An independent cybersecurity review across 103 S&P 100 index constituents — the largest U.S. public companies by market capitalization — reveals a wide spread in email-authentication posture. Household names from Apple, Microsoft, and NVIDIA to Berkshire Hathaway, JPMorgan Chase, and Walmart were evaluated on primary corporate domains.
Using data from audit.emailmenow.com, we scored each company’s primary domain across email, website, and network security — SPF, DKIM, DMARC, MTA-STS/TLS, and security headers.
In this national audit, scores ranged from 86% to 38% — 29 of 103 (28%) scored 70% or above; 32 scored below 60%.
Cybersecurity Scores of S&P 100 Companies
Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.
| Rank | Company | Domain | Overall Score | Website Score | Performance Level |
|---|---|---|---|---|---|
| 1 | Linde | linde.com | 86% | 100% | Strong |
| 1 | Micron Technology | micron.com | 86% | 100% | Strong |
| 3 | Accenture | accenture.com | 85% | 92% | Strong |
| 4 | 3M | 3m.com | 84% | 92% | Good |
| 5 | Costco | costco.com | 74% | 45% | Good |
| 5 | Adobe | adobe.com | 74% | 45% | Good |
| 5 | Abbott Laboratories | abbott.com | 74% | 92% | Good |
| 5 | Eaton | eaton.com | 74% | 45% | Good |
| 5 | Marriott International | marriott.com | 74% | 45% | Good |
| 5 | S&P Global | spglobal.com | 74% | 45% | Good |
| 11 | Microsoft | microsoft.com | 73% | 45% | Good |
| 12 | Amgen | amgen.com | 72% | 45% | Good |
| 12 | UPS | ups.com | 72% | 45% | Good |
| 14 | Berkshire Hathaway | berkshirehathaway.com | 71% | 70% | Good |
| 14 | Palo Alto Networks | paloaltonetworks.com | 71% | 45% | Good |
| 14 | Applied Materials | appliedmaterials.com | 71% | 45% | Good |
| 17 | Exxon Mobil | exxonmobil.com | 70% | 45% | Good |
| 17 | Philip Morris | pmi.com | 70% | 45% | Good |
| 17 | Boeing | boeing.com | 70% | 45% | Good |
| 17 | Caterpillar | cat.com | 70% | 45% | Good |
| 17 | T-Mobile US | t-mobile.com | 70% | 45% | Good |
| 17 | Charles Schwab | schwab.com | 70% | 45% | Good |
| 17 | Booking Holdings | booking.com | 70% | 45% | Good |
| 17 | Medtronic | medtronic.com | 70% | 45% | Good |
| 17 | Lockheed Martin | lockheedmartin.com | 70% | 45% | Good |
| 17 | Automatic Data Processing | adp.com | 70% | 45% | Good |
| 17 | Intuitive Surgical | intuitive.com | 70% | 45% | Good |
| 17 | Intuit | intuit.com | 70% | 45% | Good |
| 17 | FedEx | fedex.com | 70% | 45% | Good |
| 30 | Johnson & Johnson | jnj.com | 68% | 45% | Above Average |
| 30 | Netflix | netflix.com | 68% | 45% | Above Average |
| 30 | AMD | amd.com | 68% | 92% | Above Average |
| 30 | Pfizer | pfizer.com | 68% | 45% | Above Average |
| 34 | JPMorgan Chase | jpmorganchase.com | 67% | 45% | Above Average |
| 35 | Tesla | tesla.com | 66% | 45% | Above Average |
| 36 | UnitedHealth Group | unitedhealthgroup.com | 65% | 45% | Above Average |
| 36 | Procter & Gamble | pg.com | 65% | 45% | Above Average |
| 36 | RTX (Raytheon) | rtx.com | 65% | 45% | Above Average |
| 39 | Coca-Cola | coca-colacompany.com | 64% | 45% | Above Average |
| 39 | Texas Instruments | ti.com | 64% | 45% | Above Average |
| 39 | IBM | ibm.com | 64% | 45% | Above Average |
| 39 | Starbucks | starbucks.com | 64% | 45% | Above Average |
| 39 | Qualcomm | qualcomm.com | 64% | 45% | Above Average |
| 39 | American Express | americanexpress.com | 64% | 45% | Above Average |
| 39 | Mondelez | mondelezinternational.com | 64% | 45% | Above Average |
| 39 | Boston Scientific | bostonscientific.com | 64% | 45% | Above Average |
