Posts tagged "spf"

2 posts found.

June 25, 2026 20 min read

Your Mailbox Provider Is Your Security Policy: Email Authentication, Re-Cut by Who Runs the Mail

We crossed two full-corpus DNS censuses of the same May 2026 crawl — the MX layer that names who runs each domain's mail, and the SPF/DMARC/MTA-STS/BIMI layer that says whether that mail is authenticated. Across 149.8 million mail-capable apex domains, email-authentication posture turns out to be inherited from the provider, not chosen by the owner: security gateways and Microsoft 365 run the credible anti-spoofing stack on 17–19% of their domains, while the four largest registrar-bundled hosts — IONOS, Hostinger, Namecheap, OVH — run it on under 1.2%, and the largest email category on the Internet stops spoofing on just 3.5% of its 46.7 million domains. The 9% that actually resist spoofing are not spread across the Internet; they cluster behind a handful of operators.

May 29, 2026 18 min read

A State of TXT: 150 Million Mail Domains, and Why Only 9% Actually Stop Spoofing

We queried the email-authentication TXT layer directly — _dmarc, _mta-sts, default._bimi, and apex SPF — across a May 2026 DNS crawl, using MX records as the denominator. Of 150,020,997 mail-capable apex domains, 71.3% publish SPF, 34.1% publish DMARC, but only 11.7% enforce DMARC and just 9.0% run the minimum credible SPF-plus-enforced-DMARC stack. Two-thirds of DMARC records sit at p=none. MTA-STS reaches 0.144% and BIMI 0.084%. And 45.7% of all DMARC reports flow to a single registrar's default configuration. This is the state of email authentication, measured from the records themselves.