1. Introduction#
How widely email authentication is deployed, how it is configured, and how strictly it is enforced are basic quantities for mail operators, domain administrators, and security researchers. SPF, DKIM, and DMARC are prerequisites for inbox delivery at the major mailbox providers, and a companion analysis found that passing authentication is necessary but not sufficient for reaching the inbox [1]. Deployment of these protocols has been measured in snapshots taken in different years, over different domain populations, and from different vantage points, and the rates those studies report are not directly comparable. In addition, the February 2024 requirement that bulk senders to Gmail and Yahoo authenticate their mail and publish a DMARC record [8, 44, 45] postdates almost all of the published measurements.
This paper measures the current state of SPF and DMARC deployment and relates it to the prior literature. We addressed three questions: what fraction of top-million domains publish SPF and DMARC in 2026; how deployment changed between 2015 and 2026, in particular around the February 2024 mandate; and how policy strictness and configuration quality developed over the same period. We actively scanned a random sample of the Tranco top million in July 2026, recording SPF and DMARC publication, DMARC policy, and misconfiguration signals. We extracted a single-source longitudinal series from OpenINTEL, a long-running academic DNS measurement platform, covering 2022 to 2026 and bracketing the mandate. We also systematically reviewed the measurement literature from 2015 to 2026, holding population and vantage fixed within each comparison.
In the 2026 scan, 62.8 percent of resolvable top-million domains published SPF and 47.2 percent published DMARC, and the OpenINTEL series agreed with both figures to within about 1.5 percentage points. SPF deployment has remained near 60 percent since 2022. DMARC deployment rose roughly an order of magnitude over the decade, and the longitudinal series places its acceleration in the six months containing the mandate, when adoption moved from about 27 to 35 percent at roughly four times the prior rate. The share of DMARC domains with an enforcing policy reached about half by 2023 and has remained there. Because this is an observational measurement, we report the timing of these changes and do not attribute cause. The contributions are: (1) a measurement of top-million SPF and DMARC deployment after the 2024 mandate, with confidence intervals; (2) a single-source longitudinal series that times the DMARC acceleration and cross-validates the scan from separate infrastructure; and (3) a systematic review that reports each prior rate with its population, vantage, and year. Inbox placement as a function of authentication is covered by a single study of forged mail; Section 6 discusses this gap. We release the scan code, the OpenINTEL extraction, and the raw data.
2. Background#
SPF, DKIM, and DMARC are DNS-published records that a receiving server can check to decide whether a message is authorized to use the domain in its headers.
SPF (Sender Policy Framework, RFC 7208) lets a domain publish which hosts may send mail in its name, in a TXT record at the domain apex that ends in an all mechanism whose qualifier sets the strictness: -all (hardfail), ~all (softfail), or the permissive +all/?all [2]. DKIM (DomainKeys Identified Mail, RFC 6376) attaches a cryptographic signature to each message, validated against a public key published under a selector in DNS [3]. DMARC (RFC 7489, now superseded by RFC 9989) builds on the two: it ties authentication to the visible From domain and publishes, at _dmarc.<domain>, a policy of none, quarantine, or reject, together with optional aggregate (rua) and failure (ruf) reporting [4, 5]. Only an enforcing policy (quarantine or reject) instructs receivers to act on a failure; p=none requests monitoring only. The 2024 bulk-sender requirements pair DMARC publication with one-click unsubscribe, specified in RFC 8058 [36], and with low complaint rates. The Authenticated Received Chain [37] preserves authentication results across forwarding; it is related to these mechanisms but is not required by the mandate.
These mechanisms give rise to three distinct measurement targets: whether a domain publishes a record, whether a receiving server validates one, and whether an authenticated message reaches the inbox. Rates for one target do not transfer to another, and this paper reports each separately.
3. Data and Methodology#
We combined an active scan, a longitudinal extraction, and a systematic review. Figures measured by us are labeled as such throughout and kept distinct from cited figures. The scan resolves only public DNS records, sends no email, and probes no host; the ethical exposure is limited to DNS query load, which we bounded with low query rates.
