In the sprawling digital ecosystem of the modern web, trust hinges on invisible scaffolding: DNS configurations, registrar records, and cryptographic signaling that determines whether your inbox will deliver truth or treachery. With phishing, spoofing, and business email compromise continuing to exploit lapses in email authentication, one question looms large: Just how secure are the world’s most-visited domains?
Armed with DNS records (MX, SPF, DMARC) and whois metadata from the top 10 million domains on the internet, this analysis offers one of the most expansive snapshots of global email hygiene to date. From configuration trends to systemic weak points, we peel back the layers of digital trust to reveal what’s been hiding in plain sight.
The findings? At once expected and alarming. While many domains have embraced modern security standards, millions remain vulnerable — inviting attackers to impersonate, manipulate, and deceive. By analyzing registrar behavior, domain age, and adoption patterns, we uncover which corners of the internet are actively fortifying their defenses and which have left the door ajar.
Sender Policy Framework (SPF): Adoption and Pitfalls in the Wild
SPF serves as the internet’s first line of defense against email spoofing, specifying which IP addresses are authorized to send mail on behalf of a domain. But while it’s foundational to email authentication, its real-world implementation varies wildly across the web’s most popular domains.
SPF Adoption at a Glance
Out of the 10 million domains analyzed:
- 3,666,641 (36.7%) published a syntactically valid SPF record
- 140,843 (1.4%) published an SPF record with syntax errors or excessive DNS lookups
- 6,192,516 (61.9%) had no SPF record at all
This means that 63.3% of the 10 million most popular domains on the internet remain vulnerable to unauthorized sending and/or delivery issues.
Common Misconfigurations
Among the domains with SPF records:
- 110,732 (1.1%) exceeded the 10-DNS-lookup limit, rendering SPF evaluations unreliable.
- 4,479 (0.045%) used the `+all` mechanism (i.e., allow all), effectively nullifying the purpose of SPF. Worse, these domains open the door for cybercriminals to hijack the trust inherent in these domains to send phishing links, malware-laden messages, and launch social engineering attacks. Two particularly notable examples were ubuntu.com and civilservice.gov.uk. Imagine how easy it would be to lure UK citizens interested in civil service jobs with an authenticated message from [email protected]. Or consider the message below, which I sent to myself using nothing more than telnet:
- 2,632 misspelled the `ip4:` mechanism either by omitting the “4” or by inserting a “v”.
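The three misconfigurations above can be checked mechanically. The Python linter below is an added example, not code from the original analysis: it works against a constructed in-memory zone (the example domains and records are made up) instead of live DNS, counts lookups by following `include:` and `redirect=` chains the way an RFC 7208 evaluator would, and flags `+all` and unknown mechanism names such as a misspelled `ip4:`.

```python
# Constructed sample zone (name -> SPF TXT record) that stands in for live
# DNS so the example runs offline; none of these are real records.  The
# include targets of deep.example are deliberately absent from the zone.
ZONE = {
    "good.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
    "_spf.mail.example": "v=spf1 a mx ip4:198.51.100.0/24 ~all",
    "open.example": "v=spf1 ip4:192.0.2.10 +all",
    "typo.example": "v=spf1 ip:192.0.2.10 ipv4:198.51.100.1 -all",
    "deep.example": "v=spf1 " + " ".join(f"include:inc{i}.example" for i in range(11)) + " -all",
}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4

def parse_term(term):  # -> (qualifier, name, value, is_modifier)
    qual, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
    if "=" in term.split(":", 1)[0]:       # modifier, e.g. redirect=_spf.x
        name, value = term.split("=", 1)
        return qual, name.lower(), value, True
    name, _, value = term.partition(":")  # mechanism, e.g. ip4:192.0.2.0/24
    return qual, name.split("/")[0].lower(), value, False

def count_lookups(domain, seen=None):
    # Count DNS-querying terms, recursing through include:/redirect= chains.
    seen = set() if seen is None else seen
    if domain in seen or domain not in ZONE:
        return 0
    seen.add(domain)
    total = 0
    for term in ZONE[domain].split()[1:]:
        _, name, value, _ = parse_term(term)
        if name in LOOKUP_TERMS:
            total += 1 + (count_lookups(value, seen) if name in ("include", "redirect") else 0)
    return total

def lint_spf(domain):
    # Return the findings the article counts as SPF misconfigurations.
    record = ZONE.get(domain)
    if record is None:
        return ["no SPF record"]
    findings = []
    for term in record.split()[1:]:
        qual, name, _, is_mod = parse_term(term)
        if name not in (MODIFIERS if is_mod else MECHANISMS):
            findings.append(f"unknown term '{term}' (permerror)")
        elif name == "all" and qual == "+":
            findings.append("+all authorizes every sender")
    if (n := count_lookups(domain)) > MAX_LOOKUPS:
        findings.append(f"{n} DNS lookups exceed the limit of {MAX_LOOKUPS}")
    return findings
```

Swapping `ZONE.get` for a real TXT lookup turns this into a check you can run over your own domains before a receiver returns permerror.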
DMARC: Visibility, Policy, and Gaps
DMARC builds upon SPF and DKIM to offer domain owners the ability to define how unauthenticated messages should be handled — and to receive reporting data on abuse attempts. It’s a vital control against phishing and brand impersonation, yet widespread adoption remains elusive.
DMARC Adoption Snapshot
From the dataset of 10 million domains:
- 1,816,866 (18.2%) had a valid DMARC record
- 1,061,585 (10.6%) had a record with a `p=none` policy, offering visibility but no enforcement
- 755,281 (7.6%) implemented enforcement policies (`p=quarantine` or `p=reject`)
- 20,384 (0.2%) had malformed or incomplete DMARC entries
- 8,162,614 (81.6%) lacked a DMARC record entirely
Despite growing awareness, only 388,096 (3.9%) of the internet’s 10 million most popular domains enforce a reject policy that also applies to their subdomains, leaving the remaining domains exposed to spoofing even when SPF and DKIM are configured.
Common DMARC Configuration Issues
For domains that published a DMARC record, the most common error was the omission of the `mailto:` prefix before the `rua` and/or `ruf` reporting addresses. The second most common error was misplacement of the policy `p=` tag, which must occur immediately after the `v=DMARC1;` tag.
While not an error, 47.7% of domains with a valid DMARC record did not include a `rua` tag, meaning those domain owners receive no aggregate feedback that would let them correct SPF or DKIM configuration issues.
73% of domains with a valid DMARC record did not include a `ruf` tag, depriving the domain owner of forensic feedback reports. Forensic reports help diagnose SPF and DKIM misconfigurations and can also show the domain owner attempts to hijack their domain in near real time.
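An added Python parser, not code from the original analysis, that checks a record for the issues just listed (the positional `v=`/`p=` rule, reporting URIs without `mailto:`, missing `rua`/`ruf`) and, for the subdomain point raised in the adoption snapshot, whether an `sp=` tag leaves subdomains below a reject policy. The sample records are constructed for this example.

```python
# Sample DMARC records, constructed for this example (not from the dataset).
SAMPLES = {
    "good": "v=DMARC1; p=reject; rua=mailto:dmarc@example.net; ruf=mailto:dmarc@example.net",
    "nomailto": "v=DMARC1; p=quarantine; rua=dmarc@example.net",
    "misplaced": "v=DMARC1; rua=mailto:dmarc@example.net; p=none",
    "subgap": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.net",
}
POLICIES = {"none", "quarantine", "reject"}
REPORT_TAGS = {"rua": "aggregate", "ruf": "forensic"}

def parse_dmarc(record):
    """Return (tags, findings); 'error:' items make the record invalid."""
    tags = []
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags.append((name.strip().lower(), value.strip()))
    d = dict(tags)
    if not tags or tags[0] != ("v", "DMARC1"):
        return d, ["error: v=DMARC1 must be the first tag"]
    findings = []
    if d.get("p") not in POLICIES:
        findings.append(f"error: missing or invalid p= tag ({d.get('p')})")
    elif tags[1][0] != "p":                 # positional: p= follows v=
        findings.append("error: p= tag must immediately follow v=DMARC1")
    for tag, kind in REPORT_TAGS.items():
        if tag not in d:
            findings.append(f"note: no {tag} tag, so no {kind} reports are received")
            continue
        for uri in d[tag].split(","):
            if not uri.strip().lower().startswith("mailto:"):
                findings.append(f"error: {tag} address '{uri.strip()}' lacks mailto:")
    return d, findings

def effective_policies(d):
    """(policy for the domain, policy for subdomains); sp defaults to p."""
    return d.get("p"), d.get("sp", d.get("p"))

def fully_enforcing(d):
    """True only when reject applies to the domain and every subdomain."""
    return effective_policies(d) == ("reject", "reject")
```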
DMARC Provider Correlation to Policy
DMARC records specify the domain owner’s policy for how they would like receivers to treat unauthenticated mail that uses their domain in the "From:" header. There are three DMARC policies:
- “None,” which indicates the domain owner would like no special treatment applied to messages which fail authentication.
- “Quarantine,” which indicates the domain owner would like unauthenticated mail from their domain placed in a quarantine such as a spam folder.
- “Reject,” which indicates the domain owner would like the receiving organization to block the message outright, typically by issuing a 550 error at the end of the DATA portion of the SMTP transaction.
Receivers may honor the domain owner’s wishes or may override the sender’s DMARC policy for a variety of reasons specific to the receiving organization.
For maximum security, domain owners should publish a DMARC reject policy. This is often a difficult task, as it requires the domain owner to ensure that all legitimate email from their domain is properly authenticated with SPF and/or DKIM. The complexities of identifying all third-party senders and then working with those senders to ensure they follow DMARC-compatible authentication practices have led many companies to work with third parties who specialize in DMARC implementation.
Our analysis of the top 10 million internet domains found that only 22.9% of domains that send their DMARC reporting data to themselves have a DMARC reject policy, whereas 72.8% of domains whose DMARC records point to Fortra publish DMARC reject policies. The chart below shows the policy breakdown for the major DMARC solution providers. The data suggests that working with a third-party vendor who specializes in DMARC implementations increases the likelihood of reaching DMARC reject status.
Conclusions
This analysis of the DNS and email authentication configurations of the top 10 million internet domains reveals both encouraging trends and significant shortcomings in the global state of email security. While the adoption of foundational protocols like SPF and DMARC has increased in recent years, the data shows a concerning level of misconfiguration, underutilization, and overall neglect — leaving the majority of domains vulnerable to spoofing, phishing, and business email compromise.
While tools and standards exist to dramatically reduce spoofing and phishing risk, their protection is only as good as their implementation. The internet’s most visited domains include both shining examples of secure configuration and gaping vulnerabilities waiting to be exploited. Strengthening global email hygiene requires not only broader adoption of standards like SPF and DMARC, but also a concerted effort to ensure they are implemented correctly — and supported by the right infrastructure, partnerships, and oversight.