique behind most conveyancing and wire fraud. The software behind their websites tells the same story.

76.8% of law firms have no working protection against someone sending email in their name (exposed: 76.8%, protected: 23.2%).

Headline figures:
  • 65,266 law firms checked
  • 76.8% exposed to spoofing
  • 14.3% fully protected
  • 12 countries

Almost every law firm runs on email, and the most sensitive moments in a matter, completion statements, payment instructions, settlement letters, still travel as ordinary messages from a name the client already trusts. That trust is what attackers exploit. The most common vector behind conveyancing and wire fraud is not a hack of the firm. It is an email that looks like it came from the firm.

There is a free, well established defence. Three public records in a domain’s DNS let any mail server verify a message really came from the firm and reject it if it did not: SPF (who may send), DKIM (a cryptographic signature) and DMARC (what to do with mail that fails). We read these records for the 65,266 firms we monitor that have live email, across 12 countries. We touched no systems. Anyone can run the same lookups.

Three in four firms are exposed

DMARC is what turns SPF and DKIM into a defence: the instruction that tells the receiving server to reject or quarantine a forged message. Without it set to enforce, a spoofed email lands straight in the client’s inbox.

Share of 65,266 law firms with email, by whether DMARC is set to enforce: 23.2% enforcing DMARC, 76.8% no working protection.

How law firms configure DMARC:
  • No DMARC at all: 49.0% · 31,981 firms
  • Invalid / broken record: 2.4% · 1,535
  • p=none (monitor only, no protection): 25.4% · 16,586
  • p=quarantine (enforced): 12.1% · 7,891
  • p=reject (enforced, strongest): 11.1% · 7,273

The "p=none" group is the quiet trap. The record exists, a checkbox somewhere is ticked, but it tells receiving servers to do nothing. A quarter of all firms sit here believing they are covered.
Half of all law firms publish no DMARC record at all. Another quarter publish one that does nothing.

The country league table

Enforcement is uneven. Ranked by the share of firms with DMARC set to enforce, no country clears one in three.

DMARC enforcement by country (the first figure is the share of firms enforcing DMARC, the second the number of firms checked):
  1. Netherlands: 29.4% (3,967)
  2. United Kingdom: 28.5% (5,967)
  3. Germany: 27.3% (12,532)
  4. Canada: 26.1% (2,504)
  5. South Africa: 25.3% (2,902)
  6. Ireland: 21.9% (1,874)
  7. United States: 19.6% (7,279)
  8. Poland: 19.3% (2,489)
  9. Austria: 16.9% (1,988)
  10. Spain: 16% (3,996)
  11. Czech Republic: 11% (2,557)
  12. Japan: 3.6% (1,874)

The United States, the largest market in the table, trails the UK, the Netherlands and Germany at 19.6%. Japan sits last at 3.6%, fewer than one firm in twenty-five.

SPF: the lock most firms leave loose

DMARC only bites if SPF underneath it is strict. SPF should end in a "hardfail" ("-all") that tells servers to refuse mail from anywhere not on the approved list. A "softfail" ("~all") asks them to accept it anyway and merely flag it. Over a third of firms leave SPF on softfail.

SPF strictness across firms with email:
  • Hardfail "-all" (strict): 52.6%
  • Softfail "~all" (weak): 36.0%
  • No SPF at all: 7.9%
  • Neutral "?all": 1.9%
  • No fail rule set: 1.6%

14.3% of law firms have both core anti-spoofing controls switched on, enforced DMARC and hardfail SPF: 9,355 of 65,266 firms.

Email is not the only open door

The same public scan that reads a firm’s DNS also sees the software running its website. Outdated software is a second, equally public weakness: every retired version ships with a list of known, documented vulnerabilities anyone can look up.

Of the 11,085 firms that disclose a PHP version, 49.5% run a version of PHP that no longer receives security patches.

WordPress powers five of every six law firm sites that use a recognisable platform. Most keep it current, but 1,695 firms, one in ten that reveal a version, run a release more than four years old, carrying years of unpatched core code.

Basic web hardening is thin too. Only 12.2% of firms send a Content-Security-Policy header, the browser-side control that blunts script injection, and 433 firms still serve their homepage over plain, unencrypted HTTP.

Why this is a client problem, not an IT footnote

When a firm cannot stop its domain being spoofed, the victim is rarely the firm. It is the client who receives a message that appears to come from their solicitor, on the day completion funds are due, with new bank details. The money leaves, the account vanishes, and the first call is to the firm whose name was on the email.

The firm that gets spoofed does not lose the money. Its client does. The reputational bill still lands on the firm.

None of this needs a breach. The records are public, the gaps are public, and an attacker can find an unprotected firm in seconds, the same way we found tens of thousands. The fixes are public too, and most take an afternoon. The striking thing is how few firms have spent it.

How we measured this

Method and limits
  • We queried the public DNS records (MX, SPF and DMARC) of every law firm in our monitored set that publishes live email records: 65,266 firms across 12 countries. These are the same lookups any mail server performs and any member of the public can run.
  • DMARC was counted as "enforcing" only when the record is valid and its policy is "quarantine" or "reject". Records set to "p=none", malformed records, and stray text records were all counted as not protecting the domain.
  • We deliberately do not report a DKIM adoption rate. A DKIM record sits at a sender-chosen "selector" (selector._domainkey.domain) that cannot be enumerated from DNS, so its absence at any selector you happen to test proves nothing. SPF and DMARC live at fixed, predictable names and can be read reliably for every domain; DKIM cannot, so every figure here rests on SPF and DMARC alone.
  • A firm was counted as "fully protected" only when it both enforces DMARC and publishes SPF with a hardfail ("-all") rule.
  • Software figures come from the public response headers and page markup of firms that disclose them (PHP version, CMS version, server software). Only firms that reveal a given detail are counted, so those shares describe the firms that disclose, not every firm.
  • This is a sample of the firms we monitor, not a census of every law firm on earth. A small share of domains in any large set are not pure law firms (corporates, estate agents). Those tend to have better security than average, so the true picture for firms alone is, if anything, slightly worse than the figures shown.
  • No firm is named anywhere in this article. The data is reported only in aggregate.
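As an added illustration (not code from the original article), the classifier below applies the counting rules above, and the SPF hardfail/softfail/neutral buckets from the earlier section, to constructed SPF and DMARC TXT records. The domains and records are invented samples, not real firms; the rules follow the article: DMARC counts as enforcing only when the record is valid and its policy is quarantine or reject, and "fully protected" additionally requires SPF to end in "-all".

```python
import re
from collections import Counter

# Constructed sample TXT records for hypothetical domains (not real firms). In practice
# SPF is the TXT record at <domain> and DMARC the TXT record at _dmarc.<domain>.
SAMPLES = {
    "firm-a.test": {"spf": "v=spf1 include:_spf.example.net -all",
                    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@firm-a.test"},
    "firm-b.test": {"spf": "v=spf1 ip4:192.0.2.10 ~all",
                    "dmarc": "v=DMARC1; p=none; rua=mailto:reports@firm-b.test"},
    "firm-c.test": {"spf": "v=spf1 a mx ?all", "dmarc": None},
    "firm-d.test": {"spf": None, "dmarc": "p=quarantine"},  # no v=DMARC1 tag: broken
}
SPF_QUALIFIER = {"-": "hardfail", "~": "softfail", "?": "neutral"}

def spf_class(txt):
    """Bucket an SPF record by its terminating 'all' mechanism, as the article does."""
    if txt is None or not txt.lower().startswith("v=spf1"):
        return "no SPF"
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt.lower())
    if not m:                       # no 'all' term, e.g. a bare redirect=
        return "no fail rule"
    return SPF_QUALIFIER.get(m.group(1), "no fail rule")  # '+all'/'all' refuse nothing

def dmarc_class(txt):
    """Bucket a DMARC record: 'no DMARC', 'invalid', or its p= policy."""
    if txt is None:
        return "no DMARC"
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0] != "v=DMARC1":  # RFC 7489: v=DMARC1 must come first
        return "invalid"
    tags = {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in parts if "=" in p)}
    policy = tags.get("p", "").lower()
    return policy if policy in ("none", "quarantine", "reject") else "invalid"

def fully_protected(rec):
    """The article's strictest bucket: enforced DMARC plus hardfail SPF."""
    return (dmarc_class(rec["dmarc"]) in ("quarantine", "reject")
            and spf_class(rec["spf"]) == "hardfail")

def tally(records):
    """Aggregate the buckets the article reports over a set of domains."""
    spf, dmarc, protected = Counter(), Counter(), 0
    for rec in records.values():
        spf[spf_class(rec["spf"])] += 1
        dmarc[dmarc_class(rec["dmarc"])] += 1
        protected += fully_protected(rec)
    return {"spf": dict(spf), "dmarc": dict(dmarc), "fully_protected": protected}
```

Feeding it real lookups only needs a TXT resolver in place of the SAMPLES dict; the bucketing, including the "p=none looks protected but is not" case, stays the same.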

The numbers will move as firms tighten up, and we will keep checking. If you want to know where a specific firm or a whole market sits today, the records are there to be read.

See your own exposure

Find out if your firm can be spoofed.

Get in touch and we will run the same public checks against your domain, tell you exactly where the gaps are, and show you how to close them. No access to your systems required.