3.1 Active measurement of the Tranco top million#
We drew a seeded random sample from the Tranco top-million list (pinned list 94VW2, generated 2026-07-05) [32]. The unit of measurement is the registrable domain, fixed by the Public Suffix List [38]. For each domain we resolved the apex TXT record for SPF and the _dmarc TXT record for DMARC over six public anycast resolvers. A domain was classified as resolvable if its apex query returned NOERROR, with or without a TXT record; a resolvable domain without an SPF record was counted as not publishing SPF, not as missing data. NXDOMAIN responses and timeouts were recorded separately and were never counted as absence of a record. We ran the scan twice with independent seeds to bound sampling variance; because the seeds draw different domains, the two runs bound sampling error, not vantage effects. All queries were issued from a single client origin, a vantage limitation discussed in Section 7. Records were parsed with the checkdmarc and pyspf libraries, and all proportions carry Wilson 95 percent confidence intervals [31]. Two constructs were excluded from the scan. DKIM cannot be measured without the non-public selector, so we report it from the literature only. Evaluating the SPF ten-lookup limit requires recursive expansion of include mechanisms, which we did not perform; we report the multiple-record and permissive-all misconfiguration signals instead. The independent variables of the analysis are calendar year, vantage, and population; the dependent variables are the deployment, policy, and misconfiguration rates. Top-list popularity bias is addressed by subgrouping results by population, denominator definition by Public Suffix List normalization, and resolver vantage by the multi-resolver set; DKIM selector blindness cannot be mitigated by scan design, so DKIM is reported from the literature. The pinned list identifier makes the sample reproducible.
3.2 OpenINTEL longitudinal series#
To place the 2026 snapshot in a time series, we analyzed OpenINTEL, an academic active-DNS measurement platform that publishes daily forward-DNS records for the Tranco top million [33, 46]. For one snapshot in each year from 2022 through 2026, plus a pre-mandate and a post-mandate snapshot, we queried the public Parquet files with DuckDB [47] and computed the SPF and DMARC deployment shares and the DMARC policy distribution over the same-day SOA-apex domain set. The platform began querying the _dmarc name in mid-2023, so the DMARC series starts there. Each snapshot covers the full list of about one million domains, so sampling error is negligible, and the series provides a cross-check on our scan from separate infrastructure. Use of the data is non-commercial research under the CC BY-NC-SA license, with attribution given in the Declarations.
3.3 The prior-measurement corpus#
We searched the ACM Digital Library, IEEE Xplore, USENIX open-access proceedings, dblp, and Crossref for measurement studies reporting SPF, DKIM, or DMARC deployment, configuration, enforcement, or placement between 2015 and 2026. Reporting follows PRISMA [26] and the systematic-review guidelines for computing research [27, 28]. We included peer-reviewed studies that report a numeric rate and excluded vendor and opinion material, which is used only as labeled context. Rates were extracted from the primary publications, and each reference was checked against Crossref, the publisher, USENIX, or the RFC Editor. Because reported rates depend on population and vantage, we did not pool a grand mean; each study is reported with its population, vantage, and year, and trends are read only within a fixed subgroup. A formal proportion meta-analysis was considered and rejected: the standard random-effects estimator [39, 29] with a variance-stabilizing transformation [41] assumes denominator-comparable inputs that are not available across a decade of different populations, the transformation is contested under such heterogeneity [30], and the heterogeneity statistic [40] would be near its ceiling.
4. SPF and DMARC Deployment#
4.1 Cross-sectional rates in 2026#
Our 2026 scan finds SPF on 62.8 percent of resolvable top-million domains (95 percent CI 62.2 to 63.4; two-run pooled, n = 25,855) and DMARC on 47.2 percent (46.6 to 47.9; n = 23,961 with a definitive _dmarc answer). The OpenINTEL 2026 snapshot, measured independently over the full list, gives 61.3 and 45.9 percent, within about 1.5 and 1.3 points of the scan. About 13 percent of sampled domains returned no definitive apex answer and about 20 percent returned no definitive DMARC answer. Non-responding domains are weighted toward parked and defunct entries, which are less likely to publish records, so the definitive-answer DMARC rate is an upper estimate; treating every non-responder as not publishing DMARC gives a lower bound near 38 percent, and the population rate therefore lies between roughly 38 and 47 percent.
