By Cargo / Large Machinery
Large Machinery Carriers — Email Security
78.1% of active large machinery carrier domains have no enforced DMARC — leaving this segment open to email impersonation, payment-redirect fraud, and cargo theft via phishing.
No enforced DMARC
78.1%
national: 80.1%
p=reject
8.7%
national: 7.5%
Microsoft 365
40.6%
national: 38.1%
M365 + no DMARC (carriers)
17,450
national: 92,822
MTA-STS
3.8%
national: 3.3%
DNSSEC
5.1%
national: 6.1%
Dead domains
3,284
of 60,133 scanned
Total carriers
70,561
3,288 with dead domain
Risk bands — Large Machinery carriers
Carrier counts by risk band (composite email-security pain score). Critical = score 70+; Minimal = score <15.
| Risk band | Score range | Carriers | Domains |
|---|---|---|---|
| Critical | score 70+ | 5,569 | 5,021 |
| High | score 50–69 | 20,209 | 17,213 |
| Medium | score 30–49 | 28,654 | 24,456 |
| Low | score 15–29 | 12,193 | 9,636 |
| Minimal | score <15 | 648 | 523 |
Large Machinery vs. national average
What the Large Machinery numbers actually mean
Segment exposure framing. Large machinery freight has long lead times, oversized permits, and project-tied schedules — the cost of a load-redirect attack is the project delay, not just the freight value.
DMARC posture. The large machinerysegment's share of carrier domains with no enforced DMARC sits at 78.1% — better than the national average by 2.0 points. Large Machinery carriers adopt enforced p=reject DMARC at a meaningfully higher rate than the national pool. At the protective end of the distribution, 8.7% of segment domains are at p=reject — the only DMARC policy that actually instructs receivers to drop spoofed mail.
Microsoft 365 surface. Microsoft 365 mailflow adoption runs heavier than the national distribution, which is consequential — every M365 tenant already includes the controls needed to enforce DMARC, so the 17,450 M365 carriers in this segment with DMARC disabled are leaving paid-for protection switched off. That share is 24.7% of all large machinery carriers — a one-flag-flip remediation set that segment-specific MSPs can clear in a single quarter without touching DNS infrastructure.
Transport encryption. MTA-STS adoption sits at 3.8%, materially below the threshold a freight payment-redirect attacker would have to clear to be inconvenienced by transport-layer policy. DNSSEC adoption across large machinery carriers runs at 5.1% (vs 6.1% national).
Risk-band shape. Large Machinery's critical and high bands combine to 36.5% of segment carriers — close to the national distribution, meaning remediation prioritization here should follow the same shape as the national program.
Best-practice control for this segment. Industrial shippers moving large machinery should bake DMARC verification into vendor-onboarding alongside permit and insurance verification.
Compare Large Machinery with other cargo segments
Segments closest in carrier-count rank to Large Machinery. Each is scored on the same DNS-derived control set, so the comparison is apples-to-apples.
See where your own domain stands
The research is free and self-serve. Run the same public checks on your own domain in about a minute — SPF, DKIM, DMARC, MTA-STS, DNSSEC, and more — and get a scored report by email. No agents, no credentials.
Data as of 2026-05-20 from public DNS measurements. Statistics are domain-weighted unless noted. Cargo segment membership is based on FMCSA Company Census cargo flags. Methodology: read the full index.