SPF Supply Chain 2026: Email Sender Market Share Across 5.5 Million Domains

Who Powers the World's Email? Provider Market Share by SPF Include

The concentration extends beyond the top two. The top five providers — Microsoft 365, Google Workspace, GoDaddy, websitewelcome.com, and Amazon SES — account for 44.8% of all SPF includes. Five organizations control nearly half the email authentication chain. The remaining 55.2% is distributed across hundreds of providers, from regional hosting companies to specialized transactional services.

Top 20 email providers by SPF include

The provider landscape splits into distinct categories. Email-hosting providers (Microsoft 365, Google Workspace, Zoho Mail, Yandex Mail) dominate in raw volume because they handle primary mailbox hosting — every domain with a Google Workspace SPF record likely routes all inbound and outbound email through Google. Transactional providers (Amazon SES, SendGrid, Mailgun, Mailchimp Transactional, Mailjet) appear as additional includes alongside a primary provider, handling automated emails like password resets, invoices, and notifications.

SPF includes by provider category

Percentages exceed 100% because domains include multiple providers across categories. A domain using both a Google Workspace SPF record for primary email and a SendGrid SPF record for transactional email counts in both “email-hosting” and “transactional.” The “other” category at 66.9% reflects the long tail: self-hosted mail servers, regional ISPs, hosting providers, and niche services not matched by our ~80-entry provider suffix registry.

The supply chain implications are direct. Two companies — Microsoft and Google — control 33% of the email authentication chain. A single SPF misconfiguration at either provider propagates to hundreds of thousands of domains. When Microsoft updates the IP ranges behind spf.protection.outlook.com, 603,854 domains inherit that change automatically. This is not a theoretical risk; it is the operational reality of a trust-delegation protocol.

The transactional tier tells a different story. Amazon SES (2.5%), SendGrid (2.3%), and Mailgun (2.2%) each appear in tens of thousands of SPF records because they serve as secondary senders alongside a primary mailbox provider. A SendGrid SPF record entry adds SendGrid's entire IP pool to the domain's authorized sender list — a trust decision that most operators make once and never revisit.

The pattern for Mailchimp SPF record usage shows an interesting split: Mailchimp appears twice in the top 20 — once as a marketing platform (58,736 domains, 1.9%) and once as Mailchimp Transactional (49,568 domains, 1.6%), reflecting the product's evolution from pure marketing into transactional email. HubSpot (1.6%), Zendesk (1.4%), and Salesforce (1.0%) round out the CRM and marketing layer.

The security category (2.6%) includes email filtering and gateway services like Barracuda, Mimecast, and Proofpoint. These providers appear as SPF includes because they route outbound email through their infrastructure for filtering before delivery.

Check your domain's SPF record to see which providers are in your supply chain.

SPF Adoption by Domain Rank: Google at the Top, Microsoft Everywhere Else

SPF adoption rate correlates with domain rank. The highest-traffic domains adopt SPF at higher rates and authorize more sending services.

Rank tier breakdown

The provider split across tiers tells a clear story. Google Workspace dominates the top-100K — the largest, highest-traffic, and typically most sophisticated domains. These are organizations with dedicated IT teams that chose Google's enterprise offering.

Microsoft 365 dominates from the top-1M onward, reflecting its broad penetration into small and medium businesses. The crossover happens between the top-100K and top-1M tiers.

SPF complexity decreases as rank drops. Top-1K domains average 2.3 includes per record, meaning the most popular domains authorize multiple sending services — a primary email provider plus transactional, marketing, and CRM platforms. Beyond 1M, the average drops to 1.2 includes.

This complexity gradient has practical implications. Higher-ranked domains with more includes are more likely to approach the 10-lookup limit defined in RFC 7208. They also maintain a larger supply chain — more providers to track, more trust relationships to audit, more potential points of failure.

The SPF adoption rate itself tells a story about organizational maturity. At 77.1% among the top-1K, nearly a quarter of the most-visited domains on the internet still do not publish an SPF record. Below the top-1M, adoption drops to 54.4%. More than 2 million domains in the long tail send email without any SPF protection.