4.2 Adoption from 2015 to 2026#
Table 1 and Table 2 place the 2026 rates against the prior literature, and Figure 1 plots the top-list series. Across the top-list studies, SPF rose from about 37 percent to about 50 percent between 2015 and 2020, and the OpenINTEL series holds between 57 and 64 percent across 2022 to 2026. DMARC rose roughly an order of magnitude, from 1.1 percent in 2015 [6] to 47.2 percent in our 2026 scan. The cross-study points cannot resolve when the rise accelerated, because populations and denominators differ between studies; Section 4.3 addresses the timing with the single-source series.

Table 1. SPF deployment, sender-side record publication, curated top-lists. The row for this paper is measured, with a 95 percent CI; the other rows are cited.
| Study | Year | Population | SPF |
|---|---|---|---|
| Gojmerac et al. [11] | 2015 | Alexa 1M | ~37% |
| Durumeric et al. [6] | 2015 | top-1M MX-filtered | ~47% |
| Hu, Peng, Wang [12] | 2018 | Alexa 1M | 44.9% |
| Tatang et al. [13] | 2020 | top-1M | ~50% |
| Czybik et al. [14] | 2023 | Tranco 12M | 56.5% |
| This paper (active scan) | 2026 | Tranco 1M sample | 62.8% (62.2-63.4) |
Table 2. DMARC deployment. Full-zone censuses are shown for contrast and are not pooled with top-lists; denominators are labeled because they are not matched across rows.
| Study | Year | Population (denominator) | DMARC |
|---|---|---|---|
| Durumeric et al. [6] | 2015 | top-1M, MX-filtered | 1.1% |
| Hu, Peng, Wang [12] | 2018 | Alexa 1M | 5.1% |
| Tatang et al. [13] | 2020 | top-1M | ~11% |
| Maroofi et al. [15] | 2021 | 236M census | 0.13% |
| Maroofi et al. [15] | 2021 | country top-500 | 34.3% |
| This paper (active scan) | 2026 | Tranco 1M, all resolvable | 47.2% (46.6-47.9) |
4.3 DMARC adoption around the February 2024 mandate#
In the OpenINTEL series (Table 3), DMARC deployment moved from 24.7 percent in July 2023 to 26.7 percent in January 2024, reached 34.7 percent by July 2024, and continued to 45.9 percent by July 2026. The increase in the half year from January to July 2024, about eight points, is roughly four times the increase in the preceding half year, and that interval contains the February 2024 mandate. Our 2026 scan (Section 4.1) is consistent with the series endpoint.
Table 3. Single-source OpenINTEL Tranco series (full list, about 1M SOA-apex domains per snapshot). DMARC begins mid-2023, when the platform began querying _dmarc. Enforcing = quarantine plus reject as a share of DMARC domains.
| OpenINTEL snapshot | SPF | DMARC | DMARC enforcing | rua |
|---|---|---|---|---|
| 2022-09 | 59.5% | (not yet measured) | - | - |
| 2023-07 | 61.9% | 24.7% | 47.4% | 73.3% |
| 2024-01 (pre-mandate) | 58.6% | 26.7% | 49.2% | 73.7% |
| 2024-07 (post-mandate) | 57.3% | 34.7% | 43.4% | 67.6% |
| 2025-07 | 63.9% | 43.6% | 45.8% | 65.9% |
| 2026-07 | 61.3% | 45.9% | 49.3% | 65.0% |
5. Policy Enforcement and Configuration#
5.1 DMARC policy distribution over time#
Early DMARC deployment was largely monitoring-only, and the enforcing share among publishing domains has risen since. Tatang et al. found about 70 percent of DMARC domains at p=none in 2020, implying roughly 30 percent enforcing, of which about 15 percent used reject [13]. Between 2021 and 2023, Maroofi et al. and Hureau et al. measured enforcing shares near 50 and 44 percent [15, 18]. Our 2026 scan finds 50.9 percent at none, 25.1 percent at quarantine, and 23.9 percent at reject (n = 11,318; 95 percent CIs about one point wide), an enforcing share of about 49 percent. The OpenINTEL series (Table 3, Figure 2) shows that the enforcing share was already about 47 percent by mid-2023 and stayed between 43 and 49 percent through 2026; growth in enforcement occurred mainly over 2020 to 2023 and then plateaued. Domains adopting DMARC in the mandate window skewed toward monitoring-only policies: the p=none share rose to 56.5 percent in July 2024 and returned to near 50 percent by 2026. Among the DMARC domains in our scan, 64.8 percent configure aggregate reporting (rua), compared with the 49 percent Ashiq et al. measured on the .com, .net, and .org zones in 2023 [17]; the higher rate here is in line with a popularity-weighted sample.

