48% of DFW independent RIA firms have no DMARC record. Hyrizen’s March 2026 infrastructure audit of 152 SEC-registered firms reveals critical email authentication gaps across the advisory industry.
Published: March 2026
Scope: 152 independent RIA firms, Dallas–Fort Worth metropolitan statistical area
Conducted by: Hyrizen
Key Findings
Nearly half of independent registered investment advisory firms in the Dallas–Fort Worth area have no technical protection against email impersonation. Their domains can be spoofed by anyone with an email client and a motive.
| Infrastructure Metric | Firms Affected | Percentage | Risk |
| No DMARC record | 73 of 152 | 48% | Critical |
| No SPF record | 18 of 152 | 12% | High |
| Admin panel publicly exposed | 90 of 152 | 59% | High |
These are not configuration errors buried deep in a firm’s stack. They are publicly observable gaps in the most basic layer of email security, visible to anyone who knows where to look.
Why This Matters
Business email compromise is the second-costliest form of cybercrime in the United States. The FBI’s 2024 Internet Crime Report recorded $2.77 billion in BEC losses across approximately 21,489 complaints, roughly $130,000 per incident. The Federal Reserve reported that BEC accounted for 73% of all cyber incidents reported by financial institutions in 2024, up from 44% the prior year.
The attack does not require sophisticated tooling. An adversary crafts an email that appears to come from a trusted domain—an advisor, a custodian, or a regulator. The recipient transfers funds or discloses credentials. No systems are breached. The impersonation succeeds because nothing stops it at the infrastructure level.
Registered investment advisors are an established and documented target. In March 2025, FINRA issued a cybersecurity alert after multiple advisory firms received phishing emails impersonating FINRA employees. In mid-2025, a coordinated wave of fraudulent emails impersonating SEC staff targeted RIAs directly, an incident widely reported by financial industry press and compliance consultants. The 15,391 SEC-registered investment advisory firms collectively manage approximately $125 trillion in client assets. That combination of trust, access, and infrastructure fragility is what makes this sector attractive.
The Gap Is Structural
DMARC, SPF, and DKIM are DNS-level records. They are not software to install, subscriptions to purchase, or compliance programs to build. They are text records published in a domain’s DNS configuration. Publishing a DMARC policy takes minutes.
Forty-eight percent of the firms in this audit have not done it.
A firm without a DMARC record has no policy governing what happens when someone sends fraudulent email using their domain. The message delivers. The client has no way to know.
What These Records Are
SPF (Sender Policy Framework)
SPF is a DNS record that specifies which mail servers are authorized to send email on behalf of your domain. Without an SPF record, any server can send email that appears to come from your address. Receiving servers have no list to check the sender against.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC builds on SPF and DKIM. It is a DNS record that tells receiving mail servers what to do when an incoming message fails authentication: deliver it, quarantine it, or reject it. A firm with no DMARC record has made no decision. The default behavior is delivery.
DKIM (DomainKeys Identified Mail)
DKIM attaches a cryptographic signature to outgoing email. The recipient’s mail server verifies the signature against a public key in the sender’s DNS. A valid DKIM signature confirms the message originated from an authorized source and was not altered in transit. Without it, there is no tamper evidence on outbound mail.
All three records work together. Firms that have published all three have made it technically difficult to impersonate their domain in a way that reaches a client’s inbox. Firms that have published none of them have not.
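The distinctions above (record missing, record present but not enforcing, record enforcing) can be checked mechanically once a domain's TXT strings have been retrieved. The following is an added example, not Hyrizen's audit tooling: it classifies SPF and DMARC posture from TXT strings. The function names, the `.example` domains and the sample records are constructed for illustration.

```python
def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(apex_txt):
    """Classify SPF from the TXT strings published at the domain itself."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid-multiple"   # receivers treat duplicates as a permanent error
    alls = [t for t in spf[0].lower().split()[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return "no-all"             # no catch-all term (may rely on redirect=)
    qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
    return {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass-all"}[qualifier]

def check_dmarc(dmarc_txt):
    """Classify DMARC from the TXT strings published at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt if parse_tags(r).get("v", "").upper() == "DMARC1"]
    if not recs:
        return "missing"
    if len(recs) > 1:
        return "invalid-multiple"   # policy discovery stops; no policy is applied
    policy = parse_tags(recs[0]).get("p", "").lower()
    return policy if policy in ("none", "quarantine", "reject") else "invalid-policy"

def audit(apex_txt, dmarc_txt):
    """Summarise posture; 'enforced' means failing mail is quarantined or rejected."""
    dmarc = check_dmarc(dmarc_txt)
    return {"spf": check_spf(apex_txt), "dmarc": dmarc,
            "enforced": dmarc in ("quarantine", "reject")}

# Constructed sample records: (TXT at the domain, TXT at _dmarc.<domain>)
SAMPLES = {
    "advisor-a.example": (["v=spf1 include:_spf.mailhost.example -all"],
                          ["v=DMARC1; p=reject; rua=mailto:dmarc@advisor-a.example"]),
    "advisor-b.example": (["site-verification=constructed",
                           "v=spf1 include:_spf.mailhost.example ~all"],
                          ["v=DMARC1; p=none"]),
    "advisor-c.example": (["site-verification=constructed"], []),
}

if __name__ == "__main__":
    for domain, (apex, dmarc) in SAMPLES.items():
        print(domain, audit(apex, dmarc))
```

A domain with `p=none` has a DMARC record but still falls in the "deliver" case: the record requests reports without asking receivers to quarantine or reject failing mail.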
Methodology
Firms were identified using publicly available SEC IAPD registration data filtered to the Dallas–Fort Worth metropolitan statistical area. Infrastructure data was collected through automated DNS record queries and HTTP surface scanning conducted in March 2026. No firm systems were accessed or tested. All findings reflect publicly observable infrastructure available to any party with internet access.
Individual firm results are not published in this report.
References
Federal Bureau of Investigation, Internet Crime Complaint Center. 2024 Internet Crime Report. ic3.gov
Federal Reserve Financial Services. Classifying ACH and Wire Fraud. December 2025. frbservices.org
Financial Industry Regulatory Authority. Cybersecurity Alert: Ongoing Phishing Campaign Impersonating FINRA Employees. March 2025. finra.org
CityWire RIA. RIAs targeted by phishing campaign impersonating SEC. June 2025. citywire.com
U.S. Securities and Exchange Commission. Investment Adviser Public Disclosure (IAPD) Database. Accessed March 2026. adviserinfo.sec.gov
This audit was conducted by Hyrizen as part of ongoing research into digital infrastructure gaps in regulated industries. Hyrizen does not sell email security products or managed IT services. This is the March 2026 edition. Hyrizen will repeat this audit annually.