This ToolTrusted study reports original email authentication statistics measured from live DNS across 10,000 of the world’s most-linked domains in June 2026. We wanted to answer a simple question with hard data instead of guesswork: now that Google, Yahoo and Microsoft require bulk senders to authenticate, how many domains have actually done it — and how many stop at the bare minimum? The headline: SPF is nearly universal, DMARC adoption is climbing, but real DMARC enforcement still lags far behind, and the newer TLS and brand-indicator layers are barely off the ground. Every figure below is queried, not estimated.
Email authentication statistics at a glance
These email authentication statistics, taken across the full sample, show where the email ecosystem stands today. SPF is the most-adopted standard, but the gap between publishing DMARC and actually enforcing it is the single biggest story in the data.
Email authentication adoption across 10,000 top domains
Share of domains publishing each record, June 2026.
The table below summarizes adoption for every record we measured, across all 10,000 domains and — separately — across the 8,489 domains that actually receive mail (those with at least one MX record), which is the more meaningful denominator for inbound-facing standards.
| Standard | All domains | Mail-enabled domains | What it protects |
|---|---|---|---|
| SPF | 84.5% | 95.3% | Which servers may send as your domain |
| DMARC (any) | 76.6% | 86.5% | Spoofing policy + reporting |
| DMARC at enforcement | 54.0% | — | Actually blocking spoofed mail |
| MTA-STS | 3.6% | 4.3% | Forces encrypted (TLS) delivery |
| TLS-RPT | 4.5% | 5.3% | Reports on TLS delivery failures |
| BIMI | 9.4% | — | Verified brand logo in the inbox |
How we collected these email authentication statistics
We took the top 10,000 domains from the Majestic Million, a widely cited ranking of the most-referenced domains on the web, and queried live public DNS for each one in June 2026 using Google and Cloudflare resolvers. For every domain we checked:
- SPF — the root
TXTrecord, looking forv=spf1and reading itsallqualifier. - DMARC — the
TXTrecord at_dmarc.<domain>, reading thep=policy tag. - MTA-STS — the
TXTrecord at_mta-sts.<domain>(v=STSv1). - TLS-RPT — the
TXTrecord at_smtp._tls.<domain>(v=TLSRPTv1). - BIMI — the
TXTrecord atdefault._bimi.<domain>(v=BIMI1). - MX — whether the domain receives mail at all.
The method is intentionally transparent and reproducible: these are public DNS records, defined in their respective RFCs (for example, RFC 7489 for DMARC), that any mailbox provider checks on every message. Two caveats apply, as with every study of this kind. First, a top-domain sample skews toward larger, better-resourced organizations, so real-world adoption across all domains is almost certainly lower than the numbers here — these figures are a best case. Second, we measure the presence and policy of each DNS record, not whether every sending stream is correctly aligned; a published record is necessary but not always sufficient.
We are publishing the email authentication statistics this way — sample size stated, records named, RFCs linked, no proprietary black box — precisely because the email community deserves numbers it can check rather than vendor marketing claims it cannot. We intend to re-run the same measurement on the same ranking each year, so the figures below become a baseline you can watch move over time. Where our results line up with the broad direction reported by DMARC vendors and the industry’s working groups, that convergence is a good sign the picture is real; where a single sender’s own data differs, the difference usually comes down to which population of domains was sampled.
SPF adoption is nearly universal — but often toothless
SPF adoption leads every other standard at 84.5% of all domains and 95.3% of mail-enabled domains. That is the good news. The catch is in the qualifier. An SPF record only protects you if it ends in -all (hard fail), which tells receivers to reject mail from servers not on the list. A record ending in ~all (soft fail) asks receivers to accept the mail anyway and merely flag it.
SPF strictness
The all qualifier on published SPF records.
Only 47.9% of SPF records use a strict -all, while 46.4% settle for the softer ~all. Soft fail is a reasonable safety setting while you are still discovering your legitimate senders, but if you never tighten it, SPF does little on its own. This is exactly why DMARC exists — and why the SPF qualifier matters less once a strong DMARC policy is in force. Our SPF record guide walks through choosing the right qualifier and staying under the 10-lookup limit.
DMARC adoption is rising, enforcement is not
This is the heart of the study. DMARC adoption reaches 76.6% of all domains — a clear majority — which sounds encouraging until you look at the policy each record actually publishes. A DMARC record at p=none blocks nothing: it only collects reports. Real protection starts at p=quarantine and is complete at p=reject.
How strong is published DMARC?
Policy distribution among the 7,659 domains that publish a DMARC record.
