May 29, 2026
18 min read
We queried the email-authentication TXT layer directly — _dmarc, _mta-sts, default._bimi, and apex SPF — across a May 2026 DNS crawl, using MX records as the denominator. Of 150,020,997 mail-capable apex domains, 71.3% publish SPF, 34.1% publish DMARC, but only 11.7% enforce DMARC and just 9.0% run the minimum credible SPF-plus-enforced-DMARC stack. Two-thirds of DMARC records sit at p=none. MTA-STS reaches 0.144% and BIMI 0.084%. And 45.7% of all DMARC reports flow to a single registrar's default configuration. This is the state of email authentication, measured from the records themselves.
May 02, 2026
21 min read
We classified every TXT record from a 17 April 2026 DNS crawl — 840 GB of raw JSONL (56 GB after xz compression) — and built a vendor census from the verification tokens domains leak into DNS. 40.2 million unique apexes carry at least one tracked SaaS verification token. Google's 26.0 million-apex footprint is 3.4x Microsoft 365's 7.6 million. Domain marketplaces (AfterNic + dan.com + 4.cn + Aliyun + west.cn + 17ex + Sedo + DomainEasy) collectively touch 5.0 million apexes — more than Atlassian, Stripe, Adobe, Apple, and DocuSign verification tokens combined. Zoho's 1.23 million is the single largest non-Google, non-Microsoft SaaS verification footprint we measure. The TXT layer is the closest thing the public Internet has to a SaaS census.