Your Mailbox Provider Is Your Security Policy: Email Authentication, Re-Cut by Who Runs the Mail

Two months ago we measured the Internet's email-authentication layer directly — every _dmarc, _mta-sts, default._bimi and apex SPF record we could resolve — and found that of 150 million mail-capable domains, only 9% run a credible anti-spoofing stack. One month ago we measured a different layer of the same crawl, the MX record, and found that the most common answer to "who runs your email" is not Google or Microsoft but whoever sold you the domain. This post multiplies the two together, and the product is sharper than either factor.

The question it answers is the one neither census could answer alone: does email-authentication posture depend on who runs the mail? The conventional framing treats authentication as a property of the domain owner — a decision each organization makes, or fails to make, about whether to publish DMARC and turn it up to enforcement. The State of TXT census found that this decision tracks geography: the Netherlands, Germany and Switzerland enforce; Italy and Japan publish and then stall at p=none. But geography is a proxy for something more mechanical. A German plumber does not read RFC 7489 and resolve to enforce DMARC; he registers a domain at a German host and inherits whatever that host writes into the zone. If that is what is happening across the Internet, then the real unit of email security is not the country and not the domain — it is the provider.

In early 2024, those providers' defaults started to matter for everyone. Google and Yahoo's bulk-sender requirements, enforced from February 2024, told anyone sending more than 5,000 messages a day that they must publish SPF, DKIM, and a DMARC record of at least p=none or watch their mail be throttled and then rejected. That mandate created a floor — a reason to publish something — but it deliberately stopped at p=none, the policy that instructs receivers to do nothing. Whether a domain ever climbs from that floor to actual enforcement is left to whoever operates its mail. So we asked the records who that is.

We use the same 5 May 2026 full-corpus typed crawl as the State of TXT census, and join two layers at the registrable apex: the primary MX — the lowest-preference mail exchanger, classified to an operator with the same taxonomy as Who Runs the World's Email — and the email-authentication trio of DMARC, MTA-STS and BIMI, plus apex SPF. Every mail-capable apex casts one vote per signal, attributed to the operator of its mail. Russian-territorial TLDs are excluded throughout, per project policy.

The headline: the 9% credible-stack minority is not spread across the Internet — it clusters behind a handful of operators, and the gap between them is enormous. Security gateways and Microsoft 365 run the credible SPF-plus-enforced-DMARC stack on 18.9% and 17.5% of their domains; four of the five largest registrar-bundled hosts — IONOS, Hostinger, Namecheap and OVH, which between them run more mail-capable domains than Google — run it on 1.2% or less (GoDaddy, the largest of the five, reaches only 6.0%). The single largest category of email on the Internet, registrar-bundled hosting with 46.7 million domains, stops spoofing on 3.5% of them, well below the global average. The credible stack is not something most domains choose. It is something a few providers do on their customers' behalf, and most providers do not.

The Data

Every record in this study comes from the same 5 May 2026 full-corpus typed DNS pass as the State of TXT census, reduced to the registrable apex. We join, per apex, five independently queried signals.

Record set  Query target              Record marker  Result archives
MX          apex MX                   -              3,131
SPF         apex TXT                  v=spf1         3,132
DMARC       _dmarc.<apex> TXT         v=DMARC1       3,132
MTA-STS     _mta-sts.<apex> TXT       v=STSv1        3,127
BIMI        default._bimi.<apex> TXT  v=BIMI1        3,130

The denominator is the mail-capable apex — a registrable domain whose own MX query returns at least one real, non-null mail exchanger — exactly as in both prior censuses. Of the apexes observed in this pass, 149,839,979 are mail-capable. That lands within 0.12% of the State of TXT count of 150,020,997 from the same crawl, and the global authentication rates reproduce it almost exactly: 71.5% publish SPF (State of TXT: 71.3%), 34.1% publish DMARC (34.1%), 11.6% enforce DMARC (11.7%), and 9.0% run the credible stack (9.0%). The two pipelines were written independently from the same definitions and agree to the second digit, which is the internal-consistency check that lets us trust the per-provider cut below. Each mail-capable apex contributes one vote per signal, attributed to the operator of its primary MX; a domain that cannot receive mail has no operator to attribute and is excluded.

Methodology

A study that claims provider X enforces and provider Y does not needs both halves — the provider attribution and the authentication test — defined exactly, because a single greedy substring or the wrong denominator moves a provider by millions of domains.

Mail-capable and primary provider. An apex is mail-capable if its MX query returns at least one exchanger that is not the RFC 7505 null target (.). The primary MX is the lowest-preference exchanger — the server mail is delivered to first — reduced to its registrable domain (alt1.aspmx.l.google.com reduces to google.com) and classified with the same ordered CONTAINS-then-EXACT operator taxonomy as Who Runs the World's Email: nine categories spanning Google Workspace, Microsoft 365, other cloud suites, registrar/host-bundled, security gateways, regional operators, forwarders, parking, and broken. Provider domain counts here match that June census to within the one-month gap (Google 19.5M vs 20.0M, Microsoft 14.1M vs 14.2M, GoDaddy 9.4M vs 9.3M).

Provider attribution is first-hop, not mailbox. An MX names the front door, not the room behind it. Secure email gateways (Proofpoint, Mimecast, Barracuda) and registrar resellers (GoDaddy's secureserver.net) sit in front of Microsoft 365 or Google, so the operator we record is the gateway or reseller, and the true cloud-suite footprint is undercounted. We report the MX-visible operator and flag, in every section where it matters, where that operator hides a backend. This means the gateway enforcement numbers below should be read as "the posture of the kind of domain that sits behind a gateway," not as a security vendor's own product setting.

The four authentication signals — identical definitions to A State of TXT:

  • SPF: an apex TXT beginning v=spf1. Strict = a terminal -all (hardfail); soft = ~all; the rest neutral or pass-all.
  • DMARC: a TXT at _dmarc.<apex> beginning v=DMARC1, organisational record only. Published = present; enforcing = p=quarantine or p=reject; p=none enforces nothing.
  • MTA-STS: a TXT at _mta-sts.<apex> beginning v=STSv1. This is the presence of the identity record — an upper bound; we do not fetch the HTTPS policy file it points to, so real transport enforcement is lower.
  • BIMI: a TXT at default._bimi.<apex> beginning v=BIMI1; VMC-backed if it carries an a= certificate tag.

The two composite metrics.

  • Credible stack = SPF present and DMARC enforcing. This is the State of TXT "minimum credible stack," 9.0% globally — the floor at which a domain actually resists spoofing. SPF on its own only lists which hosts may send; without an enforcing DMARC policy there is no instruction to act when a message fails alignment with the visible From address, so a forgery can still be delivered.
  • Transport-hardened = strict SPF (-all) and DMARC p=reject and an MTA-STS record. The elite tier.
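As an added illustration of the definitions above (example code written for this edit, not the census's Go extractor or Python classifier), the block below applies the mail-capable test, primary-MX selection, the four signals and both composites to constructed DNS answers, then rolls the results up per operator, including the enforced-over-published ratio the post uses later. The operator table, MX hostnames and zone contents are invented for the example, and registrable-domain reduction is simplified to the last two labels rather than ICANN public-suffix rules.

```python
from collections import defaultdict

# Hypothetical slice of the operator taxonomy, keyed by the registrable domain of the
# primary MX (assumption: invented operators, not the census's real table).
OPERATORS = {
    "bundledhost.example": ("BundledHost", "host-bundled"),
    "rejecthost.example": ("RejectHost", "host-bundled"),
    "suiteco.example": ("SuiteCo", "cloud suite"),
}

def registrable(host):
    # Assumption: last two labels; the census applies ICANN public-suffix rules instead.
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def primary_mx(mx_records):
    # Lowest-preference (preference, target); a lone "." target is the RFC 7505 null MX.
    real = [(pref, target) for pref, target in mx_records if target.rstrip(".") != ""]
    return min(real)[1] if real else None

def tags_of(record):
    # "k=v; k=v" records (DMARC, BIMI) -> dict with lower-cased tag names.
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def spf_class(txts):
    # "strict" for a terminal -all, "soft" for ~all, "other" for any other v=spf1, None if absent.
    for txt in txts:
        if txt.strip().lower().startswith("v=spf1"):
            return {"-all": "strict", "~all": "soft"}.get(txt.split()[-1].lower(), "other")
    return None

def dmarc_policy(txts):
    # p= tag of the v=DMARC1 record; None when unpublished. Assumption: a missing p= reads as none.
    for txt in txts:
        if txt.strip().lower().startswith("v=dmarc1"):
            return tags_of(txt).get("p", "none").lower()
    return None

def classify(apex, answers):
    # answers maps each record set (mx, spf, dmarc, mta_sts, bimi) to the raw answers its query returned.
    mx = primary_mx(answers.get("mx", []))
    if mx is None:
        return None  # not mail-capable: nobody to attribute it to, excluded from every denominator
    operator, category = OPERATORS.get(registrable(mx), ("unclassified", "unclassified"))
    spf = spf_class(answers.get("spf", []))
    p = dmarc_policy(answers.get("dmarc", []))
    enforcing = p in ("quarantine", "reject")
    mta_sts = any(t.strip().lower().startswith("v=stsv1") for t in answers.get("mta_sts", []))
    bimi = [t for t in answers.get("bimi", []) if t.strip().lower().startswith("v=bimi1")]
    return {
        "apex": apex, "operator": operator, "category": category, "spf": spf,
        "dmarc_published": p is not None, "dmarc_p": p, "dmarc_enforcing": enforcing,
        "mta_sts": mta_sts, "bimi": bool(bimi),
        "bimi_vmc": bool(bimi) and bool(tags_of(bimi[0]).get("a")),
        "credible": spf is not None and enforcing,
        "transport_hardened": spf == "strict" and p == "reject" and mta_sts,
    }

def operator_rates(results):
    # Per-operator scorecard shares plus the enforced-over-published ratio.
    counts = defaultdict(lambda: defaultdict(int))
    for r in results:
        if r is None:
            continue
        c = counts[r["operator"]]
        c["n"] += 1
        c["spf"] += r["spf"] is not None
        for k in ("dmarc_published", "dmarc_enforcing", "credible", "mta_sts", "transport_hardened"):
            c[k] += r[k]
    rates = {}
    for op, c in counts.items():
        rates[op] = {k: c[k] / c["n"] for k in c if k != "n"}
        rates[op]["n"] = c["n"]
        rates[op]["enforced_over_published"] = (
            c["dmarc_enforcing"] / c["dmarc_published"] if c["dmarc_published"] else 0.0)
    return rates

SAMPLE = {  # constructed sample answers (assumption: invented zones, not crawl data)
    "plumber.example": {  # host default: SPF on, DMARC published at p=none, enforcing nothing
        "mx": [(10, "mx00.bundledhost.example."), (20, "mx01.bundledhost.example.")],
        "spf": ["v=spf1 include:_spf.bundledhost.example ~all"],
        "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@plumber.example"],
    },
    "bank.example": {  # the transport-hardened tier, with a VMC-backed BIMI record
        "mx": [(5, "in1.suiteco.example."), (10, "in2.suiteco.example.")],
        "spf": ["v=spf1 include:spf.suiteco.example -all"],
        "dmarc": ["v=DMARC1; p=reject; sp=reject; rua=mailto:rua@bank.example"],
        "mta_sts": ["v=STSv1; id=20260505T000000"],
        "bimi": ["v=BIMI1; l=https://bank.example/logo.svg; a=https://bank.example/vmc.pem"],
    },
    "sideproject.example": {"mx": [(5, "in1.suiteco.example.")]},  # same suite, nothing else set
    "shop.example": {  # p=reject by provider default but no apex SPF: nothing aligned to enforce
        "mx": [(10, "mx.rejecthost.example.")],
        "dmarc": ["v=DMARC1; p=reject"],
    },
    "nomail.example": {"mx": [(0, ".")], "spf": ["v=spf1 -all"]},  # RFC 7505 null MX, excluded
}

def run_sample():
    return operator_rates(classify(apex, ans) for apex, ans in SAMPLE.items())
```

On the sample, BundledHost publishes DMARC on every domain and enforces on none (enforced-over-published of 0), RejectHost enforces on every domain but clears the credible bar on none because apex SPF is absent, and the null-MX apex never enters a denominator; that is the same arithmetic as the provider tables, on five invented zones instead of 150 million.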

Known limitations. Records can be stale, and a published record need not be used, so every rate here is an upper bound on real behaviour. Provider defaults mean a high provider rate can reflect the operator's boilerplate rather than any customer decision — but that is the finding, not a confound: the entire question is whether posture is inherited. This is a single snapshot; SPF and MX have a fifteen-month history in the archive, but the DMARC/MTA-STS/BIMI trio was captured only in the May 2026 pass, so no enforcement trend is claimed. MTA-STS is an identity-record upper bound; DKIM is unobservable from DNS alone because its selectors are unpredictable. Russian-territorial TLDs are excluded throughout.

Reproducibility. The extractor (a Go per-apex emitter) and the streaming join/classifier (Python over an apex-sorted stream) are the same two-stage design as the published MX and TXT censuses; the provider taxonomy and authentication definitions are copied verbatim from them. Benchmark your own apexes against the dataset.

The Scorecard

The global stack is the State of TXT funnel, restated as the denominator for everything that follows.

Signal                                            Mail-capable apexes  Share
SPF published                                     107,089,227          71.47%
SPF -all (strict)                                  32,699,829          21.82%
DMARC published                                    51,082,382          34.09%
DMARC enforced (quarantine + reject)               17,417,434          11.62%
DMARC p=reject                                      9,220,237           6.15%
Credible stack (SPF + enforced DMARC)              13,421,258           8.96%
MTA-STS record                                        215,963           0.14%
BIMI record                                           125,982           0.08%
Transport-hardened (SPF -all + reject + MTA-STS)       49,750           0.03%

Now the same stack, cut by who runs the mail. These are the operators that carry the most mail-capable domains, with the share of each that publishes SPF, publishes and enforces DMARC, and clears the credible-stack bar.

Operator                  Mail-capable  SPF    DMARC  DMARC enf  Credible  Category
Google Workspace            19,540,248  65.2%  29.6%  11.6%      10.1%     cloud suite
Microsoft 365               14,053,975  90.8%  35.2%  19.0%      17.5%     cloud suite
GoDaddy                      9,362,439  11.6%   7.8%   6.7%       6.0%     host-bundled
IONOS                        6,415,970  89.8%  89.8%   0.9%       0.9%     host-bundled
Namecheap                    6,251,851  91.8%   1.0%   0.2%       0.2%     host-bundled
Hostinger                    4,226,377  90.3%  81.2%   0.9%       0.8%     host-bundled
OVH                          2,899,490  67.9%   6.4%   1.3%       1.2%     host-bundled
Strato                       2,756,978   5.1%  94.4%  93.3%       4.2%     host-bundled
Zoho                         1,856,802  84.8%  32.3%  11.1%      10.0%     cloud suite
Cloudflare Email Routing     1,671,438  91.0%  26.8%   8.9%       8.2%     forwarder
Proofpoint                   1,081,898  90.7%  39.2%  24.4%      22.3%     gateway

The spread between providers is larger than the spread between countries. The State of TXT census found national enforcement ranging from the low single digits to the high thirties; here, the credible-stack rate runs from Microsoft's 17.5% and Proofpoint's 22.3% down to Namecheap's 0.2% — a roughly hundredfold gap between two operators that each run millions of domains. Four of the five largest registrar-bundled hosts (IONOS, Hostinger, Namecheap, OVH) together carry 19.8 million mail-capable domains — more than Google Workspace's 19.5 million — and none of them exceeds 1.2% on the credible stack; GoDaddy, the fifth and largest, manages 6.0%. Whatever determines whether a domain resists spoofing, it is doing its work upstream of the domain owner, at the provider.

This also resolves a discrepancy with the commercial DMARC trackers. Valimail's 2026 State of DMARC reports enforcement at 42% — but of DMARC-publishing domains in a monitored, enterprise-skewed panel, where it grew from 35% over 2025. Our full-corpus figure for the same ratio is lower (34% of DMARC adopters enforce), and the provider cut shows exactly why a panel reads higher: enterprise panels over-weight Microsoft, gateways and managed suites, which run the credible stack at 15–19%, and under-weight the registrar-bundled hosting that runs it at 3.5% and dominates the real population. The "state of DMARC" depends entirely on which providers' domains you sampled.

Email Security Is Inherited, Not Chosen

Roll the operators up into their nine categories and the inheritance becomes the whole picture.

Category                  Mail-capable  SPF    DMARC  DMARC enf  Credible
Security gateways            2,623,560  72.9%  35.8%  22.2%      18.9%
Microsoft 365               14,053,975  90.8%  35.2%  19.0%      17.5%
Forwarders / routing         2,888,454  87.5%  33.0%  17.9%      16.3%
Other cloud suites           3,380,788  82.3%  36.1%  16.2%      14.7%
Google Workspace            19,540,248  65.2%  29.6%  11.6%      10.1%
Regional (Asia / East)       1,790,071  70.3%  19.1%   7.2%       6.4%
Registrar / host-bundled    46,660,491  62.0%  38.7%   9.2%       3.5%
Parking / for-sale           1,306,663  82.1%   1.3%   1.0%       0.8%
Broken / non-deliverable     2,215,488  85.9%   0.4%   0.2%       0.04%

The largest category of email on the Internet is also, parked and broken domains aside, the least protected. Registrar- and host-bundled email serves 46.7 million mail-capable domains — more than Google Workspace and Microsoft 365 combined — and clears the credible-stack bar on 3.5% of them, well under half the 9.0% global average and a fifth of Microsoft's rate. Because this category is so much larger than the others, it drags the global number down single-handedly: the Internet's mediocre 9% is not a uniform mediocrity but a weighted average of a protected minority of suite-and-gateway domains and an enormous, near-unprotected base of bundled hosting.

The category order is close to the inverse of the volume order, and that is the inheritance signal. The best-protected categories — gateways, Microsoft, forwarders, other suites — are, Microsoft aside, the smallest, and they are the ones a customer actively chooses and configures: you do not end up behind Proofpoint by accident. The worst-protected and largest category is the one that arrives switched on with a hosting plan nobody evaluated for security. Posture rises where the owner made a deliberate choice and collapses where the provider's default was the only decision made. Email security, across the bulk of the Internet, is a property of the box your domain shipped in.

The Floor-Lifters: Publishing DMARC and Enforcing Nothing

The registrar-bundled category's 3.5% hides a more specific and stranger mechanism, visible only when you separate publishing DMARC from enforcing it.

Operator          DMARC published  DMARC enforced  Enforced ÷ published  Apex SPF
IONOS             89.8%             0.9%            1.1%                 89.8%
Hostinger         81.2%             0.9%            1.1%                 90.3%
SiteGround        92.7%             1.5%            1.6%                 91.0%
Strato            94.4%            93.3%           98.8%                  5.1%
Microsoft 365     35.2%            19.0%           54.1%                 90.8%
Google Workspace  29.6%            11.6%           39.3%                 65.2%
Namecheap          1.0%             0.2%           22.3%                 91.8%
GoDaddy            7.8%             6.7%           85.9%                 11.6%

IONOS, Hostinger and SiteGround publish DMARC on 80–93% of their domains and enforce it on about 1% of them. This is the Google/Yahoo mandate rendered as provider boilerplate: a host that wants its customers' mail to keep reaching Gmail switches on SPF and a p=none DMARC record across its entire base, clears the deliverability gate, and stops. The record exists, the compliance box is ticked, and the policy instructs receivers to take no action against a forgery. The gap between the published and enforced columns in the table above is that decision, made once by a provider and inherited by millions of domains whose owners never saw it.

Strato is the one registrar that defaults the other way, and it proves the mechanism by inverting it. Strato publishes DMARC on 94% of its domains and enforces on 93% — p=reject, the strictest policy, set by default across its base. No customer of Strato chose p=reject any more than a customer of IONOS chose p=none; both inherited a provider's house style. The contrast is the cleanest natural experiment in the dataset: two German registrar-bundled hosts, each carrying millions of domains, one defaulting its customers into enforcement and the other into permanent advisory mode, with the customers none the wiser in either direction. (Strato's credible-stack rate is still only 4.2%, because it pairs its aggressive DMARC default with apex SPF on just 5% of domains — enforcement without SPF is a policy with little left to enforce, a reminder that no single default substitutes for the whole stack.)

Namecheap and GoDaddy lift no floor at all, in opposite ways. Namecheap publishes SPF on 92% of its domains but DMARC on just 1% — the SPF default is on, the DMARC default is off, so its customers advertise their senders and then publish nothing that tells a receiver what to do about an impostor. GoDaddy is the rarer case of a host whose apex SPF default is largely absent (11.6%); the 9.4 million domains it fronts on secureserver.net mostly carry no apex v=spf1 record at all, which caps its credible stack at 11.6% whatever its DMARC default does, and the observed figure is 6.0%. Three of the largest hosts on the Internet, three different broken defaults, and in every case the customer's posture was set the day they bought the domain.

The Managed Premium: Where Enforcement Is a Decision

At the other end sit the operators whose customers came for the mail, not the bundle, and the numbers rise accordingly.

Microsoft 365 outperforms Google Workspace on every enforcement metric, and the gap is real even after the undercount. Microsoft's domains run the credible stack at 17.5% to Google's 10.1%, publish SPF at 90.8% to 65.2%, and enforce DMARC at 19.0% to 11.6%. Some of Google's lower SPF rate is structural — a large share of Workspace domains are small businesses and side projects that configured the MX from a registrar wizard and never added the SPF record — and Microsoft's number is flattered by the enterprise tenants that dominate its base. But the direction is consistent across all four metrics and survives the gateway-and-reseller undercount that hides much of Microsoft's true footprint: the slice of Microsoft we can see is the better-authenticated of the two cloud giants.

Security gateways top the table because a gateway is a posture, not a product. The 18.9% credible rate for the gateway category — Proofpoint alone at 22.3% — is not a setting Proofpoint ships; it is the authentication posture of the kind of organization that buys a secure email gateway in the first place. A domain behind Proofpoint or Mimecast belongs to a security team that has already decided email is a threat surface, and that decision shows up in the DMARC record as surely as in the gateway contract. The gateway is the most reliable single predictor of enforcement in the dataset precisely because it is downstream of an intent the DMARC record cannot otherwise reveal.

The privacy suites are the quiet leaders, and they default their customers into protection. Proton Mail runs the credible stack on 57.7% of its domains and Infomaniak on 47.4% — multiples of any volume provider — because, like Strato, they configure enforcement as the house default, but unlike Strato they pair it with SPF. The pattern that runs through every standout is the same: high posture is either chosen by a security-conscious customer or defaulted by a security-conscious provider, and the two are indistinguishable in the records. What never produces high posture is the absence of a decision.

The Transport Tier Is Empty Behind Every Door

One layer of the stack is missing almost everywhere, regardless of provider.

Category                  MTA-STS  BIMI   Transport-hardened
Security gateways         0.45%    0.19%  highest, still a rounding error
Microsoft 365             0.29%    0.16%
Google Workspace          0.15%    0.17%
Registrar / host-bundled  0.01%    0.02%  ~0
Parking / broken          0.00%    0.00%  0
Global                    0.14%    0.08%  0.03%

MTA-STS and BIMI are absent behind every provider, not just the weak ones. The transport-hardened tier — strict SPF, p=reject, and an MTA-STS policy together — is run by 49,750 domains on the entire Internet, 0.03% of the mail-capable population, and even the best category, security gateways at 0.45% MTA-STS, sits more than forty times below its own 18.9% credible-stack rate. This is the one finding the provider lens does not explain away: enforcement of the SPF-and-DMARC layer is inherited and varies wildly by operator, but the transport layer is uniformly empty. Both the floor-lifting registrars and the managed-premium suites skip it. The reason is mechanical — MTA-STS requires publishing and maintaining an HTTPS policy file that names the domain's MX hosts, not a one-line DNS default, so it is the one signal a provider cannot switch on with a DNS record alone — and it marks the boundary of what default-driven security currently reaches.
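To show what the transport tier demands beyond the identity record (an added example for this edit, not tooling from the census), the block below parses an RFC 8461 policy file and checks its mode and mx patterns against a domain's MX hosts. It is also why the MTA-STS column above is only an upper bound: a policy in testing mode, or one that omits an MX host, leaves transport unenforced even though the _mta-sts TXT record exists. The identity record, policies and hostnames are constructed for the example.

```python
def parse_mta_sts_policy(text):
    # RFC 8461 policy file: "key: value" lines, CRLF or LF separated; mx may repeat.
    policy = {"mx": []}
    for line in text.replace("\r\n", "\n").split("\n"):
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_matches(pattern, host):
    # RFC 8461 matching: exact hostname, or a leftmost "*" standing for exactly one label.
    host = host.rstrip(".").lower()
    if pattern.startswith("*."):
        host_labels, pattern_labels = host.split("."), pattern[2:].split(".")
        return len(host_labels) == len(pattern_labels) + 1 and host_labels[1:] == pattern_labels
    return host == pattern

def transport_enforcing(txt_record, policy_text, mx_hosts):
    """(bool, reason): does this domain actually make senders insist on TLS?"""
    if not txt_record.strip().lower().startswith("v=stsv1"):
        return False, "no _mta-sts identity record; the census would not count it at all"
    policy = parse_mta_sts_policy(policy_text)
    if policy.get("version") != "STSv1":
        return False, "policy file is not version: STSv1"
    if policy.get("mode") != "enforce":
        # testing mode reports failures but still delivers; none withdraws the policy
        return False, f"mode is {policy.get('mode')!r}: only enforce refuses insecure delivery"
    if not policy.get("max_age", "").isdigit():
        return False, "max_age missing or not a non-negative integer"
    uncovered = [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy["mx"])]
    if uncovered:
        return False, f"MX not listed in the policy, so policy-honouring senders refuse it: {uncovered}"
    return True, "enforce mode, every MX covered"

# Constructed inputs (assumption: invented hosts and policies, not fetched from anywhere).
IDENTITY = "v=STSv1; id=20260505T000000"
MX_HOSTS = ["in1.mail.example", "in2.mail.example"]
POLICY_OK = "version: STSv1\nmode: enforce\nmx: *.mail.example\nmax_age: 604800\n"
POLICY_TESTING = POLICY_OK.replace("mode: enforce", "mode: testing")
POLICY_PARTIAL = "version: STSv1\r\nmode: enforce\r\nmx: in1.mail.example\r\nmax_age: 86400\r\n"

def check_samples():
    # Same identity record every time: only the policy file decides whether transport is enforced.
    return {
        "ok": transport_enforcing(IDENTITY, POLICY_OK, MX_HOSTS),
        "testing": transport_enforcing(IDENTITY, POLICY_TESTING, MX_HOSTS),
        "partial": transport_enforcing(IDENTITY, POLICY_PARTIAL, MX_HOSTS),
        "no_record": transport_enforcing("", POLICY_OK, MX_HOSTS),
    }
```

Three of the four constructed domains carry an identical v=STSv1 record, so a DNS-only census counts all three, yet only one of them enforces; the partial policy is the worst case, because an enforce-mode file that omits an MX host does not merely fail to protect that host, it makes compliant senders refuse to deliver to it.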

What's at Stake

  • "Adopt DMARC" advice aimed at domain owners is aimed at the wrong layer. For the 46.7 million domains on registrar-bundled mail, whether the domain enforces was decided by the host's default, not the owner's awareness. Campaigns that tell small businesses to publish DMARC are asking them to override a provider default most of them cannot see and would not know how to change.
  • A single provider's default-policy change would move the global number more than a decade of owner education. If IONOS, Hostinger and SiteGround shipped p=quarantine instead of p=none the way Strato ships p=reject, tens of millions of domains would cross into enforcement overnight — and conversely, the Internet's enforcement rate is hostage to a handful of product decisions at a handful of hosts.
  • Enterprise DMARC panels systematically overstate the Internet's protection. Trackers that sample monitored or business-tracked domains report enforcement around 42% for two reasons: their sample is rich in the suite-and-gateway domains that enforce and poor in the registrar-bundled domains that do not, and they compute the ratio over DMARC-publishing domains only. The full-corpus figure on that same denominator is 34%, and on all mail-capable domains it is 11.6%; the difference is selection, not measurement.
  • Boilerplate enforcement can be theater. Strato's 93% p=reject default sits on top of 5% apex SPF, so most of those reject policies have little aligned authentication to enforce. A high enforcement rate is not the same as a credible stack, and a provider default can produce the former without the latter.
  • The transport layer is a universal blind spot, not a long-tail problem. MTA-STS at 0.14% and the transport-hardened tier at 0.03% are not dragged down by parked domains; they are near-zero behind Microsoft, Google and the gateways too. The most security-conscious operators on the Internet have not closed the SMTP-downgrade gap, because it is the one part of the stack a default cannot fix.

What Would Help

  1. Hosting providers: your default policy is the Internet's policy. The single highest-leverage email-security action available to anyone is a registrar changing its shipped DMARC default from p=none toward enforcement — paired with apex SPF so the policy has something to act on. Strato and the privacy suites show it is operationally feasible at scale; IONOS, Hostinger and SiteGround already publish the record on 80–93% of domains and need only turn up the policy. Benchmark your own base against the dataset.
  2. Domain owners on bundled hosting: check what your provider set, because you have one. Query _dmarc.yourdomain and your apex TXT. If the DMARC policy reads p=none or the SPF record is missing, your host made a choice you can override in minutes — and if you are on Strato or a privacy suite, confirm the aggressive default actually aligns with how you send. Cross-reference the State of TXT definitions for what each value means.
  3. Security teams and analysts: report enforcement against a denominator, and name the provider mix. "DMARC enforcement is at 42%" and "DMARC enforcement is at 11.6%" are both true, of an enterprise panel and of the whole Internet respectively. Any figure that does not state which providers' domains it sampled is unfalsifiable; segment by operator the way this census does and the contradiction dissolves.
  4. Receivers and standards bodies: make p=none boilerplate harder to leave in place. The Google/Yahoo mandate succeeded in driving publication and stopped at the floor. The next increment of safety is a graduated expectation — escalating from p=none toward enforcement on a published timeline — that pushes providers' defaults up the way the original mandate pushed publication up.
  5. Everyone: treat MTA-STS as the next frontier, because no default will reach it for you. The transport-hardened tier is empty behind every provider precisely because MTA-STS cannot be switched on with a wildcard DNS record. Hosts that automate the HTTPS policy file for their customers, and large senders that publish it for themselves, are the only path off 0.03% — and it is wide open, since no operator has yet claimed it. Track the per-signal rates on the statistics dashboard.

Methodology: 149,839,979 mail-capable apex domains from a DomainsProject full-corpus typed DNS crawl dated 5 May 2026 — the same pass as A State of TXT — joined at the registrable apex across five independently queried signals (MX, apex SPF, _dmarc, _mta-sts, default._bimi) via ICANN public-suffix rules. Each mail-capable apex is attributed to the operator of its lowest-preference MX and classified with the same heuristic taxonomy as Who Runs the World's Email; 63% of mail-capable apexes resolve to a named operator and the unclassified remainder, predominantly small regional hosts, is reported separately. Authentication definitions are identical to A State of TXT: SPF terminal-qualifier, organisational _dmarc with p= enforcement, MTA-STS identity record as an upper bound, BIMI with optional VMC. The global rates reproduce that census to within 0.2 points, the internal-consistency check for the per-provider cut. Provider attribution is first-hop, so secure-email-gateway and reseller layers undercount the cloud suites; the gateway category reflects the posture of gateway-using organizations, not a vendor setting. Enforcement is a property of provider defaults and customer choices that cannot be separated in DNS records, and is reported as such. This is a single snapshot; no enforcement trend is claimed. External triangulation from Google and Yahoo's 2024 bulk-sender requirements and Valimail's 2026 State of DMARC report. Russian-administered TLDs excluded throughout. Companion measurements of the same corpus appear in A State of TXT, Who Runs the World's Email, and Who Runs the World's DNS. Explore the full dataset at /dataset and per-TLD statistics at /stats/.