An independent cybersecurity review across the largest airlines in the United States — major U.S. passenger carriers, regional operators, and cargo airlines including Delta, United, and American Airlines — reveals a surprisingly wide range of results. These organizations handle sensitive customer and financial data at national scale, yet several show the same email-authentication gaps found at much smaller regional institutions.
Using data from audit.emailmenow.com, we evaluated each airline’s primary domain across email, website, and network security — including SPF, DKIM, DMARC, MTA-STS/TLS, and security headers.
In this national audit, scores ranged from 77% to 51% — 5 of 17 (29%) scored below 60%.
Cybersecurity Scores of Airlines
Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.
| Rank | Airline | Domain | Overall Score | Performance Level |
|---|---|---|---|---|
| 1 | Sun Country Airlines | suncountry.com | 77% | Strong |
| 2 | UPS Airlines | ups.com | 72% | Strong |
| 3 | Delta Air Lines | delta.com | 70% | Strong |
| 3 | JetBlue Airways | jetblue.com | 70% | Strong |
| 3 | Hawaiian Airlines | hawaiianairlines.com | 70% | Strong |
| 3 | Envoy Air | envoyair.com | 70% | Strong |
| 3 | FedEx Express | fedex.com | 70% | Strong |
| 8 | Alaska Airlines | alaskaair.com | 65% | Good |
| 9 | American Airlines | aa.com | 64% | Above Average |
| 10 | United Airlines | united.com | 60% | Above Average |
| 10 | Southwest Airlines | southwest.com | 60% | Above Average |
| 10 | Frontier Airlines | flyfrontier.com | 60% | Above Average |
| 13 | Spirit Airlines | spirit.com | 54% | Below Average |
| 13 | Breeze Airways | flybreeze.com | 54% | Below Average |
| 15 | Allegiant Air | allegiantair.com | 53% | Below Average |
| 16 | Republic Airways | rjet.com | 52% | Below Average |
| 17 | SkyWest | skywest.com | 51% | Below Average |
What the Results Reveal
- Scores range from 77% (Sun Country Airlines) down to 51% (SkyWest) — 7 airlines reach a strong (70%+) posture.
- Sun Country (77%) and UPS Airlines (72%) lead the field, while several legacy network carriers cluster at 60–64%.
- Ultra-low-cost carriers Allegiant (53%), Spirit (54%), and Breeze (54%) trail the majors on basic email authentication.
- Without an enforced DMARC policy, criminals can spoof an airline’s own domain to phish customers about itinerary changes, refunds, or loyalty redemptions.
Why This Matters for Airlines
Airlines process millions of customer records, loyalty accounts, and payment transactions under DOT, TSA, and PCI obligations. Email authentication (SPF, DKIM, and an enforced DMARC policy) is the single highest-impact control against booking phishing, loyalty fraud, and business email compromise targeting crews and corporate travel accounts.
Check any airline’s posture at audit.emailmenow.com.
See also — related national audits
Recommendations
- Enforce DMARC (
p=reject), strict SPF (-all), and DKIM signing. - Add MTA-STS and website security headers.
- Adopt verified call-back procedures for any change to payment or wiring instructions, and train customer-facing staff.
Protect your organization. Run a free Instant Cybersecurity Audit at audit.emailmenow.com.
Contact EmailMeNow IT Consulting for help with customer-trust email security hardening.
Source & methodology: Overall compliance scores from the free scan at audit.emailmenow.com — each domain checked for email authentication (SPF, DKIM, DMARC), transport security (MTA-STS/TLS), website security headers, and network security. Re-run any domain at the link to verify.