An independent cybersecurity review across the largest mortgage lenders in the United States — national retail and wholesale mortgage originators and servicers including Rocket Mortgage, United Wholesale Mortgage, and loanDepot — reveals a surprisingly wide range of results. These organizations handle sensitive customer and financial data at national scale, yet several show the same email-authentication gaps found at much smaller regional institutions.
Using data from audit.emailmenow.com, we evaluated each lender’s primary domain across email, website, and network security — including SPF, DKIM, DMARC, MTA-STS/TLS, and security headers.
In this national audit, scores ranged from 70% to 38% — 9 of 18 (50%) scored below 60%.
Cybersecurity Scores of Mortgage Lenders
Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.
| Rank | Mortgage Lender | Domain | Overall Score | Performance Level |
|---|---|---|---|---|
| 1 | United Wholesale Mortgage | uwm.com | 70% | Strong |
| 2 | Better Mortgage | better.com | 68% | Good |
| 3 | Guild Mortgage | guildmortgage.com | 67% | Good |
| 4 | loanDepot | loandepot.com | 66% | Good |
| 5 | Movement Mortgage | movement.com | 64% | Above Average |
| 5 | Freedom Mortgage | freedommortgage.com | 64% | Above Average |
| 5 | Chase Home Lending | chase.com | 64% | Above Average |
| 8 | Guaranteed Rate | rate.com | 62% | Above Average |
| 9 | Mr. Cooper | mrcooper.com | 61% | Above Average |
| 10 | PennyMac | pennymac.com | 58% | Average |
| 11 | AmeriHome Mortgage | amerihome.com | 55% | Average |
| 12 | Fairway Independent | fairwaymc.com | 54% | Below Average |
| 12 | CrossCountry Mortgage | ccm.com | 54% | Below Average |
| 12 | Wells Fargo Home Mortgage | wellsfargo.com | 54% | Below Average |
| 15 | Caliber Home Loans | caliberhomeloans.com | 52% | Below Average |
| 16 | New American Funding | newamericafunding.com | 48% | Weak |
| 16 | Homepoint | homepoint.com | 48% | Weak |
| 18 | Rocket Mortgage | rocketmortgage.com | 38% | Weak |
What the Results Reveal
- Scores range from 70% (United Wholesale Mortgage) down to 38% (Rocket Mortgage) — only one major retail brand reaches a strong (70%+) posture.
- Rocket Mortgage (38%), the nation’s largest retail originator by volume, scores lowest in the field — well below wholesale leader UWM (70%).
- The gap from top to bottom is 32 points — household brand recognition does not predict closing-security posture.
- Without an enforced DMARC policy, criminals can spoof a lender’s own domain to send fraudulent wiring instructions during loan closings.
Why This Matters for Mortgage Lenders
Mortgage lenders and servicers are bound by CFPB mortgage rules, GLBA safeguards, and state licensing oversight. Email authentication (SPF, DKIM, and an enforced DMARC policy) is the single highest-impact control against closing wire fraud and business email compromise that redirect borrower funds at the last hour.
Check any lender’s posture at audit.emailmenow.com/?industry=real-estate.
See also — state audits
- Texas Real Estate Brokerages
- California Real Estate Brokerages
- Florida Real Estate Brokerages
- Illinois Real Estate Brokerages
- New York Real Estate Brokerages
- Pennsylvania Real Estate Brokerages
- Ohio Real Estate Brokerages
- Georgia Real Estate Brokerages
- Michigan Real Estate Brokerages
Recommendations
- Enforce DMARC (
p=reject), strict SPF (-all), and DKIM signing. - Add MTA-STS and website security headers.
- Adopt verified call-back procedures for any change to payment or wiring instructions, and train customer-facing staff.
Protect your organization. Run a free Instant Cybersecurity Audit at audit.emailmenow.com/?industry=real-estate.
Contact EmailMeNow IT Consulting for help with wire-fraud-resistant email security hardening.
Source & methodology: Overall compliance scores from the free scan at audit.emailmenow.com — each domain checked for email authentication (SPF, DKIM, DMARC), transport security (MTA-STS/TLS), website security headers, and network security. Re-run any domain at the link to verify.