
Email auth adoption stalls at top 10 000 domains
A June 2026 scan of the Tranco top 10 000 sites finds 46.5% of DMARC records enforce reject, 25% lack SPF, and 97.8% miss MTA‑STS, exposing a gap between configuration and real protection [Dev.to].
A June 2026 scan of the Tranco top 10 000 domains shows 46.5% of DMARC records enforce a p=reject policy, while 97.8% lack an MTA‑STS policy and 25% publish no SPF record [Dev.to]. Vadim Ivanov ran SPF, DKIM, DMARC, and MTA‑STS checks against the top 10 000 sites using public resolvers (1.1.1.1 and 8.8.8.8).
Of the 9 937 domains that resolved, 3 318 (33.4%) published no DMARC record at all. Among the 6 619 domains that do publish DMARC, only 46.5% set the policy to p=reject. A quarter (26%) remain at p=none, the monitor-only mode that provides no enforcement.
SPF coverage is similarly incomplete: 25% of domains have no SPF record, and 1.7% exceed the ten-lookup limit defined in RFC 7208, causing a permerror that silently fails authentication [Dev.to].
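The two checks described above (DMARC policy level and the RFC 7208 ten-lookup limit) can be reproduced against your own domains. The following is an added example, not code from the scan or its author: the TXT records are constructed and stand in for DNS answers so it runs offline, the function names are hypothetical, and the lookup count is a static worst case over every `include` and `redirect` branch.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 cap on DNS-querying terms per SPF evaluation
_MECH = re.compile(r"^(include|a|mx|ptr|exists)(?::([^/]+))?(?:/.*)?$", re.I)
# Constructed TXT records standing in for DNS answers (not data from the scan).
TXT = {
    "ok.test": "v=spf1 mx include:_spf.ok.test -all",
    "_spf.ok.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.ok.test": "v=DMARC1; p=reject; rua=mailto:d@ok.test",
    "big.test": "v=spf1 a mx include:_a.big.test include:_b.big.test ~all",
    "_a.big.test": "v=spf1 a mx exists:%{i}.rbl.big.test include:_c.big.test ~all",
    "_b.big.test": "v=spf1 mx:mx1.big.test/24 ptr redirect=_c.big.test",
    "_c.big.test": "v=spf1 a:relay.big.test ~all",
    "_dmarc.big.test": "v=DMARC1; p=none",
}

def spf_lookups(domain, txt=TXT, stack=()):
    """Worst-case count of DNS-querying SPF terms, following include/redirect."""
    record = txt.get(domain, "")
    if domain in stack or not record.lower().startswith("v=spf1"):
        return 0  # loop guard, or no SPF record to expand
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + spf_lookups(term.split("=", 1)[1], txt, stack + (domain,))
            continue
        m = _MECH.match(term)  # "all", ip4 and ip6 cost no lookup and do not match
        if m:
            total += 1
            if m.group(1).lower() == "include" and m.group(2):
                total += spf_lookups(m.group(2), txt, stack + (domain,))
    return total

def dmarc_policy(domain, txt=TXT):
    """Return the p= tag of the DMARC record, or None if none is published."""
    parts = (p.partition("=") for p in txt.get("_dmarc." + domain, "").split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in parts}
    return (tags.get("p", "").lower() or None) if tags.get("v") == "DMARC1" else None

def audit(domain, txt=TXT):
    n = spf_lookups(domain, txt)
    has_spf = txt.get(domain, "").lower().startswith("v=spf1")
    policy = dmarc_policy(domain, txt)
    spf = "missing" if not has_spf else "permerror" if n > LOOKUP_LIMIT else "ok"
    return {"spf": spf, "spf_lookups": n, "dmarc": policy or "missing",
            "reject_enforced": policy == "reject"}

if __name__ == "__main__":
    for d in ("ok.test", "big.test", "bare.test"):
        print(d, audit(d))
```

To run it against live domains, replace the `TXT` dictionary with answers fetched by a resolver of your choice; the counting and classification logic is unchanged.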
Transport-level protections are almost absent. 97.8% of the sample lack an MTA‑STS policy, and 97.1% publish no TLS‑RPT record. Only 8.9% publish a BIMI record, rising to 15.7% among the top 1 000 domains. The lack of MTA‑STS means receivers fall back to opportunistic STARTTLS, exposing mail to downgrade attacks [Dev.to].
The data reveals a gap between configuration and real protection. Most operators stop at the monitoring stage, with only 46.5% of DMARC records enforcing a p=reject policy. The failure to enforce DMARC policies and implement transport layer security leaves the top of the web vulnerable to spoofing and downgrade attacks.