| 39 | Deere & Company | deere.com | 64% | 45% | Above Average |
| 39 | Danaher | danaher.com | 64% | 45% | Above Average |
| 39 | CME Group | cmegroup.com | 64% | 45% | Above Average |
| 50 | Broadcom | broadcom.com | 63% | 45% | Above Average |
| 50 | Honeywell | honeywell.com | 63% | 45% | Above Average |
| 50 | TJX Companies | tjx.com | 63% | 45% | Above Average |
| 50 | Colgate-Palmolive | colgatepalmolive.com | 63% | 45% | Above Average |
| 54 | Salesforce | salesforce.com | 62% | 45% | Above Average |
| 54 | Stryker | stryker.com | 62% | 45% | Above Average |
| 56 | Comcast | comcast.com | 61% | 45% | Above Average |
| 57 | NVIDIA | nvidia.com | 60% | 45% | Above Average |
| 57 | Mastercard | mastercard.com | 60% | 45% | Above Average |
| 57 | Walmart | walmart.com | 60% | 45% | Above Average |
| 57 | Home Depot | homedepot.com | 60% | 45% | Above Average |
| 57 | Merck | merck.com | 60% | 45% | Above Average |
| 57 | PepsiCo | pepsico.com | 60% | 45% | Above Average |
| 57 | Nike | nike.com | 60% | 45% | Above Average |
| 57 | CVS Health | cvshealth.com | 60% | 45% | Above Average |
| 57 | Lowe’s | lowes.com | 60% | 45% | Above Average |
| 57 | AT&T | att.com | 60% | 45% | Above Average |
| 57 | NextEra Energy | nexteraenergy.com | 60% | 45% | Above Average |
| 57 | General Motors | gm.com | 60% | 45% | Above Average |
| 57 | Ford Motor | ford.com | 60% | 45% | Above Average |
| 57 | Target | target.com | 60% | 45% | Above Average |
| 57 | Chubb | chubb.com | 60% | 45% | Above Average |
| 72 | Oracle | oracle.com | 58% | 45% | Average |
| 73 | Alphabet (Google) | google.com | 57% | 45% | Average |
| 74 | Amazon | amazon.com | 56% | 45% | Average |
| 74 | Verizon | verizon.com | 56% | 45% | Average |
| 74 | Bank of America | bankofamerica.com | 56% | 45% | Average |
| 77 | BlackRock | blackrock.com | 55% | 45% | Average |
| 77 | ServiceNow | servicenow.com | 55% | 45% | Average |
| 77 | Gilead Sciences | gilead.com | 55% | 45% | Average |
| 80 | Apple | apple.com | 54% | 45% | Average |
| 80 | Visa | visa.com | 54% | 45% | Average |
| 80 | AbbVie | abbvie.com | 54% | 45% | Average |
| 80 | Cisco | cisco.com | 54% | 45% | Average |
| 80 | Walt Disney | disney.com | 54% | 45% | Average |
| 80 | Union Pacific | up.com | 54% | 45% | Average |
| 80 | Goldman Sachs | goldmansachs.com | 54% | 45% | Average |
| 80 | Morgan Stanley | morganstanley.com | 54% | 45% | Average |
| 80 | Uber | uber.com | 54% | 45% | Average |
| 80 | General Dynamics | gd.com | 54% | 45% | Average |
| 80 | HCA Healthcare | hcahealthcare.com | 54% | 45% | Average |
| 80 | Wells Fargo | wellsfargo.com | 54% | 45% | Average |
| 80 | Marsh & McLennan | marshmclennan.com | 54% | 45% | Average |
| 93 | Eli Lilly | lilly.com | 52% | 45% | Average |
| 94 | Vertex Pharmaceuticals | vrtx.com | 51% | 70% | Average |
| 95 | ConocoPhillips | conocophillips.com | 50% | 45% | Average |
| 95 | Citigroup | citi.com | 50% | 45% | Average |
| 97 | Chevron | chevron.com | 48% | 45% | Below Average |
| 97 | Progressive | progressive.com | 48% | 45% | Below Average |
| 99 | Meta Platforms | meta.com | 44% | 45% | Below Average |
| 99 | Southern Company | southerncompany.com | 44% | 45% | Below Average |
| 99 | Duke Energy | duke-energy.com | 44% | 45% | Below Average |
| 102 | McDonald’s | mcdonalds.com | 42% | 45% | Below Average |
| 103 | Thermo Fisher Scientific | thermofisher.com | 38% | 45% | Weak |
Website Security Scores
Scores ranged from 100% to 45%; 2 of 103 reached the 100% ideal and 95 scored below 60%.
