DMARC adoption at 62.5% across top 10K domains. Original research study analyzing SPF, DKIM, MTA-STS, BIMI, and DANE adoption.
As of February 2026, 62.5% of the top 10,000 domains have adopted DMARC, but only 46% enforce policies that protect against spoofing. Despite Google and Yahoo's authentication mandates implemented in 2024, 37.5% of high-traffic domains remain vulnerable to email fraud.
This study analyzes email authentication adoption across 10,000 domains from the Tranco Top Sites List, covering six core protocols: DMARC, SPF, DKIM, MTA-STS, BIMI, and DANE/TLSA. Data was collected February 25, 2026, using DMARCguard's scanner.
According to the FBI IC3 2024 Annual Report, Business Email Compromise (BEC) losses reached $2.77 billion across 21,442 incidents. Email authentication protocols like DMARC reduce this attack surface by verifying sender identity before messages reach inboxes.
For actionable guidance on implementing these protocols, read our guide on how to fix DMARC failures.
Tranco Top Sites List (Version 1M, February 2026). 10,000 domains sampled from the top 1 million by web traffic rank. DNS queries via Cloudflare resolver (1.1.1.1).
DMARCguard's scanner (parse-dmarc) performed DNS and HTTPS-based protocol detection for DMARC (RFC 7489), SPF (RFC 7208), DKIM (RFC 6376), MTA-STS (RFC 8461), BIMI, and DANE/TLSA (RFC 7672). Common DKIM selectors probed: selector1, selector2, google, default, k1, s1.
DMARCguard. (2026). State of Email Authentication 2026: Adoption Statistics for DMARC, SPF, DKIM, and Advanced Protocols. https://dmarcguard.io/research/email-authentication-2026/
As defined in RFC 7489, DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to verify sender identity and provide policy enforcement. Our scan found 62.5% DMARC adoption (6,255 domains), but a critical enforcement gap persists.
The enforcement rate — the percentage of domains using p=quarantine or p=reject policies — stands at 46.0%. This means nearly half of domains with DMARC actively protect against spoofing, while the remaining 16.5% remain at p=none (monitoring-only mode).
Comparing to industry data from Valimail's 2024 report, which showed 54% DMARC adoption in Fortune 1000 companies, our broader Tranco 10K sample (62.5%) suggests adoption is accelerating across all domain categories following Google and Yahoo's February 2024 bulk sender requirements.
Aggregate reporting (RUA) adoption stands at 54.3%, meaning 5,431 domains publish a `rua=` tag to receive daily authentication reports from major receivers. The remaining 824 DMARC-enabled domains lack visibility into their authentication failures.
Despite two years of enforcement pressure from major email providers, 37.5% of top domains still lack DMARC entirely. Of those with DMARC, 1 in 6 (16.5%) remain at monitoring-only policy (p=none), suggesting hesitation to move to enforcement due to legitimate sender configuration challenges.
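The enforcement and reporting measures used above can be derived from raw DMARC TXT records as sketched here. This is an added example, not code from DMARCguard's scanner; the function names and sample records are constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC record, or None if it is not one."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    # RFC 7489: the v=DMARC1 tag must come first.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def classify(txt):
    """Return (policy, has_rua); policy is None when receivers ignore the record."""
    tags = parse_dmarc(txt)
    if tags is None:
        return None, False
    uris = [u.strip().lower() for u in tags.get("rua", "").split(",")]
    has_rua = any(u.startswith("mailto:") and "@" in u for u in uris)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # RFC 7489 section 6.6.3: a bad or missing p= falls back to p=none
        # only when a usable rua= is present; otherwise the record is ignored.
        if not has_rua:
            return None, False
        policy = "none"
    return policy, has_rua

def summarize(records):
    """Tally adoption, enforcement and reporting over {domain: TXT-or-None}."""
    stats = {"total": len(records), "dmarc": 0, "enforcing": 0,
             "monitor_only": 0, "no_rua": 0}
    for txt in records.values():
        policy, has_rua = classify(txt or "")
        if policy is None:
            continue
        stats["dmarc"] += 1
        stats["enforcing" if policy in ("quarantine", "reject") else "monitor_only"] += 1
        stats["no_rua"] += not has_rua
    return stats

# Constructed sample records (not data from the study).
SAMPLE = {
    "a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@a.example",
    "b.example": "v=DMARC1; p=quarantine",
    "c.example": "v=DMARC1; p=none; rua=mailto:reports@c.example",
    "d.example": "v=DMARC1; p=rejct; rua=mailto:dmarc@d.example",  # typo in p=
    "e.example": "p=reject; v=DMARC1",                              # v= not first
    "f.example": None,                                              # no TXT record
}
```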
For step-by-step guidance on moving from p=none to p=reject, see our DMARC policy migration guide.
SPF (Sender Policy Framework, RFC 7208) shows the highest adoption rate at 67.6% (6,756 domains), exceeding both DMARC (62.5%) and DKIM (38.9%). SPF's relative simplicity — a single TXT record at the root domain — explains its widespread deployment.
However, 3.2% of SPF-enabled domains (322 domains) exceed RFC 7208's hard limit of 10 DNS lookups, triggering PermError failures. When SPF returns PermError, email authentication fails entirely, potentially causing DMARC failures if DKIM alignment is not present.
Organizations using Google Workspace (2 lookups) + Mailchimp (3 lookups) + HubSpot (3 lookups) + Zendesk (2 lookups) + Salesforce (3 lookups) total 13 DNS lookups — exceeding the limit by 30%.
| Email Service Provider | SPF Mechanism | DNS Lookups |
|---|---|---|
| Google Workspace | include:_spf.google.com | 2 |
| Mailchimp | include:servers.mcsv.net | 3 |
| HubSpot | include:_spf.hubspotemail.net | 3 |
| SendGrid | include:sendgrid.net | 2 |
| Amazon SES | include:amazonses.com | 1 |
| Zendesk | include:mail.zendesk.com | 2 |
| Salesforce | include:exacttarget.com | 3 |
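
The 13-lookup total above comes from walking every `include` and `redirect` recursively, which the following added example does over an offline zone map. It is not code from DMARCguard's scanner; the domain names and records are constructed, it ignores SPF macros, and it counts the worst case in which no earlier mechanism matches.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10  # RFC 7208 limit on DNS-querying terms per evaluation

def count_lookups(domain, zone, chain=()):
    """Worst-case count of DNS-querying terms reachable from domain's record."""
    if domain in chain:
        raise ValueError("SPF include loop: " + " -> ".join(chain + (domain,)))
    parts = zone.get(domain, "").split()
    if not parts or parts[0].lower() != "v=spf1":
        return 0  # no SPF record published at this name
    total = 0
    for term in parts[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name not in LOOKUP_TERMS:
            continue  # ip4, ip6, all and exp cost no lookup
        total += 1
        if name in ("include", "redirect"):
            target = re.split(r"[:=]", term, maxsplit=1)[1].lower()
            total += count_lookups(target, zone, chain + (domain,))
    return total

def spf_status(domain, zone):
    """Return ("permerror" | "ok", lookup_count) for the domain."""
    count = count_lookups(domain, zone)
    return ("permerror" if count > LOOKUP_LIMIT else "ok", count)

# Constructed zone data (hypothetical names, not real provider records).
ZONE = {
    "corp.example": "v=spf1 include:_spf.suite.example include:news.example "
                    "include:crm.example include:desk.example include:sales.example ~all",
    "_spf.suite.example": "v=spf1 include:_netblocks.suite.example ~all",
    "_netblocks.suite.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "news.example": "v=spf1 a mx ip4:198.51.100.0/24 ~all",
    "crm.example": "v=spf1 include:a.crm.example include:b.crm.example ~all",
    "a.crm.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "b.crm.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    "desk.example": "v=spf1 a:mail.desk.example ~all",
    "sales.example": "v=spf1 redirect=_spf.sales.example",
    "_spf.sales.example": "v=spf1 mx -all",
    # Consolidated variant: provider ranges published as ip4 terms.
    "flat.corp.example": "v=spf1 include:_spf.suite.example ip4:198.51.100.0/24 "
                         "ip4:203.0.113.0/24 ~all",
}
```
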
Additionally, 5.1% of domains have SPF but no DMARC (679 domains). SPF alone provides limited anti-spoofing protection because it only validates the envelope sender (Return-Path), not the From header visible to end users.
For solutions to SPF lookup limit violations, including subdomain splitting and IP address consolidation, read our guide on SPF 10-lookup limit fixes.
DKIM (DomainKeys Identified Mail, RFC 6376) shows the lowest adoption rate at 38.9% (3,886 domains) among the three core authentication protocols. DKIM adoption lags SPF (67.6%) by 28.7 percentage points and DMARC (62.5%) by 23.6 percentage points.
Why DKIM lags: DKIM requires cryptographic key pair generation, DNS publishing of the public key at `selector._domainkey.domain`, and mail server configuration to sign outbound messages with the private key. This multi-step process is significantly more complex than SPF's single TXT record.
DKIM adoption is likely underreported in this study. Our scanner checked common DKIM selectors (selector1, selector2, google, default, k1, s1) via DNS lookups, but cannot discover custom or rotated selectors without sending an email. Actual DKIM adoption may be 5-10 percentage points higher.
Common selectors detected include google._domainkey (Google Workspace), selector1._domainkey (Microsoft 365), and k1._domainkey (Mailchimp). No domains in our sample deployed DKIM-only configurations (DKIM without SPF or DMARC); DKIM is always paired with at least SPF.
Many domains rely solely on SPF alignment for DMARC pass, which is acceptable per RFC 7489 but provides less redundancy. If SPF fails due to email forwarding or IP changes, DKIM serves as the fallback authentication mechanism.
MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) shows only 1.8% adoption (179 domains) — 34x lower than DMARC (62.5%). MTA-STS enforces TLS encryption on SMTP connections, preventing downgrade attacks where adversaries strip STARTTLS to intercept email in transit.
Mode distribution:
mode=none
Why MTA-STS adoption is low: MTA-STS requires three components:
- A policy file served over HTTPS at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
- A DNS TXT record at _mta-sts.yourdomain.com with policy ID
- A valid TLS certificate for mta-sts.yourdomain.com
This infrastructure requirement is significantly more complex than DMARC, SPF, or DKIM (which only require DNS TXT records). Additionally, MTA-STS is backend-only security with no user-visible benefits, unlike BIMI (inbox logos), reducing organizational priority.
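A deployment check for the TXT record and the policy file has to confirm that they parse and that every MX host is covered by the policy, as in this added example. It is not DMARCguard's scanner code; the sample record, policy and host names are constructed, extension fields in the TXT record are not handled, and certificate validation is left out.

```python
import re

MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds
TXT_RE = re.compile(r"v=STSv1\s*;\s*id=[A-Za-z0-9]{1,32}\s*;?")

def parse_policy(text):
    """Parse the key: value lines of an mta-sts.txt policy file."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = (s.strip() for s in line.partition(":"))
        if sep and key == "mx":
            policy["mx"].append(value.lower())
        elif sep:
            policy[key] = value
    return policy

def mx_allowed(host, patterns):
    """True if host matches one of the policy's mx patterns."""
    host = host.rstrip(".").lower()
    for pattern in patterns:
        if pattern.startswith("*."):
            # The wildcard stands for exactly one left-most label.
            if host.split(".", 1)[1:] == [pattern[2:]]:
                return True
        elif host == pattern:
            return True
    return False

def check_mta_sts(txt_record, policy_text, mx_hosts):
    """Return a list of problems; an empty list means the pieces agree."""
    problems = []
    if not TXT_RE.fullmatch(txt_record.strip()):
        problems.append("TXT record is not 'v=STSv1; id=<token>'")
    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1":
        problems.append("policy version is not STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        problems.append(f"invalid mode: {mode!r}")
    max_age = policy.get("max_age", "")
    if not max_age.isdigit() or int(max_age) > MAX_AGE_LIMIT:
        problems.append(f"invalid max_age: {max_age!r}")
    if mode in ("enforce", "testing"):
        problems += [f"MX {h} not covered by policy" for h in mx_hosts
                     if not mx_allowed(h, policy["mx"])]
    return problems

# Constructed sample for example.com (not data from the study).
TXT = "v=STSv1; id=20260225T000000"
POLICY = ("version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\n"
          "mx: *.mx.example.com\r\nmax_age: 604800\r\n")
```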
Major email providers led adoption: Google deployed MTA-STS in 2019, Yahoo in 2020. The Electronic Frontier Foundation's STARTTLS Everywhere initiative promotes MTA-STS adoption, but uptake remains minimal among smaller organizations.
DMARCguard is one of the few email authentication platforms that monitors MTA-STS compliance. Most DMARC-only tools ignore transport security entirely.
For implementation guidance, see our MTA-STS setup guide.
BIMI (Brand Indicators for Message Identification) shows 7.5% adoption (748 domains) — 4x higher than MTA-STS (1.8%) despite being less critical for security. BIMI displays the sender's logo in recipient inboxes (Gmail, Yahoo, Apple Mail support), providing visible brand differentiation.
Of the 748 domains with BIMI records, 6.8% have valid SVG logos (677 domains) successfully validated via HTTP fetch. The remaining 0.7% (71 domains) have broken BIMI records — either 404 errors on the SVG URL or invalid image formats.
BIMI prerequisites per the BIMI Group specification:
All 748 BIMI-enabled domains in our sample have DMARC at p=quarantine or p=reject — receivers enforce this prerequisite strictly.
Why BIMI adoption exceeds MTA-STS: BIMI provides user-visible brand differentiation in crowded inboxes, driving marketing and brand team investment. Fortune 500 companies (Apple, Microsoft, PayPal) widely deploy BIMI. Financial services (banks, fintech) adopt BIMI as an anti-phishing trust signal.
In contrast, MTA-STS is backend-only transport security with no inbox visibility, making it harder to justify to non-technical stakeholders despite superior security benefits.
For implementation guidance, see our BIMI setup guide.
DANE (DNS-based Authentication of Named Entities, RFC 7672) shows zero adoption — not a single domain in our 10,000-domain sample publishes TLSA records for email (SMTP).
What is DANE: DANE uses DNSSEC-signed TLSA records to cryptographically verify TLS certificates, eliminating reliance on Certificate Authorities. DANE represents the "ideal" email security standard — no CA trust required, direct cryptographic verification of MX host certificates.
Why zero adoption:
_25._tcp.mx.domain, certificate hash rotation on renewal, DNSSEC key management.
DNSSEC adoption data from APNIC (2025) shows 13% global DNSSEC deployment, but our Tranco 10K sample (high-traffic domains) shows only 8.9% — suggesting DNSSEC adoption is even lower among smaller organizations.
For comparison, DANE for HTTPS (RFC 6698) also shows minimal adoption (~0.1% of Alexa 1M per research), but email DANE (RFC 7672) has even lower adoption due to the DNSSEC requirement plus lack of major receiver support.
MTA-STS (RFC 8461) solves the same transport security problem as DANE but without requiring DNSSEC. Despite low adoption (1.8%), MTA-STS is 100% more deployed than DANE (0.0%) and supported by all major email providers.
DANE represents a theoretical security improvement but a practical failure for email. The complexity barrier (DNSSEC + TLSA record management + minimal receiver support) prevents real-world deployment.
DMARCguard is the only DMARC platform that scans for DANE/TLSA records. Our data shows why: zero adoption. We monitor DANE to track potential future adoption as EU NIS2 regulations evolve.
Analyzing protocol combinations reveals how domains layer authentication mechanisms for defense in depth.
Of the 6,255 domains with DMARC, the breakdown by authentication mechanisms:
Most DMARC-enabled domains (61.1%) rely on SPF-only authentication, accepting the risk that email forwarding or IP changes will break authentication. DKIM provides redundancy but requires more complex configuration.
All 748 domains with BIMI records have DMARC at p=quarantine or p=reject. Receivers (Gmail, Yahoo) enforce this prerequisite strictly — BIMI will not display for domains at p=none.
Only 1.2% of domains (120 domains) deploy the complete email authentication stack: DMARC + SPF + DKIM + MTA-STS + BIMI (excluding DANE due to zero adoption).
32.4% of domains (3,244 domains) have NO email authentication whatsoever — no DMARC, SPF, DKIM, MTA-STS, or BIMI. These domains are fully vulnerable to spoofing, phishing, and BEC attacks.
| Configuration | Count | Percentage | Security Posture |
|---|---|---|---|
| Full stack (DMARC+SPF+DKIM+MTA-STS+BIMI) | 120 | 1.2% | Strongest |
| DMARC+SPF+DKIM | 2,313 | 23.1% | Strong |
| DMARC+SPF only | 3,822 | 38.2% | Moderate |
| SPF only (no DMARC) | 679 | 6.8% | Weak |
| No authentication | 3,244 | 32.4% | Vulnerable |
The data reveals a baseline adoption pattern: most organizations adopt DMARC + SPF as a minimum viable authentication setup (38.2%), while advanced protocols (MTA-STS, BIMI) remain niche. Full-stack deployment (1.2%) is rare even among high-traffic domains.
Note: Full sector analysis requires additional data sources (CISA .gov list, .edu zone files, Fortune 500 lists). This section previews findings based on manual identification within the Tranco 10K dataset.
Approximately 150 .gov domains were identified in the Tranco 10K sample:
Government domains show significantly higher adoption and enforcement rates compared to the overall sample, driven by regulatory mandates and centralized IT governance.
Approximately 80 .edu domains were identified in the Tranco 10K sample:
Education domains lag overall adoption, likely due to decentralized IT infrastructure and the alumni forwarding challenge.
Approximately 300 likely Fortune 500 domains were identified via Tranco ranks 1-500:
| Sector | DMARC Adoption | p=reject Enforcement | BIMI Adoption |
|---|---|---|---|
| Government (.gov) | ~85% | ~60% | ~3% |
| Education (.edu) | ~55% | ~20% | ~2% |
| Fortune 500 | ~70% | ~35% | ~15% |
| Overall (Tranco 10K) | 62.5% | 29.4% | 7.5% |
Estimated from manual identification within the Tranco 10K sample. Dedicated sector studies with authoritative source lists are planned for Q2 2026.
Coming in Q2 2026: Full sector deep-dives on government email security (CISA .gov list), education (.edu zones), and Fortune 500 adoption.
62.5% of the top 10,000 domains have a DMARC record as of February 2026 — 6,255 domains total. Of these, 46% enforce with quarantine or reject policies. See our full DMARC adoption analysis.
46.0% enforce policies that block spoofed emails (29.4% p=reject, 16.6% p=quarantine). The remaining 16.5% stay at monitoring-only. See DMARC enforcement details.
3.2% of SPF-enabled domains (322 of 10,000) exceed the RFC 7208 10-DNS-lookup limit, causing PermError failures. See our SPF analysis for common causes.
The DMARC enforcement rate is 46% — the share of DMARC-enabled domains using p=quarantine or p=reject. The remaining 54% lack DMARC or remain at p=none. See full breakdown.
MTA-STS adoption is only 1.8% because it requires HTTPS hosting, a DNS TXT record, and a valid TLS certificate — significantly more complex than DNS-only protocols. See our MTA-STS analysis.
BIMI adoption is 7.5% (748 domains), with 6.8% having valid SVG logos. BIMI requires DMARC enforcement as a prerequisite. See our BIMI analysis.
Zero domains in our 10,000-domain sample deploy DANE/TLSA records for email, due to the DNSSEC prerequisite and minimal receiver support. See our DANE analysis.
Email authentication adoption is accelerating, driven by Google and Yahoo's 2024 bulk sender mandates, but significant gaps remain in enforcement and advanced protocol deployment.
Key takeaways:
This is the baseline study for 2026. Quarterly re-scans will track adoption trends, protocol migration (p=none → p=reject), and sector-specific changes. Watch for Q2 2026 updates.
Plain text citation:
DMARCguard. (2026). State of Email Authentication 2026: Adoption Statistics for DMARC, SPF, DKIM, and Advanced Protocols. Retrieved from https://dmarcguard.io/research/email-authentication-2026/
BibTeX format:
@misc{dmarcguard2026,
title={State of Email Authentication 2026: Adoption Statistics for DMARC, SPF, DKIM, and Advanced Protocols},
author={DMARCguard Research Team},
year={2026},
month={February},
howpublished={\url{https://dmarcguard.io/research/email-authentication-2026/}},
note={Data collected February 25, 2026. Sample: 10,000 domains from Tranco Top Sites List.}
}
Learn more:
Full methodology details, data sources, and limitations are documented in the Methodology section above. Scanner source code available in the parse-dmarc open-source project.
The complete scanner results are available for download in CSV and JSON formats. No signup required — freely available for research and citation.