Signed, Your Council · by Crowswatch

How easily can someone email your residents pretending to be the council?

We checked the public email security of UK councils across all four nations: how easily a scammer could spoof a council domain to send residents fake council tax demands, fines, or benefit messages. It is a defined technical state, not a judgement, and every check is a public DNS lookup.

6 of 197 councils have not enabled the standard protection that stops criminals impersonating them to residents.

All checks are public DNS lookups: standard, non-intrusive security research. Last checked 13 July 2026.

Nation by nation

Pick a nation, see its councils

Each tile is a nation: its average grade, average score, and how many councils enforce DMARC. Select one to see its councils ranked. Tap any council for the checks behind its grade. A council marked spoofable has not enabled DMARC enforcement, so its domain can still be impersonated.

England, ranked

132 councils

Methodology

How we score, in full

Every score is out of 100 and reproducible from public DNS. The control that actually stops spoofing, DMARC enforcement, carries the most weight. This is the same scoring used across Crowswatch research.

DMARC policyreject 55, quarantine 44, p=none 8, no record 0
SPFhard fail -all 22, soft ~all 15, neutral ?all 4, +all or missing 0
DKIMsignature detected 13
MTA-STS (bonus)published 4
TLS-RPT (bonus)published 3
BIMI (bonus)published 3

Grades: A from 90, B from 75, C from 60, D from 45, E from 25, F from 0. Only a reject policy can reach an A.

A DMARC record set to p=none is published but not protecting, so it scores poorly despite existing. SPF strength is read from the record, DKIM from common selectors, and the maturity records are bonus tie-breakers only.

What “spoofable” means: a council is labelled spoofable when its mail domain has no DMARC record, or a DMARC record set to p=none. Both are confirmed states from a successful DNS lookup. It is a defined technical state, nothing more, and never a claim that a council is unsafe beyond it.

Which councils:the principal local authorities, sourced from the official register of UK councils (ONS / GSS codes). All four nations are covered: England’s single-tier authorities (the unitary, metropolitan and London boroughs and the City of London), all 32 Scottish councils, all 22 Welsh principal areas, and all 11 Northern Ireland districts. England’s two-tier county and district councils are the remaining set, added as they are resolved.

Which domain we check: each council mail domain, the one that carries its email (it has MX records and the DMARC policy), which is what a scammer would impersonate. We resolve it per council by matching the official .gov.uk domain register and confirming MX, not by assuming a council uses its name plus .gov.uk, so a council is never judged on a domain it does not send from.

When DNS does not resolve: a lookup that times out or fails is not treated as an absent record. We re-query, and any council we still cannot determine is held back as unable to verify rather than ranked bottom or labelled spoofable.

Every check is a public DNS lookup. Nothing intrusive, nothing that is not already publicly queryable.

Run this on your own council, or any organisation

Crowswatch runs these exact checks on any domain, free, and shows you how to close the gap. Closing it is one DNS change for most organisations.

Signed, Your Council checks the principal councils of the UK using public DNS records only, 197 councils across all four nations (council list sourced 2026-06). It is published by Crowswatch as standard, non-intrusive security research. Figures describe the configuration of each council public mail domain at the last check and can change as councils update their DNS.