Key findings
- 0.7% Run the full modern stack
SPF + DMARC enforced + MTA-STS + TLS-RPT + BIMI, together — across all 8,907 resolved domains.
- 68.2% Publish a DMARC record
Up from a bare majority a few years ago — but adoption isn't the same as protection.
- 1 in 4 DMARC adopters still at p=none
25% of domains with a DMARC record are monitor-only — visibility without enforcement.
- 2.6% Publish an MTA-STS record
The transport-security layer almost nobody has heard of, let alone deployed.
- 9.5% Publish a BIMI record
Brand logos in the inbox remain a small-minority feature, even among enforced domains.
- 3.3x DMARC-adoption gap by host
Managed mailbox providers hit 87.5–95.5% adoption; self-managed mail servers sit at 28.7%.
The enforcement gap
68.2% of the domains we scanned publish a DMARC record, a healthy majority. But a DMARC record alone doesn't stop spoofed mail; only the p= tag tells receivers what to do with messages that fail authentication. Split the same population by policy and the picture changes:
- 31.8% No DMARC record
- 17.4% p=none (monitor only)
- 18.3% p=quarantine
- 31.6% p=reject
- 0.9% Malformed / typo'd policy
Reframed as a share of adopters only: about 25% of domains with a DMARC record are still sitting at p=none, publishing the record and collecting reports but taking no action on failing mail. Roughly 73% enforce, at quarantine or reject, and the last 1% or so publish a policy value that doesn't parse at all.
Reporting completeness tells a parallel story: 85.6% of adopters have an rua= address configured, so most domains that publish DMARC are at least watching their mail flow. Far fewer — 23.9% — set an explicit sp= subdomain policy, leaving most subdomains to inherit whatever the organizational policy happens to be.
SPF tells a similar quality story one layer down: 76% of domains publish an SPF record, and of those, 50.1% end with the hard-fail -all qualifier versus 44.5% on the softer ~all. A small 0.7% publish more than one v=spf1 record, a configuration error that makes the check return a permanent error instead of any usable result (RFC 7208 §4.5 allows exactly one record; two means no SPF result at all).
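As an added example, not DDMARC's checker or any code from this report, here is how the buckets above can be computed from raw TXT records, including the sp= inheritance rule, the p=none-versus-enforce split as a share of adopters, and the multiple-SPF-record case. The sample records are constructed; the RFC references in the comments are to RFC 7489 (DMARC) and RFC 7208 (SPF).

```python
"""Classify DMARC and SPF TXT records into the buckets this report uses.

Added example for this page, not DDMARC's checker. It works on record strings
already fetched from DNS, so it runs offline; SAMPLE is constructed, not scan data.
"""
from collections import Counter
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
ENFORCING = {"quarantine", "reject"}


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DMARC record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(txt_records: list) -> dict:
    """Bucket the TXT answers at _dmarc.<domain>: none / monitor / enforce / malformed.
    (RFC 7489 s6.6.3 lets receivers treat a bad p= with a usable rua= as p=none;
    the report counts such records as malformed instead, and so does this.)"""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return {"bucket": "none"}
    if len(dmarc) > 1:  # RFC 7489 s6.6.3: more than one record means no policy at all
        return {"bucket": "malformed", "reason": "multiple DMARC records"}
    tags = parse_tags(dmarc[0])
    p = tags.get("p", "").lower()
    if p not in VALID_POLICIES:
        return {"bucket": "malformed", "reason": f"p={p!r}"}
    sp = tags.get("sp", "").lower()
    return {
        "bucket": "enforce" if p in ENFORCING else "monitor",
        "p": p,
        "sp_explicit": "sp" in tags,
        "effective_sp": sp if sp in VALID_POLICIES else p,  # missing sp= inherits p=
        "has_rua": tags.get("rua", "").lower().startswith("mailto:"),
    }


# Terms that cost a DNS lookup; RFC 7208 s4.6.4 caps them at 10 per evaluation
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:)|^redirect=", re.I)
ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.I)


def classify_spf(txt_records: list) -> dict:
    """Bucket the root-domain TXT answers: none / permerror / present (+ all qualifier)."""
    spf = [r for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return {"bucket": "none"}
    if len(spf) > 1:  # RFC 7208 s4.5: two v=spf1 records -> permerror, no usable result
        return {"bucket": "permerror", "reason": "multiple SPF records"}
    terms = spf[0].split()[1:]
    qualifier = "?"  # no 'all' term at all: the default result is neutral (s4.7)
    for term in terms:
        m = ALL_TERM.match(term)
        if m:
            qualifier = m.group(1) or "+"
            break  # terms after 'all' are never evaluated
    return {
        "bucket": "present",
        "all": qualifier,
        # top-level count only; a real evaluator also counts inside each include
        "lookup_terms": sum(1 for t in terms if LOOKUP_TERM.match(t)),
    }


def summarize(scan: dict) -> dict:
    """The report's split: record share overall, then buckets as a share of adopters."""
    buckets = Counter(classify_dmarc(dmarc)["bucket"] for dmarc, _spf in scan.values())
    total = len(scan)
    adopters = total - buckets["none"]

    def pct(n, d):
        return round(100.0 * n / d, 1) if d else 0.0

    return {
        "dmarc_record_pct": pct(adopters, total),
        "p_none_share_of_adopters": pct(buckets["monitor"], adopters),
        "enforce_share_of_adopters": pct(buckets["enforce"], adopters),
    }


# Constructed sample, (dmarc TXT answers, root TXT answers): one domain per bucket
SAMPLE = {
    "enforced.example": (["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"], ["v=spf1 include:_spf.example.net -all"]),
    "sub.example": (["v=DMARC1; p=quarantine; sp=none; pct=50"], ["v=spf1 ip4:203.0.113.0/24 ~all"]),
    "monitor.example": (["v=DMARC1; p=none; rua=mailto:agg@monitor.example"], ["v=spf1 mx a include:_spf.example.net ~all"]),
    "typo.example": (["v=DMARC1; p=rejct; rua=mailto:x@typo.example"], ["v=spf1 mx -all", "v=spf1 a -all"]),
    "bare.example": ([], ["v=spf1 a mx"]),
}

if __name__ == "__main__":
    for name, (dmarc, spf) in SAMPLE.items():
        print(name, classify_dmarc(dmarc), classify_spf(spf))
    print(summarize(SAMPLE))
```

Feed it the TXT answers a resolver returns (each record already joined from its character-strings) and the output reproduces the four-way split above; the `lookup_terms` count is the quick sanity check for the separate 10-lookup limit that breaks SPF just as thoroughly as a second record does.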
The forgotten layers
SPF and DMARC get almost all the attention — they're older, better-known, and Google/Yahoo's 2024 bulk-sender rules put them on every mailbox admin's radar. Three newer layers close real gaps that SPF/DKIM/DMARC don't touch, and adoption for all three is still near zero:
- MTA-STS (2.6% adoption) lets a receiving domain declare that sending MTAs must use TLS with a valid certificate when delivering to its listed MX hosts, closing the STARTTLS-stripping and MX-rerouting window that opportunistic TLS leaves open. Of the domains that publish it, 53% run in enforce mode rather than testing.
- TLS-RPT (3% adoption) reports on TLS delivery failures — the visibility layer that makes MTA-STS safe to turn on without flying blind.
- BIMI (9.5% adoption) displays a verified brand logo in the inbox — a deliverability and trust signal, and the only one of the three with a direct end-user-visible payoff.
Placed on the same scale as SPF and DMARC, the drop-off is stark:
0.7% of scanned domains run every layer at once — SPF present, DMARC enforced, MTA-STS, TLS-RPT, and BIMI, together. That's the headline number for this edition: the modern email security stack, in its complete form, is close to nonexistent even among domains that have already done the harder work of enforcing DMARC.
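What enforce versus testing means in practice, and why TLS-RPT makes the switch safe, is easiest to see from the sending side. The following is an added example, not DDMARC code or any MTA's implementation: it parses an MTA-STS TXT record and policy body (the policy location, field names and single-label wildcard rule are from RFC 8461) and shows the delivery decision a policy-aware sender makes for each MX host. The record, policy and hostnames are constructed, and the failure labels are this example's own rather than the RFC 8460 report vocabulary.

```python
"""Evaluate an MTA-STS policy the way a sending MTA does (RFC 8461).

Added example for this page, not DDMARC code or any MTA's implementation. The
TXT record, policy body and MX names below are constructed.
"""
VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # one year, the largest max_age RFC 8461 allows


def parse_sts_record(txt: str) -> dict:
    """Parse the _mta-sts.<domain> TXT record ('v=STSv1; id=...;').
    A changed id is what tells senders to refetch the HTTPS policy."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "STSv1" or not tags.get("id"):
        raise ValueError(f"not a valid MTA-STS record: {txt!r}")
    return {"id": tags["id"]}


def parse_policy(body: str) -> dict:
    """Parse https://mta-sts.<domain>/.well-known/mta-sts.txt; raise on anything
    a sender must treat as an invalid policy."""
    policy = {"mx": []}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"bad policy line: {line!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy must declare version: STSv1")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError(f"unknown mode {policy.get('mode')!r}")
    age = policy.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        raise ValueError("max_age must be an integer of at most one year")
    policy["max_age"] = int(age)
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies need at least one mx pattern")
    return policy


def mx_matches(mx_host: str, patterns: list) -> bool:
    """RFC 8461 s4.1: exact match, or a leading '*.' matching exactly one label."""
    host = mx_host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.rstrip(".")
        if pat.startswith("*."):
            labels = host.split(".")
            if len(labels) > 1 and ".".join(labels[1:]) == pat[2:]:
                return True
        elif host == pat:
            return True
    return False


def sender_decision(policy: dict, mx_host: str, tls_ok: bool) -> dict:
    """What a policy-aware sender does for one MX host. tls_ok means STARTTLS
    succeeded with a certificate valid for that host. Failure labels are this
    example's own, not the RFC 8460 result-type names."""
    failures = []
    if not mx_matches(mx_host, policy["mx"]):
        failures.append("mx-not-in-policy")
    if not tls_ok:
        failures.append("tls-or-certificate-failure")
    if policy["mode"] == "none":
        # MTA-STS asks for nothing; plain opportunistic TLS applies
        return {"deliver": True, "report": False, "failures": failures}
    if failures and policy["mode"] == "enforce":
        # enforce: do not deliver to this host; try another MX or queue the mail
        return {"deliver": False, "report": True, "failures": failures}
    # testing: deliver anyway, and report any failure through TLS-RPT
    return {"deliver": True, "report": bool(failures), "failures": failures}


SAMPLE_RECORD = "v=STSv1; id=20250701T000000Z;"
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mx.example.net
max_age: 604800
"""

if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    print(parse_sts_record(SAMPLE_RECORD), pol)
    for host, ok in [("mail.example.com", True), ("a.mx.example.net", False), ("x.example.org", True)]:
        print(host, sender_decision(pol, host, ok), sender_decision(dict(pol, mode="testing"), host, ok))
```

The practical reading: in testing mode a typo in an `mx:` line or an expiring certificate costs you nothing but a TLS-RPT report, while the same mistake in enforce mode stops inbound mail from every policy-aware sender until `max_age` expires or the record `id` changes and they refetch.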
Where you host decides your posture
Bucket domains by their MX provider and a clear divide shows up. Managed mailbox platforms — Microsoft 365, Google Workspace, Proofpoint, Mimecast — ship DMARC guidance and, increasingly, enforce it for new tenants. Self-managed mail servers get none of that nudge.
| Provider | DMARC | SPF |
|---|---|---|
| Microsoft 365 | 92.4% | 99.2% |
| Google Workspace | 87.5% | 92.9% |
| Proofpoint | 95.5% | 97.1% |
| Mimecast | 95.1% | 97.5% |
| Self-managed / no MX | 28.7% | 29.9% |
The best-performing managed provider in our sample reaches 95.5% DMARC adoption; self-managed mail servers sit at 28.7% — roughly a 3.3x gap. If you administer your own mail infrastructure, you're the segment least likely to have DMARC guardrails from your provider — which makes it worth checking your own posture directly.
By rank band
We split the scan into three Tranco rank bands — top 1,000, 1,000–5,000, and 5,000–10,000 — to see whether more-visited sites carry a stronger posture. BIMI shows the clearest gradient; DMARC, SPF, MTA-STS, and TLS-RPT move only a few points across the whole top 10,000.
| Rank band | DMARC | SPF | MTA-STS | TLS-RPT | BIMI | Full stack |
|---|---|---|---|---|---|---|
| 1–1,000 | 74% | 76.9% | 3.2% | 4.2% | 16.9% | 0.6% |
| 1,000–5,000 | 68.2% | 75.5% | 2.7% | 3.3% | 10.3% | 0.9% |
| 5,000–10,000 | 67.1% | 76.2% | 2.4% | 2.6% | 7.4% | 0.7% |
BIMI adoption in the top 1,000 (16.9%) is more than double the 5,000–10,000 band (7.4%) — brand logos in the inbox are still a top-tier feature. Full-stack adoption, meanwhile, barely moves across bands (0.6%–0.9%): even the most prominent domains on the internet rarely run every layer together.
Methodology
We scanned the Tranco top 10,000 domain list, snapshot JZ2VY, pinned 2026-07-01. 8,907 of 10,000 domains resolved (89.1% coverage) — every percentage in this report is a share of that resolved population, not the full 10,000.
The scan reuses DDMARC's existing DNS-record checker, run as a standalone batch job against public DNS (plus the public HTTPS policy fetch for MTA-STS) and nothing else. No customer data, no production systems, no domain-level results published — aggregates only.
| Signal | Source | Note |
|---|---|---|
| DMARC | _dmarc.<domain> TXT | Presence, policy (p=), pct=, sp=, rua=/ruf= presence |
| SPF | Root domain TXT | Presence, all-qualifier (-/~/?/+), multiple-record detection |
| MTA-STS | _mta-sts.<domain> TXT, then HTTPS fetch of https://mta-sts.<domain>/.well-known/mta-sts.txt | DNS presence for all domains; policy mode fetched only for record-having domains |
| TLS-RPT | _smtp._tls.<domain> TXT | Presence |
| BIMI | default._bimi.<domain> TXT | Record presence only (no VMC/SVG validation in this edition) |
| MX / mailbox provider | MX records | Bucketed into Microsoft, Google, Proofpoint, Mimecast, self-managed/other |
| DKIM (caveated) | Common selector probe | Lower-bound only — see limits. Excluded from headline stats. |
Limits — read before you cite a number
- DKIM under-counts: selector discovery from DNS alone is unsolved. We probed only common selectors (default, google, selector1, selector2, k1, s1), which gives a lower-bound ~51% signal — not a real adoption number, and kept out of every headline stat.
- p=none reflects a state, not an intent: a domain could be newly monitoring or permanently parked at p=none. We report what's published, not why.
- MTA-STS and BIMI are checked at the DNS layer for every domain. The HTTPS policy fetch that determines enforce/testing mode only ran for the subset of domains that already publish the MTA-STS DNS record, and BIMI logos and VMCs were not validated at all in this edition.
- This is a single snapshot (Tranco JZ2VY, 2026-07-01), not a trend line. We plan to re-run this scan annually to track change over time.
- 8,907 of the top 10,000 domains resolved (89.1%). The remaining 10.9% timed out, had no DNS records, or were parked/unregistered at scan time and are excluded from every percentage.
- SPF's real deliverability impact depends on mail-flow telemetry we don't have from public DNS alone — we report record presence and qualifier strength, not pass/fail rates.
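To make the methodology concrete, here is an added example (not DDMARC's checker) of a per-domain scan over the record names in the table above, with the DNS client passed in so the lookups can be faked offline: presence of each signal, the DMARC policy value, the full-stack test from the key findings, the MX-based provider bucket, and the common-selector DKIM probe with its lower-bound caveat. The MX-suffix-to-provider map and the fake DNS answers are this example's own assumptions; the report does not publish its mapping, and the domains and records below are constructed.

```python
"""Scan one domain for the signals in the methodology table, with the DNS
client injected so the lookups can be faked.

Added example for this page, not DDMARC's checker. PROVIDER_SUFFIXES and the
FAKE_* answers are this example's assumptions, not the report's data.
"""
import re
from collections import defaultdict

# Assumed MX hostname suffixes per provider bucket (not the report's mapping)
PROVIDER_SUFFIXES = {
    "Microsoft 365": (".mail.protection.outlook.com",),
    "Google Workspace": (".google.com", ".googlemail.com"),
    "Proofpoint": (".pphosted.com",),
    "Mimecast": (".mimecast.com",),
}
# Selectors probed for the DKIM lower bound, as listed in the report's limits
DKIM_SELECTORS = ("default", "google", "selector1", "selector2", "k1", "s1")
P_TAG = re.compile(r"(?:^|;)\s*p\s*=\s*([a-z]+)", re.I)  # DMARC p= (not sp= or pct=)
DKIM_KEY = re.compile(r"(?:^|;)\s*p\s*=")  # a DKIM record always carries a p= tag


def bucket_provider(mx_hosts):
    """First provider whose suffix matches any MX host; otherwise self-managed / no MX."""
    hosts = [h.lower().rstrip(".") for h in mx_hosts]
    for name, suffixes in PROVIDER_SUFFIXES.items():
        if any(h.endswith(suffixes) for h in hosts):
            return name
    return "Self-managed / no MX"


def scan_domain(domain, txt, mx):
    """txt(name) -> list of TXT strings (each already joined from its
    character-strings; [] on NXDOMAIN/NODATA). mx(domain) -> list of MX hostnames."""
    def records(name, prefix):
        return [r for r in txt(name) if r.strip().lower().startswith(prefix)]

    dmarc = records(f"_dmarc.{domain}", "v=dmarc1")
    spf = records(domain, "v=spf1")
    m = P_TAG.search(dmarc[0]) if len(dmarc) == 1 else None
    policy = m.group(1).lower() if m else None
    # Lower bound only: a domain signing with any other selector shows up as False
    dkim_hits = [s for s in DKIM_SELECTORS
                 if any(DKIM_KEY.search(r) for r in txt(f"{s}._domainkey.{domain}"))]
    result = {
        "dmarc": bool(dmarc),
        "dmarc_policy": policy,
        "dmarc_enforced": policy in ("quarantine", "reject"),
        "spf": bool(spf),
        "spf_multiple": len(spf) > 1,
        "mta_sts": bool(records(f"_mta-sts.{domain}", "v=stsv1")),
        "tls_rpt": bool(records(f"_smtp._tls.{domain}", "v=tlsrptv1")),
        "bimi": bool(records(f"default._bimi.{domain}", "v=bimi1")),
        "dkim_lower_bound": bool(dkim_hits),
        "provider": bucket_provider(mx(domain)),
    }
    # The report's "full stack": SPF present, DMARC enforced, and all three newer layers
    result["full_stack"] = all(result[k] for k in ("spf", "dmarc_enforced", "mta_sts", "tls_rpt", "bimi"))
    return result


def aggregate(results):
    """Per-provider DMARC adoption and overall full-stack share, in percent."""
    by_provider = defaultdict(list)
    for r in results:
        by_provider[r["provider"]].append(r["dmarc"])
    return {
        "dmarc_by_provider": {p: round(100.0 * sum(v) / len(v), 1) for p, v in by_provider.items()},
        "full_stack_pct": round(100.0 * sum(r["full_stack"] for r in results) / len(results), 1),
    }


# Constructed answers standing in for a DNS client (not real domains or records)
FAKE_TXT = {
    "_dmarc.alpha.example": ["v=DMARC1; p=reject; sp=quarantine; rua=mailto:d@alpha.example"],
    "alpha.example": ["google-site-verification=abc123", "v=spf1 include:_spf.example.net -all"],
    "_mta-sts.alpha.example": ["v=STSv1; id=20250701T000000Z;"],
    "_smtp._tls.alpha.example": ["v=TLSRPTv1; rua=mailto:tls@alpha.example"],
    "default._bimi.alpha.example": ["v=BIMI1; l=https://alpha.example/logo.svg;"],
    "google._domainkey.alpha.example": ["v=DKIM1; k=rsa; p=QUJDREVG"],
    "_dmarc.beta.example": ["v=DMARC1; p=none; rua=mailto:d@beta.example"],
    "beta.example": ["v=spf1 mx ~all"],
}
FAKE_MX = {"alpha.example": ["aspmx.l.google.com."], "beta.example": ["mail.beta.example."], "gamma.example": []}


def fake_txt(name):
    return FAKE_TXT.get(name, [])


def fake_mx(domain):
    return FAKE_MX.get(domain, [])


if __name__ == "__main__":
    scans = [scan_domain(d, fake_txt, fake_mx) for d in FAKE_MX]
    for s in scans:
        print(s)
    print(aggregate(scans))
```

Swapping `fake_txt`/`fake_mx` for real lookups (joining each TXT answer's character-strings first) gives the same per-domain dictionary the aggregates in this report are built from; note that `dkim_lower_bound` stays out of `full_stack` for exactly the reason given in the limits above.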
Frequently asked questions
What percentage of top domains have a DMARC record?
68.2% of the 8,907 resolved domains in our Tranco top-10,000 scan (snapshot JZ2VY, 2026-07-01) publish a DMARC record. The remaining 31.8% have none at all.
Is publishing a DMARC record enough to stop spoofing?
Not on its own. About 1 in 4 domains with a DMARC record (25%) are still set to p=none — monitoring mode, with no enforcement action against failing mail. Only domains at p=quarantine or p=reject (73% of adopters, 49.9% of all domains) actually block or quarantine spoofed mail.
What is MTA-STS, and how many domains actually use it?
MTA-STS (SMTP MTA Strict Transport Security) enforces TLS encryption for inbound mail, closing a downgrade-attack gap that SPF, DKIM, and DMARC don't cover. Only 2.6% of scanned domains publish an MTA-STS record, and about half of those (53%) run it in full enforce mode rather than testing.
How many domains run the full modern email security stack?
Just 0.7% — SPF present, DMARC enforced (quarantine or reject), MTA-STS, TLS-RPT, and BIMI, all together. Each individual layer beyond SPF and DMARC is a single-digit-percent adoption story on its own; combined, the full stack is close to nonexistent.
Does an organization's email provider affect its DMARC posture?
Substantially. Domains on managed providers — Microsoft 365 (92.4%), Proofpoint (95.5%), Mimecast (95.1%), and Google Workspace (87.5%) — adopt DMARC at 87–96%. Self-managed mail servers (or domains with no discernible MX provider) sit at 28.7%, a roughly 3x gap.