| Rank | Company | Domain | Website Score | Rating |
|---|---|---|---|---|
| 1 | Linde | linde.com | 100% | Strong |
| 1 | Micron Technology | micron.com | 100% | Strong |
| 3 | Accenture | accenture.com | 92% | Strong |
| 3 | 3M | 3m.com | 92% | Strong |
| 3 | Abbott Laboratories | abbott.com | 92% | Strong |
| 3 | AMD | amd.com | 92% | Strong |
| 7 | Berkshire Hathaway | berkshirehathaway.com | 70% | Good |
| 7 | Vertex Pharmaceuticals | vrtx.com | 70% | Good |
| 9 | Costco | costco.com | 45% | Below Average |
| 9 | Adobe | adobe.com | 45% | Below Average |
| 9 | Eaton | eaton.com | 45% | Below Average |
| 9 | Marriott International | marriott.com | 45% | Below Average |
| 9 | S&P Global | spglobal.com | 45% | Below Average |
| 9 | Microsoft | microsoft.com | 45% | Below Average |
| 9 | Amgen | amgen.com | 45% | Below Average |
| 9 | UPS | ups.com | 45% | Below Average |
| 9 | Palo Alto Networks | paloaltonetworks.com | 45% | Below Average |
| 9 | Applied Materials | appliedmaterials.com | 45% | Below Average |
| 9 | Exxon Mobil | exxonmobil.com | 45% | Below Average |
| 9 | Philip Morris | pmi.com | 45% | Below Average |
| 9 | Boeing | boeing.com | 45% | Below Average |
| 9 | Caterpillar | cat.com | 45% | Below Average |
| 9 | T-Mobile US | t-mobile.com | 45% | Below Average |
| 9 | Charles Schwab | schwab.com | 45% | Below Average |
| 9 | Booking Holdings | booking.com | 45% | Below Average |
| 9 | Medtronic | medtronic.com | 45% | Below Average |
| 9 | Lockheed Martin | lockheedmartin.com | 45% | Below Average |
| 9 | Automatic Data Processing | adp.com | 45% | Below Average |
| 9 | Intuitive Surgical | intuitive.com | 45% | Below Average |
| 9 | Intuit | intuit.com | 45% | Below Average |
| 9 | FedEx | fedex.com | 45% | Below Average |
| 9 | Johnson & Johnson | jnj.com | 45% | Below Average |
| 9 | Netflix | netflix.com | 45% | Below Average |
| 9 | Pfizer | pfizer.com | 45% | Below Average |
| 9 | JPMorgan Chase | jpmorganchase.com | 45% | Below Average |
| 9 | Tesla | tesla.com | 45% | Below Average |
| 9 | UnitedHealth Group | unitedhealthgroup.com | 45% | Below Average |
| 9 | Procter & Gamble | pg.com | 45% | Below Average |
| 9 | RTX (Raytheon) | rtx.com | 45% | Below Average |
| 9 | Coca-Cola | coca-colacompany.com | 45% | Below Average |
| 9 | Texas Instruments | ti.com | 45% | Below Average |
| 9 | IBM | ibm.com | 45% | Below Average |
| 9 | Starbucks | starbucks.com | 45% | Below Average |
| 9 | Qualcomm | qualcomm.com | 45% | Below Average |
| 9 | American Express | americanexpress.com | 45% | Below Average |
| 9 | Mondelez | mondelezinternational.com | 45% | Below Average |
| 9 | Boston Scientific | bostonscientific.com | 45% | Below Average |
| 9 | Deere & Company | deere.com | 45% | Below Average |
| 9 | Danaher | danaher.com | 45% | Below Average |
| 9 | CME Group | cmegroup.com | 45% | Below Average |
| 9 | Broadcom | broadcom.com | 45% | Below Average |
| 9 | Honeywell | honeywell.com | 45% | Below Average |
| 9 | TJX Companies | tjx.com | 45% | Below Average |
| 9 | Colgate-Palmolive | colgatepalmolive.com | 45% | Below Average |
| 9 | Salesforce | salesforce.com | 45% | Below Average |
