Original research · The DDMARC Research Desk

Beyond DMARC: The State of the Modern Email Security Stack (2026)

SPF and DMARC are going mainstream. MTA-STS, TLS-RPT, and BIMI are not — and almost nobody runs the complete stack. An original DNS scan of the Tranco top 10,000.

0.7% of the Tranco top 10,000 run the full modern email security stack — SPF, enforced DMARC, MTA-STS, TLS-RPT, and BIMI, together.

The DDMARC editors · Snapshot JZ2VY · 2026-07-01 · n=8,907

Key findings

  • 0.7%
    Run the full modern stack

    SPF + DMARC enforced + MTA-STS + TLS-RPT + BIMI, together — across all 8,907 resolved domains.

  • 68.2%
    Publish a DMARC record

    Up from a bare majority a few years ago — but adoption isn't the same as protection.

  • 1 in 4
    DMARC adopters still at p=none

    25% of domains with a DMARC record are monitor-only — visibility without enforcement.

  • 2.6%
    Publish an MTA-STS record

    The transport-security layer almost nobody has heard of, let alone deployed.

  • 9.5%
    Publish a BIMI record

    Brand logos in the inbox remain a small-minority feature, even among enforced domains.

  • 3.3x
    DMARC-adoption gap by host

    Managed mailbox providers hit 87.5–95.5% adoption; self-managed mail servers sit at 28.7%.

The enforcement gap

68.2% of the domains we scanned publish a DMARC record — a healthy majority. But a DMARC record alone doesn't stop spoofed mail; the p= tag does. Split the same population by policy and the picture changes:

DMARC policy distribution across all resolved domains:
  • 31.8% No DMARC record
  • 17.4% p=none (monitor only)
  • 18.3% p=quarantine
  • 31.6% p=reject
  • 0.9% Malformed / typo'd policy
Source: DDMARC — DNS scan of the Tranco top 10,000 (snapshot JZ2VY, 2026-07-01, n=8,907 resolved).

Reframed as a share of adopters only: about 25% of domains with a DMARC record are still sitting at p=none — publishing the record, collecting reports, but taking no action on failing mail. The remaining 73% enforce, at quarantine or reject.

Reporting completeness tells a parallel story: 85.6% of adopters have an rua= address configured, so most domains that publish DMARC are at least watching their mail flow. Far fewer — 23.9% — set an explicit sp= subdomain policy, leaving most subdomains to inherit whatever the organizational policy happens to be.

SPF tells a similar quality story one layer down: 76% of domains publish an SPF record, and of those, 50.1% use a hard-fail -all qualifier versus 44.5% on the weaker ~all. A small 0.7% publish more than one SPF record — a configuration error that breaks the check entirely: evaluation returns permerror (RFC 7208 permits only one record).

The forgotten layers

SPF and DMARC get almost all the attention — they're older, better-known, and Google/Yahoo's 2024 bulk-sender rules put them on every mailbox admin's radar. Three newer layers close real gaps that SPF/DKIM/DMARC don't touch, and adoption for all three is still near zero:

  • MTA-STS (2.6% adoption) enforces TLS encryption for inbound mail, closing a downgrade-attack window. Of the domains that publish it, 53% run in full enforce mode rather than testing.
  • TLS-RPT (3% adoption) reports on TLS delivery failures — the visibility layer that makes MTA-STS safe to turn on without flying blind.
  • BIMI (9.5% adoption) displays a verified brand logo in the inbox — a deliverability and trust signal, and the only one of the three with a direct end-user-visible payoff.

Placed on the same scale as SPF and DMARC, the drop-off is stark:

The modern email security stack, stage by stage. Each layer is rarer than the last — the drop from DMARC enforcement to MTA-STS is the sharpest.
  • SPF present (basic sender authorization): 76%
  • DMARC adopted (any policy, including p=none): 68.2%
  • DMARC enforced (p=quarantine or p=reject): 49.9%
  • MTA-STS present (transport-layer TLS enforcement): 2.6%
  • Full modern stack (SPF + enforced DMARC + MTA-STS + TLS-RPT + BIMI): 0.7%
Source: DDMARC — DNS scan of the Tranco top 10,000 (snapshot JZ2VY, 2026-07-01, n=8,907 resolved).

0.7% of scanned domains run every layer at once — SPF present, DMARC enforced, MTA-STS, TLS-RPT, and BIMI, together. That's the headline number for this edition: the modern email security stack, in its complete form, is close to nonexistent even among domains that have already done the harder work of enforcing DMARC.

Where you host decides your posture

Bucket domains by their MX provider and a clear divide shows up. Managed mailbox platforms — Microsoft 365, Google Workspace, Proofpoint, Mimecast — ship DMARC guidance and, increasingly, enforce it for new tenants. Self-managed mail servers get none of that nudge.

DMARC and SPF adoption by MX / mailbox provider

| Provider | DMARC | SPF |
|---|---|---|
| Microsoft 365 | 92.4% | 99.2% |
| Google Workspace | 87.5% | 92.9% |
| Proofpoint | 95.5% | 97.1% |
| Mimecast | 95.1% | 97.5% |
| Self-managed / no MX | 28.7% | 29.9% |

Source: DDMARC — DNS scan of the Tranco top 10,000 (snapshot JZ2VY, 2026-07-01, n=8,907 resolved), bucketed by MX record.

The best-performing managed provider in our sample reaches 95.5% DMARC adoption; self-managed mail servers sit at 28.7% — roughly a 3.3x gap. If you administer your own mail infrastructure, you're the segment least likely to have DMARC guardrails from your provider — which makes it worth checking your own posture directly.

By rank band

We split the scan into three Tranco rank bands — top 1,000, 1,000–5,000, and 5,000–10,000 — to see whether more-visited sites carry a stronger posture. BIMI shows the clearest gradient; DMARC, SPF, MTA-STS, and TLS-RPT are surprisingly flat across the whole top 10,000.

DMARC and BIMI adoption by Tranco rank band

| Rank band | DMARC | SPF | MTA-STS | TLS-RPT | BIMI | Full stack |
|---|---|---|---|---|---|---|
| 1–1,000 | 74% | 76.9% | 3.2% | 4.2% | 16.9% | 0.6% |
| 1,000–5,000 | 68.2% | 75.5% | 2.7% | 3.3% | 10.3% | 0.9% |
| 5,000–10,000 | 67.1% | 76.2% | 2.4% | 2.6% | 7.4% | 0.7% |

Source: DDMARC — DNS scan of the Tranco top 10,000 (snapshot JZ2VY, 2026-07-01), grouped by rank band.

BIMI adoption in the top 1,000 (16.9%) is more than double the 5,000–10,000 band (7.4%) — brand logos in the inbox are still a top-tier feature. Full-stack adoption, meanwhile, barely moves across bands (0.6%–0.9%): even the most prominent domains on the internet rarely run every layer together.

Methodology

We scanned the Tranco top 10,000 domain list, snapshot JZ2VY, pinned 2026-07-01. 8,907 of 10,000 domains resolved (89.1% coverage) — every percentage in this report is a share of that resolved population, not the full 10,000.

The scan reuses DDMARC's existing DNS-record checker, run offline against public DNS records only. No customer data, no production systems, no domain-level results published — aggregates only.

| Signal | Source | Note |
|---|---|---|
| DMARC | _dmarc.<domain> TXT | Presence, policy (p=), pct=, sp=, rua=/ruf= presence |
| SPF | Root domain TXT | Presence, all-qualifier (-/~/?/+), multiple-record detection |
| MTA-STS | _mta-sts.<domain> TXT, then HTTPS policy fetch | DNS presence for all domains; policy mode fetched only for record-having domains |
| TLS-RPT | _smtp._tls.<domain> TXT | Presence |
| BIMI | default._bimi.<domain> TXT | Record presence only (no VMC/SVG validation in this edition) |
| MX / mailbox provider | MX records | Bucketed into Microsoft, Google, Proofpoint, Mimecast, self-managed/other |
| DKIM (caveated) | Common selector probe | Lower-bound only — see limits. Excluded from headline stats. |
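
How the DNS-layer signals listed above, and the policy split in "The enforcement gap", can be derived from raw TXT answers, as an added example (this is not DDMARC's checker). The function names, the constructed `ZONE` sample, the choice to bucket duplicate DMARC records as malformed, and requiring exactly one SPF record for the full stack are assumptions of this example.

```python
import re

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a lowercase-keyed dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def dmarc_posture(txts):
    """Return (policy bucket, has rua=, has explicit sp=) for _dmarc TXT answers."""
    recs = [t for t in txts if t.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return "absent", False, False
    if len(recs) > 1:  # RFC 7489: several records means no policy is applied
        return "malformed", False, False  # bucket choice is this example's assumption
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    bucket = policy if policy in ("none", "quarantine", "reject") else "malformed"
    return bucket, "rua" in tags, "sp" in tags

def spf_posture(txts):
    """Return (number of SPF records, qualifier on 'all' or None) for root TXT answers."""
    recs = [t.strip() for t in txts if re.match(r"\s*v=spf1(\s|$)", t, re.I)]
    if len(recs) != 1:  # 0 = no SPF; more than one is a permerror under RFC 7208
        return len(recs), None
    m = re.search(r"\s([-~?+]?)all(\s|$)", recs[0], re.I)
    return 1, (m.group(1) or "+") if m else None  # a bare 'all' means '+all'

def full_stack(zone, domain):
    """True only when SPF, enforced DMARC, MTA-STS, TLS-RPT and BIMI are all published."""
    def has(name, version):
        return any(t.strip().lower().startswith(version) for t in zone.get(name, []))
    return (spf_posture(zone.get(domain, []))[0] == 1  # stricter than mere presence
            and dmarc_posture(zone.get(f"_dmarc.{domain}", []))[0] in ("quarantine", "reject")
            and has(f"_mta-sts.{domain}", "v=stsv1")
            and has(f"_smtp._tls.{domain}", "v=tlsrptv1")
            and has(f"default._bimi.{domain}", "v=bimi1"))

# Constructed sample data (not scan results): TXT answers keyed by query name.
ZONE = {
    "example.test": ["v=spf1 include:_spf.example.test -all", "site-verification=abc123"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; sp=quarantine; rua=mailto:d@example.test"],
    "_mta-sts.example.test": ["v=STSv1; id=20260701T000000"],
    "_smtp._tls.example.test": ["v=TLSRPTv1; rua=mailto:tls@example.test"],
    "default._bimi.example.test": ["v=BIMI1; l=https://example.test/logo.svg"],
    "_dmarc.typo.test": ["v=DMARC1; p=rejct"],
    "dup.test": ["v=spf1 -all", "v=spf1 include:mail.dup.test ~all"],
}
```
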

Limits — read before you cite a number

  • DKIM under-counts: selector discovery from DNS alone is unsolved. We probed only common selectors (default, google, selector1, selector2, k1, s1), which gives a lower-bound ~51% signal — not a real adoption number, and kept out of every headline stat.
  • p=none reflects a state, not an intent: a domain could be newly monitoring or permanently parked at p=none. We report what's published, not why.
  • MTA-STS and BIMI are checked at the DNS layer for every domain; the HTTPS policy fetch (enforce/testing mode, VMC/SVG validity) only ran for the subset of domains that already publish the DNS record.
  • This is a single snapshot (Tranco JZ2VY, 2026-07-01), not a trend line. We plan to re-run this scan annually to track change over time.
  • 8,907 of the top 10,000 domains resolved (89.1%). The remaining 10.9% timed out, had no DNS records, or were parked/unregistered at scan time and are excluded from every percentage.
  • SPF's real deliverability impact depends on mail-flow telemetry we don't have from public DNS alone — we report record presence and qualifier strength, not pass/fail rates.

Frequently asked questions

What percentage of top domains have a DMARC record?

68.2% of the 8,907 resolved domains in our Tranco top-10,000 scan (snapshot JZ2VY, 2026-07-01) publish a DMARC record. The remaining 31.8% have none at all.

Is publishing a DMARC record enough to stop spoofing?

Not on its own. About 1 in 4 domains with a DMARC record (25%) are still set to p=none — monitoring mode, with no enforcement action against failing mail. Only domains at p=quarantine or p=reject (73% of adopters, 49.9% of all domains) actually block or quarantine spoofed mail.

What is MTA-STS, and how many domains actually use it?

MTA-STS (SMTP MTA Strict Transport Security) enforces TLS encryption for inbound mail, closing a downgrade-attack gap that SPF, DKIM, and DMARC don't cover. Only 2.6% of scanned domains publish an MTA-STS record, and about half of those (53%) run it in full enforce mode rather than testing.

How many domains run the full modern email security stack?

Just 0.7% — SPF present, DMARC enforced (quarantine or reject), MTA-STS, TLS-RPT, and BIMI, all together. Each individual layer beyond SPF and DMARC is a single-digit-percent adoption story on its own; combined, the full stack is close to nonexistent.

Does an organization's email provider affect its DMARC posture?

Substantially. Domains on managed providers — Microsoft 365 (92.4%), Proofpoint (95.5%), Mimecast (95.1%), and Google Workspace (87.5%) — adopt DMARC at 87–96%. Self-managed mail servers (or domains with no discernible MX provider) sit at 28.7%, a roughly 3x gap.
