By Cargo / Liquids / Gas (Tanker)
Liquids / Gas (Tanker) Carriers — Email Security
70.9% of active liquids / gas (tanker) carrier domains have no enforced DMARC — leaving this segment open to email impersonation, payment-redirect fraud, and cargo theft via phishing.
No enforced DMARC
70.9%
national: 80.1%
p=reject
12.3%
national: 7.5%
Microsoft 365
42.6%
national: 38.1%
M365 + no DMARC (carriers)
4,076
national: 92,822
MTA-STS
4.4%
national: 3.3%
DNSSEC
5.2%
national: 6.1%
Dead domains
784
of 14,397 scanned
Total carriers
16,694
784 with dead domain
Risk bands — Liquids / Gas (Tanker) carriers
Carrier counts by risk band (composite email-security pain score). Critical = score 70+; Minimal = score <15.
| Risk band | Score range | Carriers | Domains |
|---|---|---|---|
| Critical | score 70+ | 1,054 | 981 |
| High | score 50–69 | 3,921 | 3,461 |
| Medium | score 30–49 | 6,808 | 5,863 |
| Low | score 15–29 | 3,900 | 3,108 |
| Minimal | score <15 | 227 | 200 |
Liquids / Gas (Tanker) vs. national average
What the Liquids / Gas (Tanker) numbers actually mean
Segment exposure framing. Liquids/gas tanker fleets handle high-value, environmentally sensitive cargo. A payment-redirect or load-redirect attack can also create regulatory liability for the shipper if the receiving party is not the intended consignee.
DMARC posture. The liquids / gas (tanker)segment's share of carrier domains with no enforced DMARC sits at 70.9% — better than the national average by 9.2 points. Liquids / Gas (Tanker) carriers adopt enforced p=reject DMARC at a meaningfully higher rate than the national pool. At the protective end of the distribution, 12.3% of segment domains are at p=reject — the only DMARC policy that actually instructs receivers to drop spoofed mail.
Microsoft 365 surface. Microsoft 365 mailflow adoption runs heavier than the national distribution, which is consequential — every M365 tenant already includes the controls needed to enforce DMARC, so the 4,076 M365 carriers in this segment with DMARC disabled are leaving paid-for protection switched off. That share is 24.4% of all liquids / gas (tanker) carriers — a one-flag-flip remediation set that segment-specific MSPs can clear in a single quarter without touching DNS infrastructure.
Transport encryption. MTA-STS adoption — the encrypted-transport policy that prevents DNS-downgrade interception — runs above the national rate, but the absolute floor is still under 9%, well short of where freight payment flows should sit. DNSSEC adoption across liquids / gas (tanker) carriers runs at 5.2% (vs 6.1% national).
Risk-band shape. Liquids / Gas (Tanker)'s critical-band share is 6.3% versus 8.4% nationally, with the pressure shifting into the high band (23.5% of segment carriers) where one or two control gaps still leave room for impersonation.
Best-practice control for this segment. Operators dispatching liquid/gas tanker loads should require DMARC-verified email and BSA/AML-grade payee verification before any wire authorization.
Compare Liquids / Gas (Tanker) with other cargo segments
Segments closest in carrier-count rank to Liquids / Gas (Tanker). Each is scored on the same DNS-derived control set, so the comparison is apples-to-apples.
See where your own domain stands
The research is free and self-serve. Run the same public checks on your own domain in about a minute — SPF, DKIM, DMARC, MTA-STS, DNSSEC, and more — and get a scored report by email. No agents, no credentials.
Data as of 2026-05-20 from public DNS measurements. Statistics are domain-weighted unless noted. Cargo segment membership is based on FMCSA Company Census cargo flags. Methodology: read the full index.