| 9 | Stryker | stryker.com | 45% | Below Average |
| 9 | Comcast | comcast.com | 45% | Below Average |
| 9 | NVIDIA | nvidia.com | 45% | Below Average |
| 9 | Mastercard | mastercard.com | 45% | Below Average |
| 9 | Walmart | walmart.com | 45% | Below Average |
| 9 | Home Depot | homedepot.com | 45% | Below Average |
| 9 | Merck | merck.com | 45% | Below Average |
| 9 | PepsiCo | pepsico.com | 45% | Below Average |
| 9 | Nike | nike.com | 45% | Below Average |
| 9 | CVS Health | cvshealth.com | 45% | Below Average |
| 9 | Lowe’s | lowes.com | 45% | Below Average |
| 9 | AT&T | att.com | 45% | Below Average |
| 9 | NextEra Energy | nexteraenergy.com | 45% | Below Average |
| 9 | General Motors | gm.com | 45% | Below Average |
| 9 | Ford Motor | ford.com | 45% | Below Average |
| 9 | Target | target.com | 45% | Below Average |
| 9 | Chubb | chubb.com | 45% | Below Average |
| 9 | Oracle | oracle.com | 45% | Below Average |
| 9 | Alphabet (Google) | google.com | 45% | Below Average |
| 9 | Amazon | amazon.com | 45% | Below Average |
| 9 | Verizon | verizon.com | 45% | Below Average |
| 9 | Bank of America | bankofamerica.com | 45% | Below Average |
| 9 | BlackRock | blackrock.com | 45% | Below Average |
| 9 | ServiceNow | servicenow.com | 45% | Below Average |
| 9 | Gilead Sciences | gilead.com | 45% | Below Average |
| 9 | Apple | apple.com | 45% | Below Average |
| 9 | Visa | visa.com | 45% | Below Average |
| 9 | AbbVie | abbvie.com | 45% | Below Average |
| 9 | Cisco | cisco.com | 45% | Below Average |
| 9 | Walt Disney | disney.com | 45% | Below Average |
| 9 | Union Pacific | up.com | 45% | Below Average |
| 9 | Goldman Sachs | goldmansachs.com | 45% | Below Average |
| 9 | Morgan Stanley | morganstanley.com | 45% | Below Average |
| 9 | Uber | uber.com | 45% | Below Average |
| 9 | General Dynamics | gd.com | 45% | Below Average |
| 9 | HCA Healthcare | hcahealthcare.com | 45% | Below Average |
| 9 | Wells Fargo | wellsfargo.com | 45% | Below Average |
| 9 | Marsh & McLennan | marshmclennan.com | 45% | Below Average |
| 9 | Eli Lilly | lilly.com | 45% | Below Average |
| 9 | ConocoPhillips | conocophillips.com | 45% | Below Average |
| 9 | Citigroup | citi.com | 45% | Below Average |
| 9 | Chevron | chevron.com | 45% | Below Average |
| 9 | Progressive | progressive.com | 45% | Below Average |
| 9 | Meta Platforms | meta.com | 45% | Below Average |
| 9 | Southern Company | southerncompany.com | 45% | Below Average |
| 9 | Duke Energy | duke-energy.com | 45% | Below Average |
| 9 | McDonald’s | mcdonalds.com | 45% | Below Average |
| 9 | Thermo Fisher Scientific | thermofisher.com | 45% | Below Average |
What the Results Reveal
- Linde (86%), Micron Technology (86%), Accenture (85%) lead the index on combined cybersecurity posture; Thermo Fisher Scientific (38%) trails the field.
- Website headers lag identity controls: only 2 domains reached the 100% ideal on website security; 95 scored below 60% (HSTS, CSP, clickjacking protection).
- Cybersecurity vendors are not uniformly top-ranked: Palo Alto Networks (71%) ranks mid-pack despite being a security-first brand — configuration gaps persist even at companies that sell firewalls and email protection.
