Email authentication at Big Tech: we scanned 24 of the giants
· dmarc · spf · email · email-security · big-tech · research
We ran our dossier scanner against 24 of the world's largest technology companies to understand how seriously the giants take email authentication. The result: Big Tech is almost universally strong on the core layer (SPF, DMARC), and they're the only cohort we've tested that meaningfully adopts transport security (MTA-STS, TLS-RPT). Yet even here, a handful still operate in monitoring mode.
What we measured
On June 24, 2026, we used live DNS-over-HTTPS queries (via Cloudflare) to look up the email authentication records of 24 large technology companies, using the same checks that power Domain Posture's DMARC checker and dossier toolkit.
The cohort: Adobe, Alphabet, Amazon, AMD, Apple, Broadcom, Cisco, Dell, Facebook, Google, HP, IBM, Intel, Meta, Microsoft, Netflix, NVIDIA, Oracle, Qualcomm, Salesforce, Samsung, SAP, Sony, and TSMC.
All 24 had MX records (mail infrastructure in place). What follows is a snapshot; DNS records change. DKIM results are a floor — we only checked common selector names, so custom selectors are undercounted.
Strong on enforcement: SPF and DMARC across the board
Every single one of the 24 published SPF and DMARC records.
| Metric | Count | Percentage |
|--------|-------|-----------|
| SPF present | 24/24 | 100% |
| SPF with -all (hard fail) | 9/24 | 37.5% |
| SPF with ~all (soft fail) | 11/24 | 45.8% |
| DMARC present | 24/24 | 100% |
| DMARC at p=reject | 17/24 | 70.8% |
| DMARC at p=quarantine | 4/24 | 16.7% |
| DMARC at p=none | 3/24 | 12.5% |
| Enforced (reject + quarantine) | 21/24 | 87.5% |
| DMARC RUA reporting enabled | 24/24 | 100% |
| DKIM detectable at common selectors | 13/24 | 54.2% |
The companies operating at p=reject include (named from our findings): Google, Microsoft, Meta, Facebook, Adobe, Cisco, IBM, Netflix, NVIDIA, Oracle, Salesforce, SAP, Qualcomm, HP, Dell, Broadcom, and TSMC. These organizations have made the decision to actively reject email that fails authentication — the strongest posture.
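How the SPF and DMARC columns of the table can be derived from raw TXT answers, as an added example (not Domain Posture's scanner code). The function names, output labels and example.* records are assumptions constructed for illustration; it goes slightly beyond the table by also separating SPF records that end in `redirect=` or carry no `all` term.

```python
import re

def parse_tags(record):
    # Split a "k=v; k=v" record (DMARC style) into a dict with lowercase keys.
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def classify_spf(txt_records):
    """Return 'missing', 'invalid', 'redirect', 'no-all', or the all term with its qualifier."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"  # RFC 7208: more than one SPF record is a permerror
    terms = spf[0].lower().split()[1:]
    for term in terms:
        m = re.fullmatch(r"([+\-~?]?)all", term)
        if m:
            return (m.group(1) or "+") + "all"  # a bare "all" means "+all"
    if any(t.startswith("redirect=") for t in terms):
        return "redirect"  # the final policy sits in another domain's record
    return "no-all"

def classify_dmarc(txt_records):
    """Summarise the TXT answers at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:  # none published, or an ambiguous set that receivers ignore
        return {"dmarc": False, "policy": None, "enforced": False, "rua": False}
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        policy = "invalid"
    return {"dmarc": True, "policy": policy,
            "enforced": policy in ("quarantine", "reject"), "rua": bool(tags.get("rua"))}

# Constructed sample answers (not scan results): domain -> (apex TXT, _dmarc TXT)
SAMPLE = {
    "example.com": (["v=spf1 include:_spf.example.net -all"], ["v=DMARC1; p=reject; rua=mailto:d@example.com"]),
    "example.org": (["site-verification=abc", "v=spf1 ip4:192.0.2.0/24 ~all"], ["v=DMARC1; p=none; rua=mailto:d@example.org"]),
    "example.net": (["v=spf1 redirect=_spf.example.com"], ["v=DMARC1;p=quarantine"]),
}

def posture(domain):
    apex, dmarc = SAMPLE[domain]
    return {"spf": classify_spf(apex), **classify_dmarc(dmarc)}
```

A record classified as `redirect` needs a second lookup at the redirect target before its `all` qualifier can be counted.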
The big tech advantage: transport-layer security
Where Big Tech really stands out is adoption of the advanced layer: MTA-STS and TLS-RPT.
- MTA-STS published: 4/24 (16.7%) — the highest adoption of any cohort we've tested.
- TLS-RPT published: 6/24 (25.0%) — also the highest.
MTA-STS (SMTP MTA Strict Transport Security) forces sending mail servers to use an encrypted connection and validate your mail server's certificate. It's a critical defense against downgrade attacks — an attacker can't intercept mail in transit by forcing an unencrypted connection. MTA-STS is still relatively rare in the wild, but Big Tech leads here.
The 4 companies with MTA-STS published: Facebook, Google, Microsoft, and Qualcomm.
TLS-RPT (TLS Reporting) is the reporting cousin — it tells you about TLS failures, so you know when attackers are trying (and failing) to downgrade your mail. Adoption at 25% is strong.
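A published MTA-STS record only makes senders refuse delivery when the policy file's mode is `enforce` and its `mx` patterns cover every MX host. The check below is an added example (not code from the scan); the function names and the sample record, policy body and MX list are constructed assumptions.

```python
def parse_sts_policy(text):
    """Parse the 'key: value' lines of an mta-sts.txt policy body (RFC 8461)."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())  # mx may repeat, one pattern per line
        else:
            policy[key] = value
    return policy

def mx_allowed(mx_host, patterns):
    """Exact match, or a '*.' pattern that covers exactly one left-most label."""
    host = mx_host.rstrip(".").lower()
    for pat in patterns:
        if pat.startswith("*."):
            label, _, rest = host.partition(".")
            if label and rest == pat[2:]:
                return True
        elif host == pat:
            return True
    return False

def evaluate(txt_records, policy_text, mx_hosts):
    """Return (status, MX hosts the policy does not cover)."""
    if not any(r.lower().startswith("v=stsv1") for r in txt_records):
        return ("not-published", [])
    policy = parse_sts_policy(policy_text)
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        return ("invalid-policy", [])
    uncovered = [h for h in mx_hosts if not mx_allowed(h, policy["mx"])]
    return (policy["mode"], uncovered)

# Constructed inputs: the _mta-sts TXT answer, the policy body, and the domain's MX hosts.
TXT = ["v=STSv1; id=20260624T000000"]
POLICY = "version: STSv1\r\nmode: testing\r\nmx: mx1.example.com\r\nmx: *.mail.example.com\r\nmax_age: 86400\r\n"
MX = ["mx1.example.com.", "in.mail.example.com", "backup.example.net"]
```

With these inputs `evaluate(TXT, POLICY, MX)` reports `testing` mode and one uncovered host: in `testing` mode senders still deliver when validation fails, and an uncovered MX would start failing validation once the mode is switched to `enforce`.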
Even giants still monitor: the p=none outliers
Three companies in this cohort publish DMARC but operate in monitoring-only mode:
- intel.com
- samsung.com
- sony.com
All three have p=none, which means they've published a DMARC policy but don't ask receivers to take any action on email that fails. Instead, they observe: the receiving servers send reports, and the company can watch what's happening without blocking anything. This is a safe first step for large organizations managing complex mail ecosystems, but it offers no protection: spoofed email that fails DMARC is not rejected or quarantined on the strength of the policy, so it can still reach recipients.
These three likely deployed DMARC to gather data before moving to p=reject or p=quarantine.
The takeaway: Big Tech sets the bar
87.5% of the companies we scanned enforce DMARC at p=reject or p=quarantine, and they're the only cohort meaningfully deploying MTA-STS and TLS-RPT. The bar they're setting is: strong authentication (SPF, DKIM, DMARC) + enforced policy + transport security.
Smaller organizations with serious security postures can — and should — match this. A domain doesn't need to be a Fortune 500 company to implement p=reject and publish MTA-STS.
Frequently asked questions
- Do big tech companies use DMARC?
- Yes. All 24 we scanned publish DMARC records. 87.5% are enforced at p=reject or p=quarantine; 70.8% are at p=reject alone.
- What is MTA-STS and who uses it?
- MTA-STS (SMTP MTA Strict Transport Security) forces sending servers to encrypt the connection to your mail server. Only 4 in our Big Tech cohort deploy it: Facebook, Google, Microsoft, and Qualcomm — the highest adoption rate of any cohort we've tested.
- Why do some large companies still use p=none?
- p=none means the company publishes DMARC but doesn't enforce any action — they're in monitoring mode. Intel, Samsung, and Sony do this, likely to observe and refine policy before flipping to p=reject.
- Does Google use MTA-STS?
- Yes. Google is one of only 4 Big Tech companies with MTA-STS published.
- What's the difference between DMARC and MTA-STS?
- DMARC controls what receiving servers do with unauthenticated email (reject, quarantine, monitor). MTA-STS controls how sending servers connect to your mail server — it forces encryption and certificate validation.