5.2 Configuration quality and validation#
Czybik et al. found that 2.9 percent of SPF records contain errors and 34.7 percent authorize more than 100,000 IP addresses, with 5.9 percent lacking a restrictive all [14]; overly broad and permissive SPF also carries the amplification exposure documented by Scheffler et al. [43]. In our scan, of SPF-publishing domains (n = 16,229), 38.7 percent use -all (hardfail), 55.7 percent use ~all (softfail), about 3.0 percent are permissive, and 1.6 percent carry the multiple-record error that invalidates SPF. DKIM detection lower bounds are about 28 percent in both 2015 (Gmail-observed [6]) and 2022 (selector-probed [16]); the 2022 figure is a floor because selectors are not public. Wang et al. found that 84 percent of DKIM-signing domains use keys of 1024 bits or shorter [16]. On the receiver side, Deccio et al. found that about 85 percent of mail servers validate SPF and 53 percent validate all three protocols, and that more than 25 percent violate the SPF ten-lookup limit [19]; Zhang et al. found that roughly 27 percent of servers cannot verify inbound SPF and DMARC at all [20].
6. Discussion#
The results are conditioned by three variables that differ across the literature. The first is population: a rate measured on a curated top list is not comparable to a rate measured on a full zone. SPF has been reported at 31 percent on a large full-zone census [15] and at 56.5 percent on a twelve-million-domain top list [14]; both are internally valid, and the difference lies in the denominator. The second is vantage: publishing a record (about 63 percent of resolvable top-million domains for SPF in our scan) is distinct from validating one (about 85 percent of mail servers [19]), and both are distinct from inbox delivery. The third is enforcement: adoption counts records, and only an enforcing policy changes receiver behavior, so the 2026 state depends on the policy distribution as well as on the count.
The longitudinal series supports one time-resolved statement: DMARC adoption accelerated in the six months containing the February 2024 mandate, while the enforcing fraction did not change, so the mandate window coincides with an inflow of new, mostly monitoring-only adopters. We do not attribute cause. Isolating a causal effect would require a control population unaffected by the mandate and measured over the same window, and several co-occurring factors, including concerted provider action, improved tooling, and a pre-existing upward trend, cannot be separated in these data. The direction of the finding agrees with Kondo et al., who measured DMARC rising about five points over February to May 2024 in the opening months of the mandate [9].
Configuration and validation lag publication. Best-common-practice guidance has recommended strict alignment and an enforcing policy since at least 2020 [35], while the results in Section 5.2 show high rates of over-broad SPF records [14], short DKIM keys [16], and incomplete receiver-side validation [19, 20].
The literature measures deployment from several vantages but contains little on placement. The one end-to-end study of authentication and inbox placement, by Hu and Wang, tested forged mail and found that a strict policy on the spoofed domain limits impersonation, although 34 of 35 providers delivered at least one forged message to the inbox [10]. That study measures spoofing defense, not the placement of legitimate authenticated mail, and no comparable study of legitimate mail exists; vendor reports on this question do not disclose their methods or seed lists. This is the gap identified in the companion analysis [1], and the review found no study that closes it.
