Email Authentication 2026: DMARC Adoption Rate & SPF Statistics

DMARC adoption at 30.4% across 5.5 million domains. Original research study analyzing SPF, DKIM, MTA-STS, BIMI, and DANE adoption across the full Tranco list.

Executive Summary

As of February 2026, 30.4% of 5.5 million domains have adopted DMARC, but only 12.8% of all scanned domains enforce policies that protect against spoofing. Despite Google and Yahoo's authentication mandates implemented in 2024, 69.6% of domains remain vulnerable to email fraud.

This study analyzes email authentication adoption across 5,499,028 domains from the complete Tranco Top Sites List, covering six core protocols: DMARC, SPF, DKIM, MTA-STS, BIMI, and DANE/TLSA. Data was collected February 27, 2026, using DMARCguard's scanner.

Key Findings

30.4% DMARC Adoption
12.8% DMARC Enforcement
56.0% SPF Adoption
22.7% DKIM Adoption
2.7% SPF Over-Limit
0.0% DANE Adoption

According to the FBI IC3 2024 Annual Report, Business Email Compromise (BEC) losses reached $2.77 billion across 21,442 complaints. Email authentication protocols like DMARC reduce this attack surface by verifying sender identity before messages reach inboxes.

For actionable guidance on implementing these protocols, read our guide on how to fix DMARC failures.

Top 10K vs. Full Internet: The Adoption Gap

The top 10,000 highest-traffic domains show dramatically higher adoption than the broader internet. This gap reveals a two-tier email security landscape: well-resourced organizations at the top adopt authentication protocols at 2-3x the rate of the general domain population.

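| Protocol | Top 10K | Full 5.5M | Gap |
|---|---|---|---|
| DMARC | 62.5% | 30.4% | -32.1pp |
| SPF | 67.4% | 56.0% | -11.4pp |
| DKIM | 38.9% | 22.7% | -16.2pp |
| MTA-STS | 1.8% | 0.3% | -1.5pp |
| BIMI | 7.5% | 0.4% | -7.1pp |
| DANE | 0.0% | 0.0% | |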

Top 10K data from our initial scan of Tranco's highest-ranked domains. Full dataset covers 5,499,028 domains from the complete Tranco list. Both scans performed February 2026.

Methodology

Data Source

Tranco Top Sites List (Full list, February 2026). 5,499,028 domains scanned from the complete Tranco ranking. DNS queries via system resolver. Scan duration: approximately 15 hours with 50 concurrent workers and crash-recovery checkpointing.

Scanner Tool

DMARCguard's proprietary scanner performed live DNS and HTTPS-based protocol detection across six protocols:

  • DMARC (RFC 7489) — TXT lookup at _dmarc.<domain>
  • SPF (RFC 7208) — TXT lookup with full include/redirect flattening and 10-lookup limit tracking
  • DKIM (RFC 6376) — TXT probe of six common selectors (default, google, selector1, selector2, k1, dkim) at <selector>._domainkey.<domain>
  • MTA-STS (RFC 8461) — TXT lookup at _mta-sts.<domain> plus HTTPS policy fetch
  • BIMI — TXT lookup at default._bimi.<domain> with SVG Tiny PS validation
  • DANE/TLSA (RFC 7672) — TLSA record lookup at _25._tcp.<mx> with STARTTLS probe

Scans ran with 50 concurrent workers, 15-second per-domain timeout, and crash-recovery checkpointing.

Scan Date

Limitations

  • DKIM adoption underreported — scanner probes six common selectors only (default, google, selector1, selector2, k1, dkim); domains using custom or rotated selectors are missed
  • Subdomain policies not analyzed — only organizational-domain DMARC records are checked
  • DANE/TLSA detection uses DNS heuristics — Go standard library does not natively support TLSA record types; DNSSEC validation is not performed by the scanner
  • BIMI SVG validation checks SVG Tiny PS profile structure but does not verify VMC/CMC certificate chain trust anchors
  • Tranco ranking biased toward web traffic — low-traffic or newly registered domains may differ from this sample
  • No forensic report (RUF) analysis due to privacy concerns and low adoption

Cite This Research

DMARCguard. (2026). State of Email Authentication 2026: Adoption Statistics for DMARC, SPF, DKIM, and Advanced Protocols. https://dmarcguard.io/research/email-authentication-2026/

DMARC Adoption Rate and Enforcement

As defined in RFC 7489, DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to verify sender identity and provide policy enforcement. Our scan found 30.4% DMARC adoption (1,670,975 domains), but a critical enforcement gap persists.

DMARC Policy Distribution

None 967,474 (57.9%)
Quarantine 374,041 (22.4%)
Reject 327,959 (19.6%)

The enforcement rate — the share of all scanned domains using p=quarantine or p=reject — stands at 12.8% (702,000 of 5,499,028 domains). Among DMARC-enabled domains specifically, 42.0% enforce policies, while 57.9% (967,474 domains) remain at p=none (monitoring-only mode).

Industry analysis from EasyDMARC (2025) shows Fortune 500 DMARC adoption at 93.8%, with 62.7% at enforcement (p=quarantine or p=reject), driven by Google and Yahoo's February 2024 bulk sender requirements. Our full Tranco 5.5M sample (30.4%) captures the entire domain landscape beyond enterprises, providing the most representative cross-industry baseline.

Aggregate reporting (RUA) is configured on 53.5% of DMARC-enabled domains — 894,057 of 1,670,975 publish a rua= tag to receive daily authentication reports from major receivers. The remaining 776,918 DMARC-enabled domains lack visibility into their authentication failures.

Despite two years of enforcement pressure from major email providers, 69.6% of domains still lack DMARC entirely. Of those with DMARC, over half (57.9%) remain at monitoring-only policy (p=none), suggesting hesitation to move to enforcement due to legitimate sender configuration challenges.

Among the top 10,000 highest-traffic domains, DMARC adoption reaches 62.5% — more than double the full-internet rate of 30.4%, demonstrating the gap between well-resourced organizations and the broader web.

For step-by-step guidance on moving from p=none to p=reject, see our DMARC policy migration guide.
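
The buckets used in this section (no record, p=none, enforcement, rua= present) can be reproduced from raw TXT answers. The following is an added example, not DMARCguard's scanner code: the sample records are constructed for placeholder .example domains, and counting only a single valid record as "adopted" is an assumption about how the totals are built.

```python
import re

# A record counts only if its first tag is v=DMARC1 (RFC 7489).
VERSION_RE = re.compile(r"\s*[vV]\s*=\s*DMARC1\s*(;|$)")
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict; the first copy of a tag wins."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags


def classify_dmarc(txt_records):
    """Classify every TXT string returned for _dmarc.<domain>."""
    result = {"status": "no_record", "policy": None, "enforced": False, "has_rua": False}
    records = [r for r in txt_records if VERSION_RE.match(r)]
    if not records:
        return result
    if len(records) > 1:
        # More than one DMARC record: receivers apply no policy at all.
        result["status"] = "multiple_records"
        return result
    tags = parse_tags(records[0])
    policy = tags.get("p", "").lower()
    has_rua = "mailto:" in tags.get("rua", "").lower()
    if policy not in VALID_POLICIES:
        if not has_rua:
            result["status"] = "invalid_policy"
            return result
        policy = "none"  # RFC 7489 fallback: bad p= with a usable rua= acts as p=none
    result.update(status="ok", policy=policy, has_rua=has_rua,
                  enforced=policy in ("quarantine", "reject"))
    return result


def summarize(scan):
    """Count adoption and enforcement over {domain: [TXT strings]}."""
    postures = [classify_dmarc(records) for records in scan.values()]
    # Assumption: only a single valid record counts as "adopted".
    adopted = [p for p in postures if p["status"] == "ok"]
    enforced = [p for p in adopted if p["enforced"]]
    return {
        "scanned": len(postures),
        "adopted": len(adopted),
        "enforced": len(enforced),
        "with_rua": sum(p["has_rua"] for p in adopted),
        # Enforcement is quoted against both denominators in the text.
        "enforced_pct_of_scanned": round(100 * len(enforced) / len(postures), 1),
        "enforced_pct_of_adopted": round(100 * len(enforced) / len(adopted), 1) if adopted else 0.0,
    }


# Constructed sample answers (placeholder .example domains, not scan data).
SAMPLE = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=none"],
    "c.example": ["v=DMARC1; p=quarantine", "v=DMARC1; p=none"],
    "d.example": ["v=spf1 -all"],  # stray non-DMARC TXT at the _dmarc name
    "e.example": [],
    "f.example": ["v=DMARC1; p=quarantine; pct=100"],
}

if __name__ == "__main__":
    for domain, records in SAMPLE.items():
        print(domain, classify_dmarc(records))
    print(summarize(SAMPLE))
```

The two percentages returned by summarize() correspond to the two enforcement figures quoted above: one against all scanned domains, one against DMARC-enabled domains only.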

SPF Adoption Rate and the 10-Lookup Limit Challenge

SPF (Sender Policy Framework, RFC 7208) shows the highest adoption rate at 56.0% (3,077,219 domains), exceeding both DMARC (30.4%) and DKIM (22.7%). SPF's relative simplicity — a single TXT record at the root domain — explains its widespread deployment. For a deep dive into which providers domains depend on via SPF includes, see our SPF Supply Chain study.

However, 4.8% of SPF-enabled domains (148,655 of 3,077,219) exceed RFC 7208's hard limit of 10 DNS lookups, triggering PermError failures. When SPF returns PermError, the SPF check cannot produce a pass, so DMARC fails as well unless the message carries an aligned DKIM signature.

Common Cause: Multiple Third-Party Services

Organizations using Google Workspace (2 lookups) + Mailchimp (3 lookups) + HubSpot (3 lookups) + Zendesk (2 lookups) + Salesforce (3 lookups) total 13 DNS lookups — exceeding the limit by 30%.

| Email Service Provider | SPF Mechanism | DNS Lookups |
|---|---|---|
| Google Workspace | include:_spf.google.com | 2 |
| Mailchimp | include:servers.mcsv.net | 3 |
| HubSpot | include:_spf.hubspotemail.net | 3 |
| SendGrid | include:sendgrid.net | 2 |
| Amazon SES | include:amazonses.com | 1 |
| Zendesk | include:mail.zendesk.com | 2 |
| Salesforce | include:exacttarget.com | 3 |

Additionally, 28.8% of domains have SPF or DKIM but no DMARC (1,584,176 domains). SPF alone provides limited anti-spoofing protection because it only validates the envelope sender (Return-Path), not the From header visible to end users.

For solutions to SPF lookup limit violations, including subdomain splitting and IP address consolidation, read our guide on SPF 10-lookup limit fixes.
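
How five includes add up to 13 lookups is easiest to see by walking the record tree. The following is an added example, not DMARCguard's scanner code: it counts lookup-costing terms recursively over a constructed in-memory zone whose placeholder .example names are nested so that the five services cost 2, 3, 3, 2 and 3 lookups as in the scenario above. Real provider records are not reproduced, and macros in targets are not expanded.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
TERM_RE = re.compile(r"([A-Za-z0-9]+)([:=/]?)(.*)")


class SPFError(Exception):
    """A condition that makes SPF evaluation end in PermError."""


def count_spf_lookups(domain, zone, path=()):
    """Count the DNS-querying terms reachable from domain's SPF record."""
    domain = domain.rstrip(".").lower()
    if domain in path:
        raise SPFError(f"include/redirect loop at {domain}")
    record = zone.get(domain, "")
    if record.lower().split()[:1] != ["v=spf1"]:
        raise SPFError(f"no SPF record at {domain}")
    terms = [t.lstrip("+-~?") for t in record.split()[1:]]
    has_all = any(t.lower() == "all" for t in terms)
    total = 0
    for term in terms:
        match = TERM_RE.match(term)
        if not match:
            continue
        kind, sep, rest = match.groups()
        kind, target = kind.lower(), rest.split("/")[0]
        if kind == "include" and sep == ":":
            total += 1 + count_spf_lookups(target, zone, path + (domain,))
        elif kind == "redirect" and sep == "=":
            if not has_all:  # redirect is ignored when an "all" mechanism exists
                total += 1 + count_spf_lookups(target, zone, path + (domain,))
        elif kind in ("a", "mx", "ptr", "exists") and sep != "=":
            total += 1
    return total


def check_spf(domain, zone):
    """Return the lookup count and whether the record would end in PermError."""
    try:
        lookups = count_spf_lookups(domain, zone)
    except SPFError as exc:
        return {"lookups": None, "result": "permerror", "reason": str(exc)}
    if lookups > LOOKUP_LIMIT:
        reason = f"{lookups} lookups exceed the limit of {LOOKUP_LIMIT}"
        return {"lookups": lookups, "result": "permerror", "reason": reason}
    return {"lookups": lookups, "result": "ok", "reason": ""}


# Constructed zone (placeholder names); per-service costs are 2, 3, 3, 2, 3.
ZONE = {
    "corp.example": "v=spf1 include:workspace.example include:newsletter.example "
                    "include:crm.example include:helpdesk.example "
                    "include:marketing.example ~all",
    "workspace.example": "v=spf1 include:nb.workspace.example ~all",
    "nb.workspace.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "newsletter.example": "v=spf1 a mx ip4:198.51.100.0/24 ?all",
    "crm.example": "v=spf1 a exists:%{i}.bl.crm.example -all",
    "helpdesk.example": "v=spf1 mx ~all",
    "marketing.example": "v=spf1 a:out.marketing.example mx:mail.marketing.example/24 -all",
    "small.example": "v=spf1 mx include:workspace.example redirect=corp.example -all",
    "loop.example": "v=spf1 include:loop.example -all",
}

if __name__ == "__main__":
    for name in ("corp.example", "small.example", "loop.example"):
        print(name, check_spf(name, ZONE))
```

A receiver stops evaluating at the eleventh lookup; this counter keeps going so that the total overshoot is visible when planning which includes to consolidate.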

DKIM Adoption Rate

DKIM (DomainKeys Identified Mail, RFC 6376) shows the lowest adoption rate at 22.7% (1,249,750 domains) among the three core authentication protocols. DKIM adoption lags SPF (56.0%) by 33.3 percentage points and DMARC (30.4%) by 7.7 percentage points.

Adoption by protocol (chart): SPF 56.0%, DMARC 30.4%, DKIM 22.7%

Why DKIM lags: DKIM requires cryptographic key pair generation, DNS publishing of the public key at <selector>._domainkey.<domain>, and mail server configuration to sign outbound messages with the private key. This multi-step process is significantly more complex than SPF's single TXT record.

Methodology Note: DKIM Detection Limitations

DKIM adoption is likely underreported in this study. Our scanner checked common DKIM selectors (default, google, selector1, selector2, k1, dkim) via DNS lookups, but cannot discover custom or rotated selectors without sending an email. Actual DKIM adoption may be 5-10 percentage points higher.

Common selectors detected include google._domainkey (Google Workspace), selector1._domainkey (Microsoft 365), and k1._domainkey (Mailchimp). No domains in our sample deployed DKIM-only configurations (DKIM without SPF or DMARC) — DKIM is always paired with at least SPF.

Many domains rely solely on SPF alignment for DMARC pass, which is acceptable per RFC 7489 but provides less redundancy. If SPF fails due to email forwarding or IP changes, DKIM serves as the fallback authentication mechanism.

MTA-STS Adoption: Transport Layer Security for SMTP

MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) shows only 0.3% adoption (15,997 domains) — 101x lower than DMARC (30.4%). MTA-STS enforces TLS encryption on SMTP connections, preventing downgrade attacks where adversaries strip STARTTLS to intercept email in transit.

Mode distribution:

  • enforce: 0.17% (9,364 domains) — active protection against downgrade attacks
  • testing: 0.12% (6,383 domains) — monitoring mode, logs policy violations without blocking

Why MTA-STS adoption is low: MTA-STS requires three components:

  1. HTTPS hosting for the policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
  2. DNS TXT record at _mta-sts.yourdomain.com with policy ID
  3. Valid TLS certificate for mta-sts.yourdomain.com

This infrastructure requirement is significantly more complex than DMARC, SPF, or DKIM (which only require DNS TXT records). Additionally, MTA-STS is backend-only security with no user-visible benefits, unlike BIMI (inbox logos), reducing organizational priority.
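
The DNS record and the policy file have to agree with each other and with the domain's real MX hosts before enforce mode protects anything. The following is an added example, not DMARCguard's scanner code: it audits a TXT string, a policy body and an MX list offline, using constructed sample values, and leaves the HTTPS fetch and certificate validation out of scope.

```python
import re

# TXT record at _mta-sts.<domain>: version first, then an id of 1-32 alphanumerics.
TXT_RE = re.compile(r"^v=STSv1\s*;\s*id=([A-Za-z0-9]{1,32})\s*(;.*)?$")
MAX_AGE_LIMIT = 31557600  # upper bound for max_age in RFC 8461 (about one year)


def parse_policy(text):
    """Parse the 'key: value' lines of mta-sts.txt; mx may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy.setdefault(key, value)
    return policy


def mx_matches(host, pattern):
    """Exact match, or a '*.' pattern covering exactly one left-most label."""
    host = host.rstrip(".").lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def audit_mta_sts(txt_record, policy_text, mx_hosts):
    """Return the policy mode, the problems found, and whether enforce is effective."""
    problems = []
    if not TXT_RE.match(txt_record.strip()):
        problems.append("TXT record is not 'v=STSv1; id=<1-32 alphanumerics>'")
    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1":
        problems.append("policy version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        problems.append(f"invalid mode: {mode!r}")
    max_age = policy.get("max_age", "")
    if not max_age.isdecimal() or int(max_age) > MAX_AGE_LIMIT:
        problems.append(f"max_age must be an integer no greater than {MAX_AGE_LIMIT}")
    if mode != "none" and not policy["mx"]:
        problems.append("no mx patterns listed")
    for host in mx_hosts:
        if mode != "none" and policy["mx"] and not any(
                mx_matches(host, p) for p in policy["mx"]):
            problems.append(f"MX host {host} matches no mx pattern")
    return {"mode": mode, "protects": mode == "enforce" and not problems,
            "problems": problems}


# Constructed samples (placeholder domains and ids).
GOOD_TXT = "v=STSv1; id=20260227T000000"
GOOD_POLICY = ("version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\n"
               "mx: *.example.net\r\nmax_age: 604800\r\n")
WEAK_TXT = "v=STSv1; id=2026-02-27"  # hyphens are not allowed in the id
WEAK_POLICY = "version: STSv1\nmode: testing\nmx: *.example.net\nmax_age: 86400\n"

if __name__ == "__main__":
    print(audit_mta_sts(GOOD_TXT, GOOD_POLICY, ["mail.example.com.", "mx1.example.net"]))
    print(audit_mta_sts(WEAK_TXT, WEAK_POLICY, ["mx2.mail.example.net"]))
```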

Major email providers led adoption: Google deployed MTA-STS in April 2019, with Yahoo following subsequently. The Electronic Frontier Foundation's STARTTLS Everywhere initiative (2018–2020) helped push the ecosystem toward transport security before being wound down after STARTTLS encryption reached approximately 90% and MTA-STS matured as a standard.

DMARCguard Differentiator

DMARCguard is one of the few email authentication platforms that monitors MTA-STS compliance. Most DMARC-only tools ignore transport security entirely.

For implementation guidance, see our MTA-STS setup guide.

BIMI Adoption: Brand Indicators for Message Identification

BIMI (Brand Indicators for Message Identification) shows 0.4% adoption (20,518 domains) — 1.3x higher than MTA-STS (0.3%) despite being less critical for security. BIMI displays the sender's logo in recipient inboxes (Gmail, Yahoo, Apple Mail support), providing visible brand differentiation.

Of the 20,518 domains with BIMI records, 71.8% have valid SVG logos (14,739 domains) successfully validated via HTTP fetch. The remaining 5,779 domains (28.2% of BIMI-enabled) have broken BIMI records — either 404 errors on the SVG URL or invalid image formats.

BIMI prerequisites per the BIMI Group specification:

  • DMARC enforcement: p=quarantine or p=reject (p=none insufficient)
  • SVG logo: Tiny Portable/Secure (Tiny PS) profile, hosted at publicly accessible HTTPS URL
  • VMC (Verified Mark Certificate): Required by Gmail for logo display; optional for Yahoo/Apple Mail

BIMI requires DMARC at p=quarantine or p=reject as a prerequisite. Domains that have published BIMI records without meeting the enforcement prerequisite will not have their logos displayed by compliant receivers.

Why BIMI adoption exceeds MTA-STS: BIMI provides user-visible brand differentiation in crowded inboxes, driving marketing and brand team investment. Fortune 500 companies (Apple, Microsoft, PayPal) widely deploy BIMI. Financial services (banks, fintech) adopt BIMI as an anti-phishing trust signal.

In contrast, MTA-STS is backend-only transport security with no inbox visibility, making it harder to justify to non-technical stakeholders despite superior security benefits.

For implementation guidance, see our BIMI setup guide.

DANE/TLSA Adoption: Zero Adoption for Email Security

DANE (DNS-based Authentication of Named Entities, RFC 7672) shows near-zero adoption — only 30 domains in our 5.5 million-domain sample publish TLSA records for email (SMTP). Meanwhile, 46.9% of domains (2,581,479) support STARTTLS encryption on port 25.

What is DANE: DANE uses DNSSEC-signed TLSA records to cryptographically verify TLS certificates, eliminating reliance on Certificate Authorities. DANE represents the "ideal" email security standard — no CA trust required, direct cryptographic verification of MX host certificates.

Why zero adoption:

  1. DNSSEC prerequisite: DANE requires DNSSEC, which remains a significant deployment barrier. According to APNIC Labs, approximately 35% of DNS resolvers validate DNSSEC globally (largely driven by Google and Cloudflare public resolvers), but zone signing remains around 7%. Our scan found only 30 TLSA records for email across 5.5 million domains.
  2. Complex setup: Requires TLSA record per MX host at _25._tcp.mx.domain, certificate hash rotation on renewal, DNSSEC key management.
  3. Limited receiver support: Postfix, Exim, and Microsoft 365 (outbound since Q1 2022, inbound GA October 2024) verify DANE TLSA records for SMTP. Gmail and Yahoo do not support DANE for email.

The DNSSEC deployment gap explains DANE's absence: while resolver-side validation has reached approximately 35% globally (APNIC Labs, 2026), the authoritative-side zone signing required for DANE remains in single digits. Without DNSSEC-signed zones, DANE TLSA records cannot be validated — creating a chicken-and-egg problem for email deployment.

For comparison, DANE for HTTPS (RFC 6698) also shows negligible adoption — major browsers (Chrome, Firefox) never implemented DANE verification, making it effectively unused for web traffic. Email DANE (RFC 7672) faces the same DNSSEC barrier plus limited receiver support.

MTA-STS Emerged as the De Facto Standard

MTA-STS (RFC 8461) solves the same transport security problem as DANE but without requiring DNSSEC. Despite low adoption (0.3%), MTA-STS is the only transport security standard with measurable deployment and is supported by all major email providers.

DANE represents a theoretical security improvement but a practical failure for email. The complexity barrier (DNSSEC + TLSA record management + minimal receiver support) prevents real-world deployment.

DMARCguard Differentiator

DMARCguard is the only DMARC platform that scans for DANE/TLSA records. Our data shows why: near-zero adoption (30 domains out of 5.5 million). We monitor DANE to track potential future adoption as EU NIS2 regulations evolve.

Email Authentication Trends: Cross-Protocol Analysis

Analyzing protocol combinations reveals how domains layer authentication mechanisms for defense in depth.

DMARC Requires SPF or DKIM

Per RFC 7489, DMARC passes when at least one of SPF or DKIM produces an aligned identifier. Of the 1,670,975 domains with DMARC:

  • Both SPF and DKIM: 48.5% (810,525 domains) — strongest setup with redundant authentication
  • SPF only (no DKIM detected): 43.0% (718,876 domains) — relies solely on SPF alignment for DMARC pass
  • DKIM only (no SPF): 1.5% (25,109 domains) — valid per RFC 7489 but uncommon
  • Neither detected: 6.9% (114,525 domains) — DMARC record exists but no SPF or common DKIM selectors found

Over 43% of DMARC-enabled domains rely on SPF-only authentication, accepting the risk that email forwarding or IP changes will break authentication. DKIM provides redundancy but requires more complex configuration.

BIMI Enforcement Prerequisite

BIMI requires DMARC at p=quarantine or p=reject as a prerequisite. Receivers (Gmail, Yahoo) enforce this requirement strictly — BIMI logos will not display for domains that lack DMARC enforcement.

Full Stack Adoption

Only 0.04% of domains (1,940 domains) deploy the complete email authentication stack: DMARC + SPF + DKIM + MTA-STS + BIMI (excluding DANE due to near-zero adoption).

40.8% of domains (2,243,877 domains) have NO email authentication whatsoever — no DMARC, SPF, DKIM, MTA-STS, or BIMI. These domains are fully vulnerable to spoofing, phishing, and BEC attacks.

| Configuration | Count | Percentage | Security Posture |
|---|---|---|---|
| Full stack (DMARC+SPF+DKIM+MTA-STS+BIMI) | 1,940 | 0.04% | Strongest |
| DMARC+SPF+DKIM | 810,525 | 14.7% | Strong |
| DMARC+SPF only | 718,876 | 13.1% | Moderate |
| Other DMARC configurations | 139,634 | 2.5% | Moderate |
| SPF or DKIM only (no DMARC) | 1,584,176 | 28.8% | Weak |
| No authentication | 2,243,877 | 40.8% | Vulnerable |

The data reveals a stark reality: the largest single group (40.8%) has no email authentication at all. Among authenticated domains, SPF or DKIM without DMARC (28.8%) is the most common configuration. DMARC + SPF + DKIM (14.7%) and DMARC + SPF only (13.1%) follow. Advanced protocols (MTA-STS, BIMI) remain niche — full-stack deployment (0.04%) is exceptionally rare.

Domain Distribution by TLD

Our scan covers 1,321 unique TLDs. The following breakdown uses actual per-domain scan results — no estimates or approximations.

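| TLD | Domains | DMARC | SPF | DKIM |
|---|---|---|---|---|
| .com | 3,008,323 (54.7%) | 30.0% | 58.7% | 24.7% |
| .net | 275,199 (5.0%) | 25.0% | 55.4% | 20.9% |
| .ru | 211,251 (3.8%) | 18.9% | 47.8% | 8.9% |
| .org | 144,489 (2.6%) | 40.6% | 59.4% | 30.1% |
| .de | 136,207 (2.5%) | 38.6% | 76.8% | 16.2% |
| .uk | 79,218 (1.4%) | 47.1% | 62.8% | 31.5% |
| .io | 27,220 (0.5%) | 44.9% | 58.0% | 28.3% |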

Government and Education Domains

Government and education TLDs show markedly different adoption patterns from the general domain population:

  • .gov domains (3,746 domains): 76.4% DMARC adoption with 1,225 at p=reject — driven by CISA BOD 18-01 mandate requirements
  • .edu domains (4,332 domains): 84.0% DMARC adoption with 761 at p=reject — higher adoption than the general population, though enforcement lags due to alumni email forwarding challenges

Both .gov (76.4%) and .edu (84.0%) significantly outperform the overall DMARC adoption rate of 30.4%, demonstrating the impact of regulatory mandates and institutional IT governance on email security deployment.

Frequently Asked Questions

How many domains have DMARC?

30.4% of 5.5 million domains have a DMARC record as of February 2026 — 1,670,975 domains total. Of these, 42.0% enforce with quarantine or reject policies. See our full DMARC adoption analysis.

What percentage of domains with DMARC enforce protection?

12.8% of 5.5 million domains (702,000 domains) enforce DMARC policies (6.0% p=reject, 6.8% p=quarantine). Among DMARC-enabled domains, the enforcement rate is 42.0%. See DMARC enforcement details.

How many domains exceed the SPF 10-lookup limit?

4.8% of SPF-enabled domains (148,655 of 3,077,219) exceed the RFC 7208 10-DNS-lookup limit, causing PermError failures. See our SPF analysis for common causes.

What is DMARC enforcement rate?

The DMARC enforcement rate is 12.8% of all scanned domains (42.0% of DMARC-enabled domains) using p=quarantine or p=reject. See full breakdown.

Why is MTA-STS adoption so low?

MTA-STS adoption is only 0.3% (15,997 of 5.5 million domains) because it requires HTTPS hosting, a DNS TXT record, and a valid TLS certificate — significantly more complex than DNS-only protocols. See our MTA-STS analysis.

What is BIMI adoption rate in 2026?

BIMI adoption is 0.4% (20,518 domains), with 14,739 having valid SVG logos (71.8% of BIMI-enabled). BIMI requires DMARC enforcement as a prerequisite. See our BIMI analysis.

Why is DANE adoption near zero for email?

Only 30 domains in our 5.5 million-domain study deploy DANE/TLSA records for email, due to the DNSSEC prerequisite and limited receiver support. See our DANE analysis.

How often do DMARC reports get sent?

DMARC aggregate reports (RUA) are sent daily by receiving mail servers like Gmail, Outlook, and Yahoo. Each report covers a 24-hour period. Forensic reports (RUF) are sent per-message but have very low adoption. In our scan, 53.5% of DMARC-enabled domains (894,057 of 1,670,975) have a rua= tag configured. See DMARC reporting details.

How many companies use DMARC?

30.4% of 5.5 million domains have DMARC as of February 2026. Among Fortune 500 companies, adoption reaches 93.8% (EasyDMARC, 2025). However, only 12.8% of all domains enforce protection with p=quarantine or p=reject. See our full adoption breakdown.

How many DMARC records can a domain have?

Exactly one. Per RFC 7489, a domain must publish a single DMARC TXT record at _dmarc.yourdomain.com. Multiple records cause ambiguity — receivers apply no policy, effectively disabling DMARC. Each subdomain can have its own separate record, but only one per domain is allowed.

Conclusion

Email authentication adoption is accelerating, driven by Google and Yahoo's 2024 bulk sender mandates, but significant gaps remain in enforcement and advanced protocol deployment.

Key takeaways:

  • DMARC adoption (30.4%) is growing, but 69.6% of domains remain unprotected
  • Enforcement is critical — only 12.8% of domains actively block spoofed emails with p=quarantine or p=reject
  • SPF is most widely adopted (56.0%), but 4.8% of SPF-enabled domains risk PermError from 10-lookup limit violations
  • DKIM lags (22.7%) due to configuration complexity (key pairs, DNS publishing, mail server integration)
  • Advanced protocols remain niche — MTA-STS 0.3%, BIMI 0.4%, DANE 0.0%
  • Full-stack adoption (DMARC+SPF+DKIM+MTA-STS+BIMI) is only 0.04% of domains

This is the baseline study for 2026. Quarterly re-scans will track adoption trends, protocol migration (p=none → p=reject), and sector-specific changes. Watch for Q2 2026 updates.

References & Sources

  1. Tranco Top Sites List — Domain ranking methodology. tranco-list.eu
  2. FBI Internet Crime Complaint Center (IC3) — 2024 IC3 Annual Report: BEC losses of $2.77 billion across 21,442 complaints. ic3.gov
  3. CISA BOD 18-01 — Binding Operational Directive 18-01: Enhance Email and Web Security (October 16, 2017; deadline October 16, 2018). cisa.gov
  4. EasyDMARC — DMARC Adoption Across Fortune 500 and Inc. 5000 (2025): 93.8% F500 adoption, 62.7% enforcement. easydmarc.com
  5. APNIC Labs — DNSSEC deployment statistics: approximately 35% resolver validation globally, ~7% zone signing. stats.labs.apnic.net
  6. Microsoft — Inbound SMTP DANE with DNSSEC for Exchange Online, GA October 2024. techcommunity.microsoft.com
  7. Google Workspace Updates — MTA-STS support for Gmail (April 2019). workspaceupdates.googleblog.com
  8. EFF — Winding Down the STARTTLS Everywhere Project and the Future of Secure Email (April 2020). eff.org

Cite This Research

Plain text citation:

DMARCguard. (2026). State of Email Authentication 2026: Adoption Statistics for DMARC, SPF, DKIM, and Advanced Protocols. Retrieved from https://dmarcguard.io/research/email-authentication-2026/

BibTeX format:

@misc{dmarcguard2026,
  title={State of Email Authentication 2026: Adoption Statistics for DMARC, SPF, DKIM, and Advanced Protocols},
  author={DMARCguard Research Team},
  year={2026},
  month={February},
  howpublished={\url{https://dmarcguard.io/research/email-authentication-2026/}},
  note={Data collected February 27, 2026. Sample: 5,499,028 domains from Tranco Top Sites List (full list).}
}

Full methodology details, data sources, and limitations are documented in the Methodology section above. The scanner is a proprietary tool built by DMARCguard that performs live DNS and HTTPS-based protocol detection across DMARC, SPF, DKIM, MTA-STS, BIMI, and DANE/TLSA.

Download the Dataset

Freely available for research and citation — no signup required.

Full Dataset

Complete scan results for all 5,499,028 domains — every protocol, every record.

CSV (gzip) · 242 MB

Top 10K Sample

Highest-ranked domains only — ideal for quick analysis.

CSV · 3 MB

Aggregate Stats

Summary metrics across all 5.5M domains — protocol totals, rates, breakdowns.

JSON · 2 KB

PDF Report

Formatted report with charts and key findings.

Coming soon
