Your Mailbox Provider Is Your Security Policy: Email Authentication, Re-Cut by Who Runs the Mail
We crossed two full-corpus DNS censuses of the same May 2026 crawl — the MX layer that names who runs each domain's mail, and the SPF/DMARC/MTA-STS/BIMI layer that says whether that mail is authenticated. Across 149.8 million mail-capable apex domains, email-authentication posture turns out to be inherited from the provider, not chosen by the owner: security gateways and Microsoft 365 run the credible anti-spoofing stack on 17–19% of their domains, while the four largest registrar-bundled hosts — IONOS, Hostinger, Namecheap, OVH — run it on under 1.2%, and the largest email category on the Internet stops spoofing on just 3.5% of its 46.7 million domains. The 9% that actually resist spoofing are not spread across the Internet; they cluster behind a handful of operators.