State of Domain Security 2026

Chris MorrisBy Chris Morris, Senior Developer · 2026-06-27

We ran DNS-level security checks across a ranked sample of the most popular domains on the internet and aggregated the results. The picture: SPF is near-universal, but DMARC enforcement and DNSSEC remain minority practices even at the top of the web.

Based on DNS-level checks of 10,000 domains from the Tranco top-domains ranking.

75%
publish an SPF record
66.7%
publish a DMARC record
49.3%
enforce DMARC (quarantine or reject)
12.2%
are DNSSEC-signed

The DMARC enforcement gap

Publishing a DMARC record is not the same as being protected. A record at p=none only monitors; it tells receivers to do nothing when a message fails. Of the 6,673 domains that publish DMARC, here is how the policy splits:

p=reject (blocks failing mail)46.6%
p=quarantine (sends to spam)27.2%
p=none (monitor only)26.1%

Share of domains that publish a DMARC record.

Adoption drops down the rankings

Security hygiene is concentrated at the very top. Each measure below is shown across four rank bands, from the top 1,000 down to rank 10,000. The gradient is the story: the further down the list, the rarer enforcement becomes.

Publishes DMARC

Top 1,00072.1% of 1,000
1,001–2,50065.3% of 1,500
2,501–5,00066.3% of 2,499
5,001–10,00066.3% of 5,000

Enforces DMARC (quarantine or reject)

Top 1,00059.7% of 1,000
1,001–2,50049.3% of 1,500
2,501–5,00050.9% of 2,499
5,001–10,00046.3% of 5,000

DNSSEC-signed

Top 1,00010.9% of 1,000
1,001–2,50012.6% of 1,500
2,501–5,00012.2% of 2,499
5,001–10,00012.3% of 5,000

Publishes CAA

Top 1,00033.6% of 1,000
1,001–2,50020.4% of 1,500
2,501–5,00020.4% of 2,499
5,001–10,00017.9% of 5,000

Who runs the internet’s email

Mail is highly concentrated. Among the 7,281 domains that publish MX records, a handful of providers handle most of it:

Google Workspace34.2% 2,491 domains
Other33.1% 2,411 domains
Microsoft 36515.7% 1,141 domains
Proofpoint6.7% 488 domains
Mimecast1.9% 141 domains
Amazon SES1.6% 117 domains
Yandex1.3% 95 domains
Tencent QQ Mail0.8% 59 domains
Namecheap Private Email0.7% 51 domains
Zoho0.7% 51 domains

Share of domains with MX records, by mail provider.

Who runs the internet’s DNS

The same concentration shows up in authoritative DNS, classified from each domain’s name servers:

Other34.3% 3,428 domains
AWS Route 5324.2% 2,422 domains
Cloudflare23.9% 2,389 domains
Akamai6% 596 domains
Google Cloud DNS4.4% 444 domains
NS12.1% 210 domains
Azure DNS1.8% 180 domains
UltraDNS1% 98 domains
GoDaddy0.6% 60 domains
DNS Made Easy0.5% 45 domains

Share of all tested domains, by DNS provider.

Methodology

We took the top 10,000 domains from the Tranco ranking and resolved each one over public DNS, recording whether it publishes an SPF record, a DMARC record and its policy, a CAA record, and whether the zone is DNSSEC-signed (checked via a DNSKEY query over DNS-over-HTTPS). We also classified each domain’s name servers and mail exchangers to estimate provider market share. Every figure below is reported as a share of the domains we tested, with the denominator stated. We never single out an individual domain, and a detectable misconfiguration is not by itself a security verdict.

A caveat on reading this. These are aggregate measurements of public DNS configuration, not an audit of any one domain. A missing record is not proof of a vulnerability, and a present one is not proof of safety. We report only totals and segments, never individual domains.

Sources