An independent cybersecurity review across the largest auto dealership groups in the United States — national public and private dealership groups with hundreds of rooftops including AutoNation, Penske Automotive, and Lithia Motors — reveals a surprisingly wide range of results. These organizations handle sensitive customer and financial data at national scale, yet several show the same email-authentication gaps found at much smaller regional institutions.
Using data from audit.emailmenow.com, we evaluated each dealership group’s primary domain across email, website, and network security — including SPF, DKIM, DMARC, MTA-STS/TLS, and security headers.
In this national audit, scores ranged from 71% to 30% — 10 of 18 (56%) scored below 60%.
Cybersecurity Scores of Dealership Groups
Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.
| Rank | Dealership Group | Domain | Overall Score | Performance Level |
|---|---|---|---|---|
| 1 | Penske Automotive | penskeautomotive.com | 71% | Strong |
| 2 | Lithia Motors | lithia.com | 70% | Strong |
| 3 | Holman | holman.com | 68% | Good |
| 3 | Rick Case Automotive | rickcase.com | 68% | Good |
| 5 | Larry H. Miller | lhm.com | 65% | Good |
| 6 | AutoNation | autonation.com | 64% | Above Average |
| 6 | Koons Automotive | koons.com | 64% | Above Average |
| 8 | Berkshire Hathaway Automotive | berkshirehathawayautomotive.com | 60% | Above Average |
| 9 | CarMax | carmax.com | 55% | Average |
| 10 | Morgan Auto Group | morganautogroup.com | 54% | Below Average |
| 11 | Group 1 Automotive | group1auto.com | 44% | Weak |
| 11 | Asbury Automotive | asburyauto.com | 44% | Weak |
| 11 | Ken Garff | kengarff.com | 44% | Weak |
| 11 | Napleton Automotive | napleton.com | 44% | Weak |
| 15 | Sonic Automotive | sonicautomotive.com | 38% | Weak |
| 15 | David Wilson Automotive | davidwilson.com | 38% | Weak |
| 17 | Hendrick Automotive | hendrickcars.com | 33% | Weak |
| 18 | Germain Motor | germainmotor.com | 30% | Weak |
What the Results Reveal
- Scores range from 71% (Penske Automotive) down to 30% (Germain Motor) — only three groups reach a strong (70%+) posture.
- 10 of 18 scored below 60% — Germain Motor (30%), Hendrick (33%), Sonic (38%), and David Wilson (38%) sit at the bottom despite national scale.
- Penske (71%) and Lithia (70%) lead, while several top-10 public groups cluster at 44% (Group 1, Asbury, Ken Garff, Napleton).
- Without an enforced DMARC policy, criminals can spoof a dealer group’s domain to phish customers about financing, trade-ins, or wire transfers.
Why This Matters for Auto Dealership Groups
Auto dealers are classified as financial institutions under the FTC Safeguards Rule. Email authentication (SPF, DKIM, and an enforced DMARC policy) is the single highest-impact control against customer finance phishing, F&I fraud, and business email compromise targeting deal jackets and lender portals.
Check any dealership group’s posture at audit.emailmenow.com/?industry=auto-dealers.
Recommendations
- Enforce DMARC (p=reject), strict SPF (-all), and DKIM signing.
- Add MTA-STS and website security headers.
- Adopt verified call-back procedures for any change to payment or wiring instructions, and train customer-facing staff.
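One way to check published records against the SPF and DMARC recommendations above, as an added example (not code from the original page or from audit.emailmenow.com). The function names and the example.com sample records are assumptions, and it evaluates TXT strings you have already retrieved rather than performing DNS lookups.

```python
# Added example: offline checks of SPF/DMARC TXT strings against the
# recommended p=reject and -all. Sample records are constructed, not scan data.

def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if this is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(txt_records):
    """List gaps between the published DMARC policy and p=reject."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(records) != 1:
        return ["no DMARC record" if not records else "multiple DMARC records"]
    tags, findings = records[0], []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'} is not p=reject")
    if tags.get("sp", policy).lower() != "reject":  # sp inherits p when absent
        findings.append("subdomain policy (sp) is weaker than reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies policy to only part of mail")
    return findings

def spf_findings(txt_records):
    """List gaps between the published SPF record and a hard-fail -all."""
    spf = [t.split() for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["no SPF record" if not spf else "multiple SPF records (permerror)"]
    terms = [t.lower() for t in spf[0][1:]]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        if any(t.startswith("redirect=") for t in terms):
            return ["policy delegated via redirect=; check the target record"]
        return ["no 'all' mechanism (default result is neutral)"]
    return [] if all_terms[0] == "-all" else [f"{all_terms[0]} is not -all"]

if __name__ == "__main__":
    # Constructed records for a hypothetical domain, as TXT lookups would return.
    print(dmarc_findings(["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]))
    print(spf_findings(["v=spf1 include:_spf.example.com ~all"]))
```

DKIM is not covered here because verifying it requires the selector used by the sending service, which cannot be derived from the domain alone.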
Source & methodology: Overall compliance scores from the free scan at audit.emailmenow.com — each domain checked for email authentication (SPF, DKIM, DMARC), transport security (MTA-STS/TLS), website security headers, and network security. Re-run any domain at the link to verify.