148,655 Domains Exceed the SPF 10-Lookup Limit

148,655 domains — 4.8% of all SPF-enabled domains — exceed the SPF 10 lookup limit defined in RFC 7208 Section 4.6.4. These domains risk SPF PermError on every email they send.

The 10-lookup limit exists because SPF evaluation happens during the SMTP transaction. The receiving server must resolve the sender's SPF record in real time, and each include:, a:, mx:, and redirect: directive triggers a DNS lookup. RFC 7208 caps this at 10 to prevent SPF evaluation from becoming a denial-of-service vector against DNS infrastructure. ip4: and ip6: mechanisms do not count because they contain literal addresses — no DNS resolution required.

When a domain exceeds 10 lookups, SPF evaluation returns PermError. If the domain relies on SPF alignment for DMARC, the DMARC check fails as well — a silent cascading failure that most domain operators never detect until deliverability drops.

SPF complexity distribution

The majority of domains (67.5%) use 1-2 includes — typically a single email-hosting provider and possibly one transactional service. The risk concentrates in the 10.3% with 3-5 includes and especially the 1.3% with 6-9 includes. Domains with SPF include multiple providers approach the limit faster than operators expect, because the lookup count is recursive.

The average includes among over-limit domains is 2.7 — seemingly low, but this reinforces the recursive amplification problem. A domain with just 3 include: directives can exceed 10 lookups if those includes nest deeply. The count in the SPF record is not the count that matters; the total recursive resolution depth is.

SPF flattening resolves this by replacing include: directives with the resolved IP addresses, eliminating recursive lookups. But flattening introduces its own maintenance burden: IP ranges change, and stale records silently break authentication.

If your domain exceeds the SPF 10 lookup limit, you have two options. Flatten your SPF record to stay under the limit, or audit your sending services and remove providers you no longer use. See how to fix DMARC failures when the root cause is an SPF lookup limit violation.

SPF Policy Strictness: 53.6% Softfail, Only 40.2% Hardfail

Over half of SPF-enabled domains — 53.6% — use softfail (~all), a policy that marks unauthorized senders but still accepts their email. Only 40.2% enforce hardfail (-all), which instructs receiving servers to reject unauthorized senders outright.

All-qualifier distribution

RFC 7208 Section 8.4 designed softfail as a transitional mechanism. The intent was for domain operators to deploy ~all while identifying all legitimate sending sources, then switch to -all once the inventory was complete. The data shows that 53.6% of domains never completed that transition.

The practical difference matters. With ~all, a spoofed email from your domain reaches the recipient's inbox (possibly flagged, depending on the receiver's local policy). With -all, it gets rejected. In a world where 53.6% of domains use softfail, attackers know the odds are in their favor.

The 3,575 domains with +all deserve special mention. This qualifier tells receiving servers “accept email from anyone claiming to be us.” It is functionally equivalent to having no SPF record.

The SPF softfail vs hardfail gap has practical implications for DMARC enforcement as well. A domain with p=reject in its DMARC policy but ~all in its SPF record creates a contradictory signal: DMARC says reject unauthorized mail, but SPF says merely mark it. DMARC alignment resolves this (DKIM can compensate), but the inconsistency indicates incomplete policy configuration.

If your domain uses ~all, review your sending sources and move to -all once you have confirmed all legitimate senders are included. Generate a properly configured SPF record with hardfail enabled.

SPF Mechanism Usage: include Dominates at 32.3%

The include mechanism accounts for 32.3% of all mechanism occurrences across SPF records — the single most-used mechanism. This confirms that SPF is fundamentally a delegation protocol. Most domains do not send email from their own infrastructure. They delegate to third-party providers via include: directives.

Mechanism usage across 3,077,219 SPF-enabled domains

The “% of Domains” column exceeds 100% for include because domains use multiple include: directives per record. The average SPF record contains 1.25 include: mechanisms (3,838,536 total includes across 3,077,219 SPF-enabled domains).

ip6 adoption remains notably low at 2.8% of domains, despite continued growth in IPv6 deployment globally. Most email infrastructure still operates on IPv4.

