U.S. Registered Investment Advisers: Email Infrastructure Audit
Half of U.S. RIA firms with a web presence have no DMARC record. Only 10% enforce a reject policy. National audit of 13,136 firms across SEC and state registrations.
Published: March 2026
Scope: 13,136 firms with auditable domains, drawn from 37,952 SEC-registered and state-registered investment advisers
Methodology: Multi-resolver DNS verification (Google, Cloudflare) with raw response logging
Conducted by: Hyrizen
Key Findings
Half of U.S. registered investment advisory firms with an auditable web presence have published no DMARC record. Their domains can be impersonated by anyone who can compose an email.
Among firms that have published a DMARC record, the majority have not moved beyond monitoring. Only 10% of auditable firms enforce a reject policy. The remaining 90% either have no DMARC at all or have set a policy that does not prevent delivery of fraudulent messages.
Infrastructure Metric                   | Firms Affected  | Percentage | Risk
No DMARC record                         | 6,568 of 13,136 | 50%        | Critical
DMARC policy set to none (monitor only) | 3,669 of 13,136 | 28%        | High
No SPF record                           | 2,205 of 13,136 | 17%        | High
DMARC enforced at reject                | 1,365 of 13,136 | 10%        | Passing
State-registered advisers performed measurably worse than SEC-registered firms. Among state-registered firms with auditable domains, 57% had no DMARC record, compared to 36% of SEC-registered firms. This gap likely reflects differences in firm size, IT resources, and regulatory scrutiny.
Why This Matters
Business email compromise is the second-costliest form of cybercrime in the United States. The FBI's 2024 Internet Crime Report recorded $2.77 billion in BEC losses across approximately 21,489 complaints, roughly $130,000 per incident. The Federal Reserve reported that BEC accounted for 73% of all cyber incidents reported by financial institutions in 2024, up from 44% the prior year.
The attack is straightforward. An adversary sends email that appears to come from a trusted domain: an advisor, a custodian, a regulator. The recipient acts on the message. Funds transfer. Credentials are disclosed. No systems are breached. The impersonation succeeds because nothing at the infrastructure level prevents it.
Investment advisers are a documented target. In March 2025, FINRA issued a cybersecurity alert after multiple advisory firms received phishing emails impersonating FINRA employees. In mid-2025, a coordinated campaign of fraudulent emails impersonating SEC staff targeted RIAs directly, an incident reported by financial industry press and compliance consultants. SEC-registered firms alone manage approximately $125 trillion in client assets. That combination of trust, access, and infrastructure fragility is what makes the sector attractive to adversaries.
The Gap Between Having DMARC and Enforcing It
DMARC, SPF, and DKIM are DNS-level records. They are not software to install or subscriptions to purchase. They are text entries in a domain's DNS configuration. Publishing a DMARC policy takes minutes.
Half the firms in this audit have not done it.
But presence alone is insufficient. Among the 6,568 firms that do have a DMARC record, 56% have set the policy to none. A DMARC policy of none tells receiving mail servers to deliver spoofed messages normally. It is a monitoring setting. It collects reports. It blocks nothing.
Another 23% use quarantine, which routes suspicious mail to spam rather than rejecting it outright. Only 21% of firms with DMARC have set their policy to reject.
Across the full auditable population, 78% of firms either have no DMARC record at all or have one that does not prevent delivery of fraudulent email. Ten percent have reached full enforcement.
What These Records Are
SPF (Sender Policy Framework)
SPF is a DNS record that specifies which mail servers are authorized to send email on behalf of a domain. Without an SPF record, any server can send email that appears to originate from that address. Receiving servers have no list to check the sender against.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC builds on SPF and DKIM. It is a DNS record that tells receiving mail servers what to do when an incoming message fails authentication: deliver it, quarantine it, or reject it. A firm with no DMARC record has made no decision. The default behavior is delivery.
DKIM (DomainKeys Identified Mail)
DKIM attaches a cryptographic signature to outgoing email. The recipient's mail server verifies the signature against a public key in the sender's DNS. A valid DKIM signature confirms the message originated from an authorized source and was not altered in transit. Without it, there is no tamper evidence on outbound mail.
All three records work together. Firms that have published all three and set DMARC to reject have made it technically difficult to impersonate their domain in a way that reaches a client's inbox. Firms that have published none of them have not.
Methodology
Firms were identified from publicly available SEC IAPD registration data, including both the SEC-registered firm roster and the state-registered firm feed. The two datasets were merged and deduplicated by CRD number, producing 37,952 unique firms. Of these, 13,136 had a website URL in their ADV filing from which an auditable domain could be extracted. The remaining 24,816 firms had no website listed, or listed only social media or free email provider URLs.
Each domain was queried across two independent DNS resolvers (Google Public DNS and Cloudflare), with three attempts per resolver per record type, for a total of six probes per record. A record was flagged as absent only when all six probes agreed. Every individual DNS query and response was logged to a structured JSONL file for independent verification.
DKIM was assessed by probing 14 common selectors used by major email providers (Google Workspace, Microsoft 365, Proofpoint, Mimecast, and others). DKIM selectors are arbitrary strings chosen by domain owners and cannot be enumerated via DNS. Firms using custom selectors may have DKIM configured but would not be detected by this method. This limitation is noted in the dataset.
No firm systems were accessed or tested. All findings reflect publicly observable DNS records available to any party with internet access. Individual firm results are not published in this report.
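The record definitions above and the methodology's consensus rule (a record counts as absent only when every probe agrees) can be expressed as a small classifier. This is an added example, not Hyrizen's audit code; the probe results are constructed inline and the category labels mirror the report's table.

```python
def parse_dmarc(txt):
    """Parse one TXT string into DMARC tags; None if it is not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def dmarc_category(txt):
    """Map a DMARC record (or None) onto the report's risk categories."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "No DMARC record"
    policy = tags.get("p", "").lower()
    if policy == "reject":
        return "DMARC enforced at reject"
    if policy == "quarantine":
        return "DMARC quarantine"
    # p=none, or a missing/invalid p tag: receivers apply no enforcement,
    # so for audit purposes it lands in the monitor-only bucket
    return "DMARC policy set to none (monitor only)"

def pick_record(probes, matcher):
    """Report rule: a record is absent only when every probe returned nothing.
    probes is a list of TXT-answer lists (resolver x attempt); the first answer
    that satisfies matcher wins, so one resolver seeing the record is enough."""
    for answers in probes:
        for txt in answers:
            if matcher(txt):
                return txt
    return None

def is_spf(txt):
    return txt.lower().startswith("v=spf1")

def audit_domain(dmarc_probes, spf_probes):
    """Classify one domain from its _dmarc TXT probes and apex TXT probes."""
    dmarc = pick_record(dmarc_probes, lambda t: parse_dmarc(t) is not None)
    spf = pick_record(spf_probes, is_spf)
    return {"dmarc": dmarc_category(dmarc), "spf": "present" if spf else "No SPF record"}

# Constructed sample: six probes (2 resolvers x 3 attempts). One attempt returned
# nothing (timeout), but five agree the record exists, so it counts as present.
SAMPLE_DMARC = [["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]] * 5 + [[]]
SAMPLE_SPF = [["v=spf1 include:_spf.example.com -all"]] * 6

if __name__ == "__main__":
    print(audit_domain(SAMPLE_DMARC, SAMPLE_SPF))
```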
References
Federal Bureau of Investigation, Internet Crime Complaint Center. 2024 Internet Crime Report. ic3.gov
Federal Reserve Financial Services. Classifying ACH and Wire Fraud. December 2025. frbservices.org
Financial Industry Regulatory Authority. Cybersecurity Alert: Ongoing Phishing Campaign Impersonating FINRA Employees. March 2025. finra.org
CityWire RIA. RIAs targeted by phishing campaign impersonating SEC. June 2025. citywire.com
U.S. Securities and Exchange Commission. Investment Adviser Public Disclosure (IAPD) Database. Accessed March 2026. adviserinfo.sec.gov
Hyrizen Research, “RIA Email Security Audit: National Infrastructure Findings (2026),” March 2026. https://hyrizen.com/research/ria-email-security-audit-2026/
About This Report
This audit was conducted by Hyrizen as part of ongoing research into digital infrastructure gaps in regulated industries. Hyrizen does not sell email security products or managed IT services. This is the March 2026 edition. Hyrizen will repeat this audit annually.