- Mega-cap technology names show mixed results: Micron (86%) ranks near the top while Meta (44%), Alphabet (57%), and Apple (54%) sit well below the index leaders — enormous market cap does not guarantee strong domain hygiene.
- 32 companies scored below 60% — a range where spoofed executive communications, vendor-payment fraud, and credential phishing remain realistic threats.
- Investors, vendors, and enterprise customers should verify DMARC enforcement, MTA-STS, and website hardening on any domain used for billing, wire instructions, or account recovery.
Attack exposure at the bottom of the index
Domains scoring near 38% combine weak identity enforcement, missing inbound transport protections, and sub-60% website hardening. Without naming specific constituents, organizations in that tier are disproportionately exposed to:
- Business email compromise (BEC) — spoofed messages appearing to come from executives or accounts payable, used to redirect wires, ACH payments, and investor-relations transfers.
- Brand impersonation phishing — fake billing, HR, benefits, and vendor notices that pass visual inspection because DMARC and SPF are not fully enforced.
- Credential harvesting — login pages linked from forged
@company.commail aimed at employees, contractors, customers, and retail shareholders. - Invoice and procurement fraud — altered payment instructions sent to finance teams and supply-chain partners who trust the corporate domain.
- Account-recovery abuse — password-reset and MFA prompts triggered from impersonated sender addresses.
- Inbound mail downgrade attacks — absence of enforced MTA-STS allows opportunistic TLS stripping on messages destined for the organization.
- Clickjacking and session risks — missing HSTS, CSP, and frame protections on the public site increase browser-side attack surface for visitors and logged-in users.
- Supply-chain targeting — partners who whitelist the domain for deliverability become secondary victims when spoofed mail originates unchecked.
- Header gaps at scale — 95 of 103 domains scored below 60% on website security in this audit. Clickjacking and session risks are not confined to the bottom tier; many mid-pack names share the same 45% website floor.
These are not theoretical edge cases. State breach portals and FBI IC3 reporting consistently tie weak email authentication and header gaps to measurable financial loss at large enterprises.
Real attacks, told as stories
The stories below are made up, but they are based on real crimes that police and cybersecurity teams see every year. No S&P 100 company is named. Each story shows how weak domain settings can hurt real people — employees, vendors, investors, and job seekers who interact with America’s largest public companies.
Story 1: Maria and the payment that was not real

Maria works in accounts payable at Heartland Components, a parts supplier on the approved vendor list of a Fortune 100 manufacturer.
On a Tuesday morning, she gets an email that looks normal:
From: accounts-payable@bigbrand.com
Subject: New bank info for March invoices
The logo looks right. The tone sounds like past emails from procurement. A PDF lists a new routing number.
Maria does not know that bigbrand.com has weak email security. A stranger sent the message from their own server and pretended to be the big brand. That is called brand impersonation.
She approves a $284,000 wire. The money goes to the attacker, not the real company.
The next day, the same fake sender emails two more suppliers Maria knows from industry conferences. One ignores it. One also changes bank details. That is supply-chain targeting — hurting partners by faking the main company’s name.
Attack vectors in this story: brand impersonation · invoice and procurement fraud · supply-chain targeting · business email compromise (BEC)
Simple fix: Strict DMARC (p=reject), SPF (-all), and a rule that every bank change needs a phone call to a known contact — not just email.
Story 2: Jordan clicks “reset password”

Jordan is a regional operations manager at a Dow-component industrial. On Wednesday at 2 p.m., his phone buzzes:
From: it-security@bigbrand.com
Subject: Reset your password in 2 hours or lose access
Jordan is busy. The email looks like IT mail he has seen before. He clicks the link.
The page looks like his company login. It is not. It is a copy on a similar-looking website (bigbrand-secure.com). He types his username and password. The attacker saves them.
This is account-recovery abuse and credential harvesting. The criminal used a fake “reset your account” message because people trust mail from @company.com.
That night, the attacker signs into Jordan’s mailbox and reads old threads about a possible acquisition. On Thursday, they email the CFO’s assistant:
From: cfo@bigbrand.com
Subject: Urgent — confidential wire for escrow
That is BEC — business email compromise. The assistant almost approves it. A bookkeeper asks, “Did you talk to the CFO on the phone?” The wire stops. Jordan still has to change every password he reused.
