Posts tagged "security"

3 posts found.

June 25, 2026 20 min read

Your Mailbox Provider Is Your Security Policy: Email Authentication, Re-Cut by Who Runs the Mail

We crossed two full-corpus DNS censuses of the same May 2026 crawl — the MX layer that names who runs each domain's mail, and the SPF/DMARC/MTA-STS/BIMI layer that says whether that mail is authenticated. Across 149.8 million mail-capable apex domains, email-authentication posture turns out to be inherited from the provider, not chosen by the owner: security gateways and Microsoft 365 run the credible anti-spoofing stack on 17–19% of their domains, while the four largest registrar-bundled hosts — IONOS, Hostinger, Namecheap, OVH — run it on under 1.2%, and the largest email category on the Internet stops spoofing on just 3.5% of its 46.7 million domains. The 9% that actually resist spoofing are not spread across the Internet; they cluster behind a handful of operators.

June 24, 2026 15 min read

.ai After the Gold Rush: 94% Resolve, Half Show No Real Use, and 9% Are For Sale

A follow-up to our .ai gold-rush analysis. We measured what a million .ai domains actually do — using our June 2026 typed-DNS crawl of 1,013,951 registrable roots across A, MX, NS, and TXT records. 94.3% resolve, but only 48.5% show any real-use signal and 20.4% carry a SaaS verification token; meanwhile ~9% sit on for-sale nameservers, startup adoption keeps climbing (YC cohorts ~23%→32%), and .ai is measurably one of the cleanest fast-growing TLDs for abuse.

May 29, 2026 18 min read

A State of TXT: 150 Million Mail Domains, and Why Only 9% Actually Stop Spoofing

We queried the email-authentication TXT layer directly — _dmarc, _mta-sts, default._bimi, and apex SPF — across a May 2026 DNS crawl, using MX records as the denominator. Of 150,020,997 mail-capable apex domains, 71.3% publish SPF, 34.1% publish DMARC, but only 11.7% enforce DMARC and just 9.0% run the minimum credible SPF-plus-enforced-DMARC stack. Two-thirds of DMARC records sit at p=none. MTA-STS reaches 0.144% and BIMI 0.084%. And 45.7% of all DMARC reports flow to a single registrar's default configuration. This is the state of email authentication, measured from the records themselves.