An independent cybersecurity review across the largest utilities in the United States — Fortune 500 electric and gas utilities serving tens of millions of customers including Duke Energy, Southern Company, and Dominion Energy — reveals a surprisingly wide range of results. These organizations handle sensitive customer and financial data at national scale, yet several show the same email-authentication gaps found at much smaller regional institutions.
Using data from audit.emailmenow.com, we evaluated each utility’s primary domain across email, website, and network security — including SPF, DKIM, DMARC, MTA-STS/TLS, and security headers.
In this national audit, scores ranged from 71% to 44% — 5 of 18 (28%) scored below 60%.
Cybersecurity Scores of Utilities
Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.
| Rank | Utility | Domain | Overall Score | Performance Level |
|---|---|---|---|---|
| 1 | CMS Energy | cmsenergy.com | 71% | Strong |
| 2 | American Electric Power | aep.com | 70% | Strong |
| 2 | Xcel Energy | xcelenergy.com | 70% | Strong |
| 4 | Entergy | entergy.com | 67% | Good |
| 5 | Dominion Energy | dominionenergy.com | 64% | Above Average |
| 5 | Exelon | exeloncorp.com | 64% | Above Average |
| 5 | FirstEnergy | firstenergycorp.com | 64% | Above Average |
| 5 | WEC Energy Group | wecenergygroup.com | 64% | Above Average |
| 5 | Consolidated Edison | coned.com | 64% | Above Average |
| 10 | CenterPoint Energy | centerpointenergy.com | 62% | Above Average |
| 11 | NextEra Energy | nexteraenergy.com | 60% | Above Average |
| 11 | PPL Corporation | pplweb.com | 60% | Above Average |
| 11 | Sempra | sempra.com | 60% | Above Average |
| 14 | PG&E | pge.com | 54% | Below Average |
| 14 | DTE Energy | dteenergy.com | 54% | Below Average |
| 16 | Edison International | edison.com | 50% | Below Average |
| 17 | Duke Energy | duke-energy.com | 44% | Weak |
| 17 | Southern Company | southerncompany.com | 44% | Weak |
What the Results Reveal
- Scores range from 71% (CMS Energy) down to 44% (Southern Company) — CMS Energy (71%), AEP (70%), and Xcel Energy (70%) lead the sector.
- Two of the nation’s largest investor-owned utilities (IOUs) — Duke Energy (44%) and Southern Company (44%) — score lowest in the field despite serving a combined 15+ million customers.
- The gap from top to bottom is 27 points — critical-infrastructure scale does not guarantee strong email hygiene.
- Without an enforced DMARC policy (p=quarantine or p=reject), receiving mail servers are told to deliver messages that fail SPF and DKIM alignment, so criminals can send mail from a utility’s own domain to phish customers about bills, shutoffs, or refund scams.
Why This Matters for Utilities
Electric and gas utilities are critical infrastructure subject to NERC CIP (for bulk electric system cyber assets), state public-utility commission oversight, and heightened scrutiny after sector-wide ransomware incidents. Email authentication (SPF, DKIM, and an enforced DMARC policy) is among the highest-impact controls against customer phishing, vendor impersonation, and business email compromise targeting grid operations and billing systems. One caveat: it stops spoofing of the utility’s own domains only; look-alike domains still need monitoring and user awareness.
Check any utility’s posture at audit.emailmenow.com.
Recommendations
- Enforce DMARC (p=reject, reached by staging through p=none and p=quarantine while reviewing aggregate reports so legitimate senders are not blocked), strict SPF (-all), and DKIM signing on every sending service.
- Add MTA-STS (mode: enforce) and website security headers.
- Adopt verified call-back procedures for any change to payment or wiring instructions, and train customer-facing staff.
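The following is an added example, not code from the original article or from the audit.emailmenow.com scanner, showing how a practitioner would check the first two recommendations (and the DMARC point under “What the Results Reveal”) for a domain: it parses SPF, DMARC and MTA-STS policy text, applies the RFC edge cases that matter (a missing `all` term, `pct` below 100, a record with no valid `p=` tag), and lists the gaps. The domain names and record contents are constructed samples, not records fetched from any utility in the table.

```python
"""Grade a domain's SPF, DMARC and MTA-STS records against the recommendations above.

Added example, not part of the original article or its audit tooling.  The records
below are constructed samples for hypothetical domains, so the script runs offline;
replace them with real TXT lookups to check a live domain.
"""
import re

# Constructed sample records (hypothetical domains, not real utilities).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
        "mta_sts": None,
    },
    "strong.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example",
        "mta_sts": "version: STSv1\nmode: enforce\nmx: mail.strong.example\nmax_age: 604800\n",
    },
}


def spf_terminal(spf):
    """Return the qualifier on the SPF 'all' mechanism: '-', '~', '?', '+' or 'missing'."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return "missing"
    for term in spf.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # RFC 7208: no qualifier means '+' (pass)
    return "missing"  # no 'all' term: unmatched senders get a neutral result


def dmarc_tags(dmarc):
    """Parse 'tag=value; tag=value' into a dict keyed by lowercase tag name."""
    tags = {}
    for part in dmarc.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(dmarc):
    """Return (policy, pct) where policy is 'reject', 'quarantine', 'none' or 'missing'.

    pct below 100 means receivers apply the policy to only that share of failing
    mail and the next-weaker policy to the rest, so it is reported alongside p=.
    """
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        return ("missing", 0)
    tags = dmarc_tags(dmarc)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 6.6.3: without a valid p= tag the record only works for
        # reporting (treated as p=none) if rua= is present, otherwise not at all.
        return ("none", 100) if "rua" in tags else ("missing", 0)
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    return (policy, max(0, min(pct, 100)))


def mta_sts_mode(policy_text):
    """Return the 'mode' line of an MTA-STS policy file (RFC 8461) or 'missing'."""
    if not policy_text:
        return "missing"
    for line in policy_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "mode":
            return value.strip().lower()
    return "missing"


def grade(records):
    """Compare one domain's records with the recommendations and list the gaps."""
    findings = []
    spf_q = spf_terminal(records.get("spf"))
    if spf_q != "-":
        findings.append("SPF does not end in -all (found %r)" % spf_q)
    policy, pct = dmarc_policy(records.get("dmarc"))
    if policy != "reject" or pct < 100:
        findings.append("DMARC is not fully enforced (p=%s, pct=%d)" % (policy, pct))
    mode = mta_sts_mode(records.get("mta_sts"))
    if mode != "enforce":
        findings.append("MTA-STS is not in enforce mode (found %r)" % mode)
    return {
        "spf": spf_q,
        "dmarc": policy,
        "dmarc_pct": pct,
        "mta_sts": mode,
        # True when receivers are told to take no action on mail failing DMARC.
        "spoofable": policy in ("none", "missing"),
        "findings": findings,
    }


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(domain, grade(recs))
```

The `spoofable` flag is the condition behind the point in “What the Results Reveal”: a domain whose DMARC record is absent or at p=none can be used in the From header of phishing mail with no instruction to receivers to block it, regardless of how strict its SPF record looks.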
Protect your organization. Run a free Instant Cybersecurity Audit at audit.emailmenow.com.
Contact EmailMeNow IT Consulting for help with critical-infrastructure email security hardening.
Source & methodology: Overall compliance scores from the free scan at audit.emailmenow.com — each domain checked for email authentication (SPF, DKIM, DMARC), transport security (MTA-STS/TLS), website security headers, and network security. Re-run any domain at the link to verify.