Of the domains that publish DMARC, 29.4% are stuck at p=none — monitoring only, providing no protection against spoofing. Just 70.5% have reached enforcement (quarantine or reject), and 43.2% have gone all the way to p=reject. Measured against the entire sample, only 54.0% of domains actually enforce DMARC.
p=none and are still spoofable.The pattern is consistent with what deliverability teams see in the field: organizations publish p=none to satisfy the Google and Yahoo bulk-sender requirement, collect reports, and then never finish the rollout to enforcement — the step that actually stops criminals from spoofing their domain. Moving from p=none to p=reject safely is the highest-value authentication work most senders have left to do. Our DMARC record guide covers the staged rollout, and the deliverability hub explains why enforcement also protects your sending reputation. The enforcement gap also varies dramatically by domain type — see our DMARC adoption by TLD breakdown for which TLDs and countries actually enforce.
The TLS and brand layers are barely off the ground
Beyond the core three, the newer standards remain rare. MTA-STS, which forces encrypted delivery to your mail servers, sits at just 3.6%. TLS-RPT, its reporting companion, is at 4.5%. BIMI adoption — the standard that displays your verified logo next to authenticated mail — reaches 9.4%, with 637 domains in the sample attaching a verified mark certificate (VMC).
Low adoption here is an opportunity, not just a gap. Because BIMI requires DMARC at enforcement, every domain that finishes its DMARC rollout unlocks a visible inbox benefit competitors mostly do not have yet. The same logic applies to MTA-STS for security-conscious senders. Guides: MTA-STS, TLS-RPT, and BIMI.
What these email authentication statistics mean for you
If you run email for a domain, these email authentication statistics turn into a short, ordered checklist. The averages above are a best case drawn from top domains; most senders are behind them, which means the work below is both common and high-impact.
- Publish SPF and end it in
-allonce you have confirmed your legitimate senders. You are likely already in the 84.5% with a record — make sure it is the strict kind. - Publish DMARC and finish the rollout. Don’t be part of the 29.4% stuck at
p=none. Move top=quarantine, thenp=reject. - Add the TLS layer. MTA-STS and TLS-RPT put you in the 3.6% minority that enforces encrypted delivery.
- Earn your logo with BIMI once DMARC is at enforcement — a visible win 9.4% of domains have so far.
The encouraging way to read these email authentication statistics is that the hardest part — getting a record published at all — is mostly done across the top of the web; the remaining work is finishing rollouts that are already started. You can check exactly where your own domain stands in under a minute with our free, no-signup lookups, then close any gap with the matching guide.
Cite this research
This study is free to use and share under a Creative Commons BY 4.0 licence. If you reference the data, please credit ToolTrusted with a link to this page — that is all we ask.
APA: ToolTrusted. (2026). The State of Email Authentication 2026. ToolTrusted. https://tooltrusted.com/email-authentication-statistics/
To embed a link back to this research, copy the snippet below:
<p>Source: <a href="https://tooltrusted.com/email-authentication-statistics/">The State of Email Authentication 2026 — ToolTrusted</a></p>
Related reading
Email authentication statistics FAQ
How many domains use DMARC?
In our June 2026 study of the top 10,000 domains, 76.6% published a DMARC record. But publishing is not the same as enforcing: only 54.0% of all domains had DMARC at a policy of quarantine or reject. The rest sit at p=none, which monitors but blocks nothing. Adoption among all domains on the internet is lower still, because top domains are better resourced than average.
What is a good DMARC enforcement rate?
For your own domain, the target is 100% — a single p=reject policy covering all your sending. Across the ecosystem, 70.5% of domains that publish DMARC have reached enforcement in our sample. If you are still at p=none, you have a published record but no actual protection against spoofing, and you are in the largest group in this study.
Is SPF adoption enough on its own?
No. SPF adoption is high (84.5%), but 46.4% of records use the lenient ~all qualifier, which asks receivers to accept unauthorized mail rather than reject it. SPF also breaks on forwarding. It is necessary but not sufficient — you need DKIM and an enforced DMARC policy on top of it for real anti-spoofing protection.
Why is BIMI adoption so low?
BIMI adoption (9.4%) is gated behind DMARC enforcement: you cannot display a BIMI logo until your DMARC policy is at quarantine or reject. Since only 54.0% of domains enforce DMARC, the pool of domains eligible for BIMI is small — and many that are eligible have not added the record or the verified mark certificate yet. That makes it an easy differentiator for senders who finish their DMARC rollout.
How was this data measured?
We queried live public DNS for the top 10,000 domains in the Majestic Million during June 2026, reading each domain’s SPF, DMARC, MTA-STS, TLS-RPT, BIMI and MX records directly — the same records mailbox providers check. No proprietary data or estimates were used. Because these are public records, anyone can reproduce the method for any domain using our free lookup tools.
Cite this article
Raj Kapoor. "The State of Email Authentication in 2026: SPF, DMARC and BIMI Adoption Across 10,000 Domains." ToolTrusted, June 25, 2026, https://tooltrusted.com/email-authentication-statistics/.
Raj Kapoor. (2026). The State of Email Authentication in 2026: SPF, DMARC and BIMI Adoption Across 10,000 Domains. ToolTrusted. https://tooltrusted.com/email-authentication-statistics/
Notice something outdated or incorrect in this review? Let us know below, and our team will update it within 24 hours.