Dr.Who

State of Email Authentication 2026: we scanned 994 of the web's top domains

· dmarc · spf · email · email-security · research


On June 24, 2026, we scanned 994 of the web's most-visited domains for email authentication—and discovered a paradox: 83% publish DMARC, but only 69% enforce it, and fewer than 5% have adopted transport-layer security. Here's what we found.

What we measured

We conducted a snapshot survey of email authentication practices across 994 of the internet's highest-traffic domains using live DNS-over-HTTPS lookups via Cloudflare. The same checks power the Domain Posture dossier scanner, ensuring consistency with our production tooling.

A few caveats: this is a single snapshot from one vantage point (June 2026); DNS records change and policies evolve. We scanned all 994 domains equally, treating a parked domain the same as a major news outlet—both should publish SPF -all and DMARC p=reject to prevent spoofing. DKIM detection used only common selector names (selector1, default, google, etc.), so our 56.9% figure is a floor; custom selectors are undercounted. Percentages are calculated over all 994 domains scanned, not just the 892 with MX records.

The headline: authentication is common, enforcement less so

Email authentication is broadly adopted—but enforcement is not. 89.8% of domains publish SPF, yet the story splits sharply. Of those with SPF:

  • 40.7% use a hard fail policy (-all), which blocks unauthenticated senders outright.
  • 44.1% use a soft fail (~all), which does not block but logs violations.
  • Only 1.8% use neutral or pass (?all or +all).

DMARC adoption is similarly strong at 83.4%, but again, many domains do not enforce:

| Mechanism | Adoption | Notes |
|-----------|----------|-------|
| SPF present | 89.8% | 40.7% hard fail, 44.1% soft fail |
| DMARC present | 83.4% | 69.1% enforced (reject or quarantine) |
| DMARC p=reject | 48.1% | Strictest policy |
| DMARC p=quarantine | 21.0% | Moderate enforcement |
| DMARC p=none | 14.3% | Monitoring only—no protection |
| DKIM detectable | 56.9% | Common selectors only (floor estimate) |
| Full enforced stack | 68.3% | SPF present AND DMARC reject/quarantine |
| MTA-STS policy | 4.0% | Transport security |
| TLS-RPT record | 5.8% | Failure reporting |

The gap between p=reject (48.1%) and p=none (14.3%) is significant. A p=none policy sends reports but does not protect: receivers still deliver spoofed mail. For high-value domains—banks, news outlets, security vendors—this is a critical liability. Yet across the board, one in seven domains chooses monitoring without defense.
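To make the categories in the table concrete, here is an added example (not code from the survey or its scanner) that classifies SPF and DMARC TXT records the way the counts above are defined: the qualifier on the terminating `all` term decides hard fail versus soft fail, `p=` decides whether DMARC is enforced, and "full enforced stack" means SPF present and DMARC reject or quarantine. The five domains and their records are constructed sample DNS answers, and percentages use every domain as the denominator, as the survey does.

```python
# Added example: classify SPF and DMARC records into the survey's categories.
# The records below are constructed sample DNS answers, not data from the scan.
from collections import Counter

# Constructed: domain -> (SPF TXT record or None, _dmarc TXT record or None)
SAMPLE_RECORDS = {
    "bank.example":   ("v=spf1 include:_spf.mailhost.example -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"),
    "news.example":   ("v=spf1 ip4:203.0.113.0/24 ~all",
                       "v=DMARC1; p=none; rua=mailto:dmarc@news.example"),
    "shop.example":   ("v=spf1 include:spf.mailhost.example ~all",
                       "v=DMARC1; p=quarantine; pct=100"),
    "parked.example": (None, None),
    "lab.example":    ("v=spf1 mx ?all",
                       "v=DMARC1; p=reject; sp=none"),
}

SPF_CLASSES = {"-": "hard_fail", "~": "soft_fail", "?": "neutral", "+": "pass"}


def spf_all_qualifier(txt):
    """Qualifier of the terminating 'all' mechanism: '-', '~', '?', '+', or None."""
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        t = term.lower()
        if t in ("-all", "~all", "?all", "+all"):
            return t[0]
        if t == "all":  # bare 'all' carries the default '+' qualifier (RFC 7208)
            return "+"
    return None  # no 'all' term at all: the record ends with an implicit neutral


def dmarc_policy(txt):
    """The p= value of a DMARC record ('none', 'quarantine', 'reject'), or None."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    if tags.get("v") != "dmarc1":
        return None
    return tags.get("p")


def classify(spf_txt, dmarc_txt):
    """Map one domain's records onto the categories used in the table above."""
    spf_present = spf_txt is not None and spf_txt.lower().startswith("v=spf1")
    spf_class = SPF_CLASSES.get(spf_all_qualifier(spf_txt))
    p = dmarc_policy(dmarc_txt)
    enforced = p in ("reject", "quarantine")
    return {
        "spf_present": spf_present,
        "spf_class": spf_class,
        "dmarc_present": p is not None,
        "dmarc_policy": p,
        "dmarc_enforced": enforced,
        # "Full enforced stack" = SPF present AND DMARC reject/quarantine
        "full_enforced_stack": spf_present and enforced,
    }


def summarize(records):
    """Percentages with every scanned domain in the denominator, as the survey does."""
    n = len(records)
    tally = Counter()
    for spf_txt, dmarc_txt in records.values():
        c = classify(spf_txt, dmarc_txt)
        tally["spf_present"] += int(c["spf_present"])
        if c["spf_class"]:
            tally["spf_" + c["spf_class"]] += 1
        tally["dmarc_present"] += int(c["dmarc_present"])
        if c["dmarc_policy"]:
            tally["dmarc_p_" + c["dmarc_policy"]] += 1
        tally["dmarc_enforced"] += int(c["dmarc_enforced"])
        tally["full_enforced_stack"] += int(c["full_enforced_stack"])
    return {k: round(100.0 * v / n, 1) for k, v in tally.items()}


if __name__ == "__main__":
    for key, pct in sorted(summarize(SAMPLE_RECORDS).items()):
        print(f"{key:22s} {pct:5.1f}%")
```

Note that `lab.example` counts as SPF-present and DMARC-enforced even though its `?all` makes SPF almost meaningless on its own; that is exactly why the table reports the `all` qualifier separately from SPF presence.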

The transport-security layer is abandoned

If the DMARC story is bittersweet, the transport layer is bleak. Only 4.0% of the 994 domains we scanned publish an MTA-STS policy—that's 40 domains total. TLS-RPT adoption is slightly better at 5.8%, but still marginal.

MTA-STS enforces TLS encryption on email delivery and has been a standard since RFC 8461 (2018). It is not a replacement for DMARC—it protects the transport connection, not the message content. Yet most domains ignore it.

Who did adopt MTA-STS? Mailbox providers and security-focused companies: gmail.com, outlook.com, yahoo.com, fastmail.com, signal.org, google.com, microsoft.com, facebook.com, yubico.com, jetbrains.com, brave.com. These 11 represent 27.5% of the 40 MTA-STS-publishing domains in our scan. The rest are a long tail of smaller security vendors and privacy services.

The implication is stark: if you are not a mailbox provider or a security brand, you probably have not deployed MTA-STS. Broader adoption may require either regulatory pressure (like the incoming DMARC mandate) or higher sender reputation benefits in major inboxes.

Who does it best (and worst)

Email security maturity varies dramatically by industry. We grouped the 994 domains into four cohorts and measured adoption within each:

| Cohort | Domains | SPF % | DMARC Enforced % | p=reject % | MTA-STS % |
|--------|---------|-------|------------------|------------|-----------|
| Banks & fintech | 67 | 100% | 98.5% | 86.6% | 0% |
| News & media | 65 | 95.4% | 75.4% | 47.7% | 4.6% |
| AI labs | 18 | 100% | 88.9% | 27.8% | 0% |
| Big Tech | 24 | 100% | 87.5% | 70.8% | 16.7% |

Banks and fintech are the gold standard. All 67 publish SPF, 98.5% enforce DMARC, and 86.6% use the strict p=reject policy. This makes sense: a spoofed email from a bank is a financial crime. Yet even with perfect SPF adoption, zero banks have deployed MTA-STS.

News organizations are the weakest link. Only 95.4% publish SPF (4.6% miss it entirely), and just 75.4% enforce DMARC. One in five publishes only p=none, leaving the From domain spoofable despite a published record. The cohort edges ahead of banks and AI labs on MTA-STS at 4.6%, but remains far behind Big Tech.

AI labs split the difference. All 18 we sampled publish SPF and most enforce DMARC (88.9%), but only 27.8% use p=reject—many prefer p=quarantine, a softer stance. This may reflect higher email volume or more lenient fraud tolerance. None have adopted MTA-STS.

Big Tech leads on transport security. 16.7% publish MTA-STS policies (four times the overall average), 100% publish SPF, and 87.5% enforce DMARC with 70.8% at p=reject. They balance security with scale.

What this means for your domain

If your domain sends email, publish these records in this order:

  1. SPF with -all (hard fail). This blocks unauthenticated senders. If you use third-party email services, add them to your SPF record (e.g., include:sendgrid.net). Use -all at the end, not ~all.

  2. DKIM with a strong selector. Sign every outbound message. Rotate selector names occasionally so you can deprecate old keys without breaking mail.

  3. DMARC with p=reject. Do not start with p=none. Our data shows that 14.3% of domains publish p=none indefinitely—they get spoofed anyway, but without the protection that reject would provide. If you fear breaking legitimate mail, test first (apply the policy to a subdomain, or to a percentage of messages) and ramp to p=reject within 30 days.

If you need help auditing your domain, check your domain's DMARC record with our scanner. The scanner will tell you if SPF, DKIM, and DMARC are in place and whether your policies are enforced.

  4. (Optional but recommended) MTA-STS. If you want to block downgrade attacks on TLS, publish an MTA-STS policy. Only 4% of domains do this, so it is not critical—but it is a signal of maturity. Start with max_age=86400 (one day) for testing, then increase to 604800 (one week) or higher once confirmed.

Deploy these in order. Do not skip to p=none and hope it improves. The data is clear: enforcement works, and the pain of a few broken email flows is worth the security gain.
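Step 4 is where deployments most often go wrong, because MTA-STS has three moving parts (the `_mta-sts` TXT record, the policy file served over HTTPS, and the MX hosts the policy must cover) and a `max_age` that has to be ramped up just like the DMARC policy. The following added example (not the scanner's code) audits those parts offline: every input is a constructed value for a hypothetical `example.net`, and the wildcard matching in `mx_matches` is this example's reading of RFC 8461 (a leading `*.` stands for exactly one label). The thresholds are the one-day and one-week values recommended above.

```python
# Added example: audit an MTA-STS / TLS-RPT deployment offline.
# Every input is constructed: the _mta-sts TXT record, the body of the policy
# file that would be served at https://mta-sts.<domain>/.well-known/mta-sts.txt,
# the domain's MX hosts, and the _smtp._tls TXT record.

TESTING_MAX_AGE = 86400      # one day: the starting value suggested above
PRODUCTION_MAX_AGE = 604800  # one week: the value to move to once confirmed

# Constructed sample inputs for a hypothetical domain example.net
GOOD_DNS = "v=STSv1; id=20260624000000"
GOOD_POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.net\n"
    "mx: *.example.net\n"
    "max_age: 604800\n"
)
GOOD_MX = ["mail.example.net", "mx2.example.net"]
GOOD_TLSRPT = "v=TLSRPTv1; rua=mailto:tls-reports@example.net"

BAD_POLICY = (
    "version: STSv1\n"
    "mode: testing\n"
    "mx: mail.example.net\n"
    "max_age: 3600\n"
)
BAD_MX = ["mail.example.net", "backup.mailhost.example"]


def parse_tag_record(txt):
    """Parse 'k=v; k=v' TXT records (the _mta-sts and _smtp._tls record syntax)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def parse_mta_sts_policy(body):
    """Parse the 'key: value' policy file; 'mx' may repeat, so it is collected in a list."""
    policy = {"mx": []}
    for line in body.splitlines():
        if ":" not in line:
            continue
        k, v = line.split(":", 1)
        k, v = k.strip().lower(), v.strip()
        if k == "mx":
            policy["mx"].append(v.lower())
        else:
            policy[k] = v
    return policy


def mx_matches(pattern, host):
    """MX pattern match as this example reads RFC 8461: an exact hostname, or a
    leading '*.' standing for exactly one label ('*.example.net' covers
    'mx2.example.net' but neither 'example.net' nor 'a.b.example.net')."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def audit_mta_sts(dns_txt, policy_body, mx_hosts, tlsrpt_txt=None):
    """Return the parsed mode/max_age plus a list of findings; ok means no findings."""
    findings = []
    tags = parse_tag_record(dns_txt) if dns_txt else {}
    if tags.get("v", "").lower() != "stsv1" or not tags.get("id"):
        findings.append("missing or malformed _mta-sts TXT record (needs v=STSv1 and id=)")

    policy = parse_mta_sts_policy(policy_body or "")
    if policy.get("version", "").lower() != "stsv1":
        findings.append("policy file lacks 'version: STSv1'")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        findings.append(f"invalid mode {mode!r}")
    elif mode != "enforce":
        findings.append(f"mode is {mode}: TLS downgrade is reported but not blocked")

    try:
        max_age = int(policy.get("max_age", ""))
    except ValueError:
        max_age = None
        findings.append("max_age missing or not an integer")
    if max_age is not None:
        if max_age < TESTING_MAX_AGE:
            findings.append("max_age below one day: senders cache the policy too briefly")
        elif mode == "enforce" and max_age < PRODUCTION_MAX_AGE:
            findings.append("max_age still at a testing value; raise it to a week or more")

    # In enforce mode, senders refuse to deliver to an MX the policy does not cover
    for host in mx_hosts:
        if not any(mx_matches(p, host) for p in policy["mx"]):
            findings.append(f"MX host {host} is not covered by any mx: entry")

    if tlsrpt_txt is None:
        findings.append("no _smtp._tls TLS-RPT record: delivery failures will go unreported")
    else:
        rpt = parse_tag_record(tlsrpt_txt)
        if rpt.get("v", "").lower() != "tlsrptv1" or not rpt.get("rua"):
            findings.append("TLS-RPT record lacks v=TLSRPTv1 or a rua= destination")

    return {"mode": mode, "max_age": max_age, "findings": findings, "ok": not findings}


if __name__ == "__main__":
    for label, result in (("good", audit_mta_sts(GOOD_DNS, GOOD_POLICY, GOOD_MX, GOOD_TLSRPT)),
                          ("bad", audit_mta_sts(GOOD_DNS, BAD_POLICY, BAD_MX))):
        print(label, "ok" if result["ok"] else "\n  - ".join([""] + result["findings"]))
```

The `BAD_POLICY` case produces four findings: testing mode, a `max_age` under a day, an MX host the policy does not cover, and no TLS-RPT record. The MX check is the one to run before switching to `mode: enforce`, since a forgotten backup MX becomes undeliverable the moment senders honour the policy.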

Frequently asked questions

What percentage of top domains use DMARC?
83.4% of the 994 domains we scanned publish a DMARC record. However, not all are enforcing it—only 69.1% have a reject or quarantine policy, while 14.3% publish p=none (monitoring only, with no protection against spoofing).
How many websites enforce DMARC vs just monitor it?
Of all domains scanned, 48.1% use p=reject and 21.0% use p=quarantine—a combined 69.1% "enforced" stack. The remaining 14.3% use p=none, which sends reports but does not block spoofed mail. This means roughly one in seven domains publishes DMARC with no teeth.
Why do so few domains use MTA-STS?
Only 4.0% of the top 994 domains publish an MTA-STS policy, despite it being the standard for enforcing TLS on email transport since 2018. Adoption is likely low because the benefit is narrow (preventing downgrade attacks on trusted connections) and deployment requires DNS, policy files, and HTTPS—more overhead than SPF or DMARC alone.
What is the difference between SPF, DKIM and DMARC?
SPF authorizes sending servers by IP (Does this IP have permission to send from this domain?). DKIM signs messages cryptographically (Did this domain really create this message?). DMARC ties them together and tells receivers what to do if either fails (block it, quarantine it, or just log it). All three are needed for a robust defense.
Is publishing a DMARC record enough to stop spoofing?
Not without SPF and DKIM. DMARC requires at least one of them to pass alignment. If you publish DMARC p=reject but SPF is missing or broken, an attacker can still forge your domain—DMARC has nothing to authenticate. SPF and DKIM must be in place first.
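The last two answers describe what "pass alignment" means; the following added example (not the scanner's code) evaluates it the way a receiver does under RFC 7489. Given a DMARC record, the domain in the From header, and the SPF and DKIM results with the domains they authenticated, it reports whether either mechanism passed and aligned, and otherwise which disposition (`p=`, or `sp=` for a subdomain) applies. All five scenarios are constructed for a hypothetical `example.com`, and `organizational_domain` is a deliberate simplification (last two labels) where a real receiver consults the Public Suffix List.

```python
# Added example: evaluate DMARC identifier alignment the way a receiver does.
# Inputs are constructed: the DMARC record and the domain it was published for,
# the RFC5322.From domain, the SPF result with its RFC5321.MailFrom domain, and
# the DKIM result with its d= domain. Alignment rules follow RFC 7489.


def organizational_domain(domain):
    """Simplification for this example: the last two labels. Real receivers use
    the Public Suffix List (so 'example.co.uk' is handled correctly); this does not."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """'s' (strict) needs an exact match; 'r' (relaxed) accepts the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def parse_dmarc(txt):
    """Split a 'tag=value; tag=value' DMARC record into a lower-cased dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags


def evaluate_dmarc(record_domain, dmarc_txt, from_domain,
                   spf_result="none", spf_domain=None,
                   dkim_result="none", dkim_domain=None):
    """Return the DMARC result and the disposition the receiver should apply."""
    tags = parse_dmarc(dmarc_txt)
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    aspf = tags.get("aspf", "r")    # both alignment modes default to relaxed
    adkim = tags.get("adkim", "r")

    spf_aligned = (spf_result == "pass" and spf_domain is not None
                   and aligned(spf_domain, from_domain, aspf))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(dkim_domain, from_domain, adkim))

    # Either mechanism passing *and* aligning is enough for DMARC to pass
    if spf_aligned or dkim_aligned:
        return {"result": "pass", "disposition": "none",
                "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}

    # Failing mail from a subdomain follows sp= if present, otherwise p=
    is_subdomain = from_domain.lower().rstrip(".") != record_domain.lower().rstrip(".")
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return {"result": "fail", "disposition": policy,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}


# Constructed scenarios for a hypothetical sender example.com
RECORD = "v=DMARC1; p=reject; sp=none; adkim=r; aspf=r; rua=mailto:dmarc@example.com"
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s"


def scenarios():
    return {
        # Normal send: SPF passes for a bounce subdomain, DKIM signed by the org domain
        "legit": evaluate_dmarc("example.com", RECORD, "example.com",
                                "pass", "bounce.example.com", "pass", "example.com"),
        # Forwarded mail: SPF breaks at the forwarder, but the DKIM signature survives
        "forwarded": evaluate_dmarc("example.com", RECORD, "example.com",
                                    "fail", "bounce.example.com", "pass", "example.com"),
        # Spoof attempt: SPF passes only for an unrelated MailFrom domain, which does not align
        "spoofed": evaluate_dmarc("example.com", RECORD, "example.com",
                                  "pass", "unrelated-sender.example"),
        # Strict alignment: a DKIM d= on a subdomain no longer counts
        "strict": evaluate_dmarc("example.com", STRICT_RECORD, "example.com",
                                 "fail", None, "pass", "mail.example.com"),
        # Unauthenticated mail from a subdomain: fails, but sp=none only monitors it
        "subdomain": evaluate_dmarc("example.com", RECORD, "news.example.com"),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:10s} {outcome['result']:4s} disposition={outcome['disposition']}")
```

The `spoofed` scenario is the one the last answer describes: SPF itself passes, because the sending host is authorised for the domain in its own MailFrom, but that domain does not align with the From header, so the message has nothing DMARC can accept and `p=reject` applies. The `subdomain` scenario shows why a DMARC record with `sp=none` leaves subdomains spoofable even though the organizational domain is at `p=reject`.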