iPGaze Research · June 2026
Email Authentication Adoption Among the Top 116 Domains
We checked SPF and DMARC records across 116 of the most popular domains on the web. The headline: adoption is high, but enforcement lags. 96.6% publish an SPF record and 95.7% have a DMARC record — yet only 71.6% enforce the strict p=reject policy, and more than 1 in 10 do not enforce DMARC at all.
Adoption: SPF vs. DMARC
Nearly every major domain now publishes SPF and DMARC — the result of years of pressure from mailbox providers, capped by Gmail and Yahoo's 2024 requirement that bulk senders authenticate. SPF and DMARC are effectively table stakes for this tier of domain.
The enforcement gap
A DMARC record is only as useful as its policy. p=none merely monitors — it tells you about spoofing but does nothing to stop it. Only p=quarantine and p=reject actually protect recipients. Here is how the 111 domains with a DMARC record split by policy:
Adding the 5 domains with no DMARC record at all, more than 1 in 10 of these highly resourced domains still leave a door open to exact-domain spoofing. If the most sophisticated domains on the internet have this gap, the long tail of smaller domains is far more exposed.
Why it matters
Domains stuck at p=none, or with no DMARC at all, can be spoofed: an attacker can send mail that appears to come from that exact domain, which is the basis of many phishing and business-email-compromise attacks. Moving to enforcement is what actually closes that door — and it also improves deliverability, since receivers trust authenticated senders more.
The usual path is to start at p=none to collect reports, confirm all legitimate mail passes SPF and DKIM with alignment, then step up to p=quarantine and finally p=reject. The data suggests many domains complete the first step and then stall.
Check your own domain
Run these free checks on any domain to see where it stands:
Methodology
In June 2026 we queried the DNS TXT records of 116 popular domains. A domain was counted as having SPF if its root TXT records included a v=spf1 record, and as having DMARC if a v=DMARC1 record existed at _dmarc.<domain>. The DMARC policy was read from the record's p= tag. This sample is drawn from high-traffic, well-resourced domains, so it represents a best case — adoption across the broader web is lower. Figures are a point-in-time snapshot and may change as domains update their records.
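The classification rules above, written out as an added Python example (not iPGaze's own tooling) that runs on TXT strings you have already fetched. It goes slightly beyond the stated methodology by flagging two cases where a record exists but cannot enforce anything: more than one v=DMARC1 record (receivers following RFC 7489 then apply no policy) and a missing or unknown p= value. The domains, records and function names are constructed for illustration.

```python
# Added example, not iPGaze's tooling. All domains and records are constructed.
SAMPLES = {  # domain -> (root TXT strings, TXT strings at _dmarc.<domain>)
    "enforced.example": (["v=spf1 include:_spf.enforced.example -all",
                          "site-verification=constructed"],
                         ["v=DMARC1; p=REJECT; rua=mailto:dmarc@enforced.example"]),
    "monitor.example": (["v=spf1 -all"], ["v=DMARC1; p=none;"]),
    "bare.example": (["site-verification=constructed"], []),
    "dupe.example": (["v=spf1 -all"], ["v=DMARC1; p=reject", "v=DMARC1; p=none"]),
}

def has_spf(root_txt):
    """True if any root TXT record starts with the SPF version term 'v=spf1'."""
    for rec in root_txt:
        r = rec.strip().lower()
        # 'v=spf1' must be the whole first term, so 'v=spf10 ...' does not count.
        if r == "v=spf1" or r.startswith("v=spf1 "):
            return True
    return False

def parse_dmarc(record):
    """Split a DMARC record into a tag dict; None unless v=DMARC1 is the first tag."""
    pairs = [p.split("=", 1) for p in record.split(";") if "=" in p]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):  # the version value is case-sensitive
        return None
    return dict(tags)

def dmarc_policy(dmarc_txt):
    """Return 'reject', 'quarantine', 'none', 'missing' or 'invalid'."""
    parsed = [t for t in map(parse_dmarc, dmarc_txt) if t is not None]
    if not parsed:
        return "missing"
    if len(parsed) > 1:  # assumption from RFC 7489: multiple records, no policy applied
        return "invalid"
    policy = parsed[0].get("p", "").lower()
    return policy if policy in ("reject", "quarantine", "none") else "invalid"

def classify(root_txt, dmarc_txt):
    """Apply the study's counting rules and add an 'enforced' flag."""
    policy = dmarc_policy(dmarc_txt)
    return {"spf": has_spf(root_txt), "dmarc": policy != "missing",
            "policy": policy, "enforced": policy in ("reject", "quarantine")}

if __name__ == "__main__":
    for domain, (root_txt, dmarc_txt) in SAMPLES.items():
        print(domain, classify(root_txt, dmarc_txt))
```

To use it on a real domain, pass in the TXT strings returned by your resolver for the domain root and for _dmarc.<domain>.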
Found this useful? You're free to cite or reference these figures with a link to this page.