7. Limitations#
Our scan and most of the cited literature sample popularity-ranked lists, which over-represent large active domains; the reported rates are therefore upper bounds on the full domain space. The scan resolved from one client origin at one point in time over public anycast resolvers, so it can miss geo-split or CDN-specific records; the two runs bound sampling variance only, not vantage. About a fifth of sampled domains returned no definitive DMARC answer; these are reported separately, and treating them all as non-publishers bounds the population DMARC rate below near 38 percent. DKIM and the SPF ten-lookup limit are outside the scan and are reported from the literature, so those figures carry the populations and years of the cited studies. The OpenINTEL series is a single homogeneous source covering 2022 to 2026, but its _dmarc measurement begins in mid-2023, so the DMARC path from about 11 percent in 2020 to 25 percent in 2023 rests on cross-study comparison rather than on a same-source series; OpenINTEL is also a fixed-vantage platform and shares the geo-vantage caveat at full-list scale. Placement is synthesized from a single forged-mail study; this paper contributes no placement measurement of its own.
8. Related Work#
Large-scale measurement of email security began with Durumeric et al., who combined Gmail SMTP logs with Internet-wide scans to report transport and authentication adoption at top-million scale [6], and Foster et al., who measured provider-side support and enforcement [7]. These studies predate the growth of DMARC and the 2024 mandate; our scan updates their adoption estimates by a decade on a comparable population.
A second group measured individual protocols and constructs: SPF configuration at twelve-million-domain scale [14] and vulnerabilities in SPF validators [21]; DKIM deployment and key strength [16]; and DMARC adoption over time [13], its reporting ecosystem [17], obstacles to its wider deployment [18], and analysis of its reports [25]. Each covers one protocol or one construct in one period; our measurement reports SPF and DMARC jointly on a current sample with a single denominator definition.
A third group measured at census scale: anti-spoofing adoption across hundreds of millions of domains with country and sectoral breakdowns [15], and protection of high-profile domains and their subdomains [24]. These use full-zone denominators, which we report alongside top-list rates but never pool with them.
A fourth group measured the receiving side: validation behavior at mail servers [19, 20], and authentication bypasses that arise when components are composed inconsistently [22, 23]. These studies measure validation; our scan measures publication, and Section 5.2 relates the two sides.
A parallel line measured the transport security of email delivery [34, 42]. Placement has one end-to-end measurement, of forged mail [10], and Kondo et al. measured implementation in the months immediately after the sender guidelines took effect [9]. Our study differs from all of these in measuring top-million SPF and DMARC after the 2024 mandate, in adding a single-source longitudinal series that times the DMARC acceleration and cross-validates an independent scan, and in reporting every rate within a fixed population and vantage subgroup.
9. Conclusion#
This paper set out to measure SPF and DMARC deployment on the top million domains after the February 2024 bulk-sender mandate and to relate the result to a decade of prior measurement. On the first question, 62.8 percent of resolvable top-million domains publish SPF and 47.2 percent publish DMARC in 2026, with agreement to within 1.5 points between two independent infrastructures. On the second, SPF deployment has been near 60 percent since 2022, while DMARC deployment accelerated in the six months containing the mandate and reached 45.9 percent in the July 2026 OpenINTEL snapshot. On the third, about half of DMARC domains enforce, a share reached by 2023 and stable since, while configuration errors, over-broad SPF records, and short DKIM keys remain common. A controlled measurement of authentication and reputation against live inbox placement for legitimate senders is not available in the literature; it is planned as the next study in this series.
Declarations#
Competing interests. The author is the founder of SpamCipher, a commercial cold email and deliverability platform. This is a material competing interest. The analysis rests on primary sources, our own reproducible measurement, and public data; no product is evaluated, recommended, or required by any result.
Author contributions. Francis Davison is the sole author and is responsible for the conception, the measurement and its code, the systematic review and its verification, the analysis, and the accuracy of every figure and value.
Data and code availability. The pinned Tranco list identifier, resolver set, scan code, sampled domains, raw per-domain results, the OpenINTEL extraction and derived series, and the figure-generation code are released with this paper. The cited literature and the OpenINTEL data are public.
Acknowledgment. The longitudinal analysis was made possible by OpenINTEL (https://www.openintel.nl/), a joint project of the University of Twente, SIDN, NLnet Labs and SURF; OpenINTEL open-access data is licensed CC BY-NC-SA 4.0 and used here for non-commercial research.
Funding. None external; produced by SpamCipher.
---