The redirect modifier (2.0%) serves a different purpose than include:. Where include: adds a provider's IP ranges to the existing record, redirect replaces the entire SPF evaluation with another domain's record. It is commonly used by organizations that centralize SPF policy across multiple domains.

The 50 Most-Referenced SPF Include Domains on the Internet

The most common SPF include on the internet is spf.protection.outlook.com, appearing in 598,643 SPF records (19.5% of all SPF-enabled domains). _spf.google.com follows at 415,155 records (13.5%). Combined, nearly 1 in 3 SPF records references one of these two domains.

Notable patterns in the long tail: secureserver.net (GoDaddy) ranks third at 6.3%, reflecting GoDaddy's massive hosting customer base. amazonses.com (2.4%) and sendgrid.net (2.2%) represent the transactional email layer. servers.mcsv.net (Mailchimp, 1.9%) and spf.mandrillapp.com (Mailchimp Transactional, 1.6%) again show the Mailchimp product split.

Regional and niche providers reveal the geographic spread of the SPF supply chain. _spf.yandex.net (0.9%) serves primarily Russian-language domains. spf.mail.qq.com (0.3%) reflects Tencent's email presence in the Chinese market. spf.sender.xserver.jp (0.3%) is a Japanese hosting provider. The supply chain extends into regional infrastructure that most Western-focused analyses overlook.

Every one of these include domains represents a trust relationship — a third-party provider that can send email as the including domain. Each one is a node in the global SPF supply chain.

Frequently Asked Questions

Key Takeaways and What to Do Next

Five findings define the SPF supply chain in 2026:

1. Two providers dominate. Microsoft 365 (19.6%) and Google Workspace (13.6%) appear in one-third of all SPF records. SPF is a supply chain, and these are its largest nodes.
2. 148,655 domains risk PermError. 4.8% of SPF-enabled domains exceed the 10-lookup limit, causing silent SPF failures — and silent DMARC failures downstream.
3. 53.6% never completed the transition. Softfail (~all) was designed as a temporary state. More than half of domains still use it. Only 40.2% enforce hardfail (-all).
4. Deprecated mechanisms persist. The ptr mechanism, deprecated by RFC 7208 Section 5.5, still appears in 41,728 domains (1.4%).
5. Complexity scales with visibility. Top-1K domains average 2.3 includes per record. Beyond 1M, the average drops to 1.2.

Understanding your SPF supply chain — which providers you depend on, how many lookups they cost, and whether your policy enforces protection — is the first step toward reliable email authentication.

What to do next

• Audit your includes. Run the SPF checker to see every provider in your supply chain and your total lookup count.
• Stay under 10 lookups. If you exceed the limit, use the SPF flattener to collapse nested includes into flat IP ranges, or remove includes for services you no longer use.
• Move to hardfail. If your domain uses ~all, identify all legitimate senders and switch to -all. Use the SPF generator to build a properly configured record.
• Remove deprecated mechanisms. Replace any ptr mechanism with explicit ip4: or ip6: entries.
• Monitor continuously. SPF records change as providers update IP ranges and as teams add or remove sending services. Start monitoring your DMARC reports — free plan, no credit card.

This study establishes a baseline for longitudinal tracking of the SPF supply chain. Quarterly rescans will track provider market share shifts, lookup-limit violation trends, and the softfail-to-hardfail transition rate over time.

DMARCguard. (2026). SPF Supply Chain 2026: Email Sender Market Share Across 5.5 Million Domains. Retrieved from https://dmarcguard.io/research/spf-supply-chain-2026/

@misc{dmarcguard_spf2026,
  title={SPF Supply Chain 2026: Email Sender Market Share Across 5.5 Million Domains},
  author={DMARCguard Research Team},
  year={2026},
  month={March},
  howpublished={\url{https://dmarcguard.io/research/spf-supply-chain-2026/}},
  note={Data collected March 15, 2026. Sample: 5,499,028 domains from Tranco Top Sites List (full list). SPF-enabled: 3,077,219 (56.0\%).}
}