Attack vectors in this story: account-recovery abuse · credential harvesting · business email compromise (BEC)
Simple fix: DMARC p=reject, train staff that IT will never rush a reset by email alone, and require a callback before any wire.
Story 3: The contract email no one knew could be copied

Priya is outside counsel closing an acquisition for a public S&P 100 company. She emails a draft purchase agreement to her client’s inbox at @bigbrand.com. The send button works. Her screen says Delivered.
What Priya cannot see: on part of the internet path, the mail server connection was downgraded from locked (TLS) to unlocked. Without MTA-STS set to mode=enforce, her client’s mail system still accepts the message. An attacker on that path can copy attachment text in plain form.
This is an inbound mail downgrade attack. Most people worry about fake outgoing email. MTA-STS protects incoming mail — mail sent to your company.
Priya’s IT contact sees green checkmarks in their dashboard. Nothing looks wrong. Weeks later, a rival bidder seems to know price terms early. The leak might have started on the wire, not in someone’s inbox.
Attack vector in this story: inbound mail downgrade (no MTA-STS)
Simple fix: Publish MTA-STS in enforce mode and turn on TLS-RPT reports so IT gets alerted when encryption fails.
Story 4: Alex applies for a job online

Alex is a college senior. He is already logged into his school portal in one browser tab. In another tab, he opens a job post: “Big Brand — analyst role, fast track.”
The site asks him to “confirm your profile” on what looks like the real company careers page. He clicks.
He does not know the page is a trap. The real login screen is hidden inside an invisible frame on a scam site. That trick is called clickjacking. The company’s website scored 45% on security headers — the same floor shared by 95 other S&P 100 domains in this audit, including several trillion-dollar brands missing strong HSTS, CSP, and frame blocking.
Alex thinks he is on the real site. He is really interacting with a layer the attacker controls. If he had been logged into the company’s vendor portal in another tab, the same trick could hijack that session.
No phishing email was needed. The attack lived on the website, not in the inbox.
Attack vectors in this story: clickjacking · session risks (missing HSTS/CSP)
Simple fix: Add HSTS, Content-Security-Policy, and frame-ancestors / X-Frame-Options so login pages cannot be embedded on random sites.
How the stories connect
All four stories can hit one company with a weak audit score (near 38%):
| Story | Who got hurt | Main gap |
|---|---|---|
| Maria (supplier) | Outside partners | Fake mail from your domain |
| Jordan (employee) | Inside staff | Fake password-reset mail |
| Priya (lawyer) | Confidential data in transit | Incoming mail not forced to stay encrypted |
| Alex (job seeker) | Website visitors | Login page can be framed by attackers |
Together, that is not one bug — it is a pattern. Fixing it means better DNS (DMARC, MTA-STS), better website headers, and better office rules (call back before you wire).
Website stack highlights
A July 2026 passive website-stack check of S&P 100 domains found two public CMS signals worth calling out (most large brands hide versions behind CDNs/WAFs):
| Company | Domain | What we found |
|---|---|---|
| Merck | merck.com | WordPress core behind current — running 6.8.5 while wordpress.org lists 7.0.1 |
| Pfizer | pfizer.com | Drupal major version behind — public site reports Drupal 10; current major release is Drupal 11 |
These are public hygiene signals, not proof of a breach. They sit alongside the email-auth gaps already scored above — another reason corporate domains remain attractive phishing and supply-chain targets.
Why This Matters
S&P 100 companies process payroll, benefits, investor communications, and supply-chain payments at national scale. A spoofable corporate domain is a direct path to business email compromise (BEC), fraudulent wire transfers, and credential phishing aimed at employees and customers.
Check any company’s posture at audit.emailmenow.com.
See also — national audits
- Nasdaq 100 Companies
- Major U.S. Banks
- Investment Firms
- Elon Musk Companies & Domains
- National audit hub
Recommendations
- Enforce DMARC (
p=reject), strict SPF (-all), and DKIM on all outbound mail domains. - Publish MTA-STS in enforce mode and harden website security headers on primary and subsidiary domains.
- Require verified call-back for wire and ACH changes initiated by email.
- Benchmark subsidiary and acquisition domains separately — many index members operate multiple customer-facing brands.
Methodology: Primary corporate domains for S&P 100 constituents audited 2026-06-14 via audit.emailmenow.com.