A State of TXT: 150 Million Mail Domains, and Why Only 9% Actually Stop Spoofing
We queried the email-authentication TXT layer directly — _dmarc, _mta-sts, default._bimi, and apex SPF — across a May 2026 DNS crawl, using MX records as the denominator. Of 150,020,997 mail-capable apex domains, 71.3% publish SPF, 34.1% publish DMARC, but only 11.7% enforce DMARC and just 9.0% run the minimum credible SPF-plus-enforced-DMARC stack. Two-thirds of DMARC records sit at p=none. MTA-STS reaches 0.144% and BIMI 0.084%. And 45.7% of all DMARC reports flow to a single registrar's default configuration. This is the state of email authentication, measured from the records themselves.
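The tiers counted above (SPF published, DMARC published, DMARC enforced, SPF plus enforced DMARC) can be reproduced per domain with a small classifier. This is an added example, not the code used for the crawl: it assumes "enforced" means p=quarantine or p=reject, assumes every sample domain already passed the MX filter, ignores the pct tag, and uses constructed TXT records instead of live DNS.

```python
# Added example. All TXT values below are constructed; nothing is resolved over DNS.

def parse_tags(record):
    """Split a 'k=v; k=v' TXT record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_record(apex_txt):
    """The apex SPF record, or None. RFC 7208: more than one is a permerror."""
    found = [t for t in apex_txt if t.lower().split(" ")[0] == "v=spf1"]
    return found[0] if len(found) == 1 else None

def dmarc_record(dmarc_txt):
    """Tags of the _dmarc record, or None. RFC 7489: more than one means no policy."""
    found = [t for t in dmarc_txt
             if "".join(t.split(";")[0].split()) == "v=DMARC1"]
    return parse_tags(found[0]) if len(found) == 1 else None

def classify(apex_txt, dmarc_txt):
    spf = spf_record(apex_txt) is not None
    dmarc = dmarc_record(dmarc_txt)
    policy = (dmarc or {}).get("p", "").lower()
    enforced = policy in ("quarantine", "reject")  # assumption: enforced = not p=none
    return {"spf": spf, "dmarc": dmarc is not None,
            "enforced": enforced, "stack": spf and enforced}

def tally(domains):
    """Count each posture flag over {domain: (apex_txt, dmarc_txt)}."""
    totals = {"spf": 0, "dmarc": 0, "enforced": 0, "stack": 0}
    for apex_txt, dmarc_txt in domains.values():
        for flag, value in classify(apex_txt, dmarc_txt).items():
            totals[flag] += value
    return totals

SAMPLE = {  # constructed records
    "a.example": (["v=spf1 include:_spf.example.net -all", "site-verification=abc"],
                  ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"]),
    "b.example": (["v=spf1 mx ~all"], ["v=DMARC1; p=none"]),
    "c.example": (["v=spf1 mx -all", "v=spf1 a -all"], ["v = DMARC1; p=quarantine"]),
    "d.example": ([], ["v=DMARC1; p=reject", "v=DMARC1; p=none"]),
}

if __name__ == "__main__":
    print(tally(SAMPLE))
```

Domains c.example and d.example show why counting raw TXT hits overstates coverage: duplicate SPF or DMARC records are treated as no usable record at all.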