ShowMyIP Original Research
The State of Email Authentication 2026
How many domains actually protect themselves from spoofing? We measured the public SPF, DKIM and DMARC records of a list of well-known public domains and counted what is really deployed in the wild — not what the standards recommend.
of 288 well-known public domains publish a DMARC record — but only 67.7% enforce it at p=reject.
In other words, most domains that bother with DMARC still leave the door open: they monitor, but never actually block spoofed mail.
Adoption at a glance
Share of the 288 scanned domains that publish each record, measured on 2026-05-30.
What DMARC policy do domains actually set?
Of all 288 domains scanned, here is how their DMARC policy breaks down. p=none only monitors; p=quarantine sends failing mail to spam; p=reject blocks it outright.
Of the domains that publish DMARC at all, just 68.2% have advanced all the way to p=reject. The rest are stuck in monitoring or quarantine.
How strict is the SPF that domains publish?
Having an SPF record is not enough — the terminating all qualifier decides what happens to unauthorised senders. Share of all 288 domains:
What this means and why it matters
Email authentication is a three-legged stool. SPF says which servers may send for a domain, DKIM cryptographically signs the message, and DMARC ties the two together and tells receivers what to do when a message fails both. A domain is only meaningfully protected against spoofing when DMARC is published and set to enforce.
The data shows the familiar shape of a half-finished migration. SPF is nearly universal (99.7% of domains) because it is old and easy. DMARC adoption is healthy at 99.3% — but the leap from publishing DMARC to enforcing it is where most domains stall. Only 67.7% reach p=reject, which means a large share of domains are collecting reports while still letting forged mail through.
That gap is the single most actionable finding. Moving from p=none to p=quarantine and finally p=reject is the step that actually stops criminals from sending mail as you. If you publish DMARC, the most valuable thing you can do this quarter is review your aggregate reports and tighten the policy.
Methodology
Sample: 288 public domains, scanned on 2026-05-30 (UTC).
Domain list source: ShowMyIP curated list of well-known public domains across varied TLDs and sectors (bundled at custom/data/research/domains.txt).
How each domain was measured: Each domain in the list was measured with ShowMyIP's EmailHealthChecker, which reads only PUBLIC DNS records (MX, SPF TXT, DMARC TXT at _dmarc, and DKIM public keys under common selectors) via the system resolver. Only aggregate counts are retained; no per-domain result is stored or published. This is infrastructure measurement of public records — no user data is collected and no individuals are profiled.
Privacy: Only public domains were measured (public DNS infrastructure). No personal data was collected, stored, or published. Outside GDPR scope by construction.
- A domain is counted as having SPF when a v=spf1 TXT record is published. The "all" qualifier is read from that record: -all (hard fail), ~all (soft fail), ?all (neutral), +all (pass-all, dangerous), or none (no terminating all term).
- A domain is counted as having DMARC when a v=DMARC1 record exists at _dmarc.<domain>. The enforcement policy is read from its p= tag (reject/quarantine/none).
- DKIM selectors cannot be enumerated from DNS, so DKIM is counted as "detectable" only when a live public key is found under one of the common selectors used by the largest mail platforms. Real DKIM adoption is therefore at least this high; this is a conservative lower bound.
- Counts domains publishing SPF AND DMARC AND a detectable DKIM key.
Limitations. This is a sample of well-known, high-traffic public domains, not a random sample of the whole internet; large and well-resourced organisations are over-represented, so real-world authentication across all domains is likely lower than these figures, not higher. DKIM is reported as a conservative lower bound because selectors cannot be enumerated from DNS. The figures describe what was published in DNS at scan time and do not test whether mail actually flows or aligns.
Where does your domain sit in these numbers?
Run the free Domain Email Health Check to see your own SPF, DKIM and DMARC status, graded A+ to F, with the exact records to publish to close any gap.
Last reviewed May 2026 · Dataset: email-auth-2026-05.json
How this tool works: This tool runs in your browser and on our server in real time. Depending on the tool, results are computed directly from the input you provide or retrieved from live, authoritative data sources at the moment you run a lookup. We do not sell your data, and your lookups are kept private — any history shown here is stored only on your device.