Why 66% of Websites Fail Basic Email Security

By Bitverzo Research Team · July 6, 2026 · 9 min read · Based on analysis of 760,000+ websites

Here's a stat that should bother you: 66% of all domains we've analyzed have no DMARC record. Zero. Nothing. That means anyone with basic technical knowledge can send emails that appear to come from two-thirds of all websites on the internet. Your bank might have DMARC. Google definitely does. But the company you just bought something from online? Probably not.

We pulled SPF and DMARC data from our database of 760,000+ domains. The picture isn't pretty. Email authentication — the system that's supposed to prevent phishing and spoofing — is missing from the majority of the web. And most site owners don't even know it.

55% SPF · 34% DMARC

Email authentication adoption across 760,000+ analyzed domains

What SPF and DMARC Actually Do

Before we get into the numbers, a quick primer. Email was designed in the 1970s. Back then, trust was the default — nobody imagined someone would pretend to be someone else in an email. The "From" address in an email is basically an honor system. Anyone can put anything there.

SPF (Sender Policy Framework) is a DNS record that says "only these specific mail servers are authorized to send email from my domain." When a mail server receives an email claiming to be from your domain, it checks this record. If the sending server isn't on the list, the email is flagged as suspicious.

DMARC (Domain-based Message Authentication, Reporting & Conformance) goes further. It tells receiving mail servers what to do when an email fails SPF (or DKIM) checks — reject it, quarantine it, or just monitor it. DMARC also provides a reporting mechanism so domain owners can see who's trying to send email as them.

Without these records, your domain is an open invitation for spoofing. Anyone can send an email that looks like it's from your company, and receiving mail servers have no way to verify otherwise.

The Numbers Tell a Disturbing Story

Let's break down what we found across 760,000+ domains:

That last point is worth emphasizing. A DMARC record set to "p=none" is better than nothing — you at least get reports — but it doesn't actually prevent spoofing. The email still gets delivered. Only "p=quarantine" or "p=reject" policies actively protect against impersonation. When you factor that in, maybe 15-18% of all websites have genuinely effective email protection.

🚩 The Spoofing Risk

Without SPF and DMARC, a scammer can send emails that appear to come from your domain. Your customers receive what looks like a legitimate invoice, password reset, or shipping notification — but it's actually a phishing attack. And you'd never know it's happening.

Email Security by Country

We compared SPF and DMARC adoption across the top countries in our database:

The pattern is consistent with what we see for other security metrics by country: European countries with strong data protection regulations lead, North America is average, and adoption drops in regions with less regulatory pressure.

Email Security and Trust Scores

How much do SPF and DMARC affect a site's overall trust score? Quite a bit, actually.

Sites with both SPF and DMARC average a trust score of 72. Sites with SPF but no DMARC average 64. Sites with neither average 54. That's an 18-point spread between the best and worst configurations.

This makes sense when you think about what email authentication signals. It means someone is actively managing the domain's DNS. They understand email infrastructure. They're thinking about security beyond just "has the site got a padlock?" These are the same people who configure security headers, use HTTPS, and keep their software updated.

Want to see how a specific domain handles email authentication? Run any domain through Bitverzo and look at the DNS & Domain section. We check SPF, DMARC, and other DNS records automatically.

72 vs 54

Average trust score: sites with both SPF + DMARC vs. sites with neither

Why So Many Sites Don't Have Email Authentication

I've talked to a lot of site owners about this, and the reasons fall into a few categories:

"I didn't know it existed." This is the most common response. Most people who register a domain and build a website have never heard of SPF or DMARC. Their hosting provider set up their email, it works, and they never thought about authentication. It's a knowledge gap, not laziness.

"I don't send email from my domain." Some site owners think that if they don't send email, they don't need SPF or DMARC. The opposite is true. If you don't send email from your domain, you should publish a DMARC record with "p=reject" — telling the world that any email claiming to come from your domain is fake.

"It's too complicated." SPF and DMARC records are DNS TXT records with specific syntax. If you've never edited DNS records, they look intimidating. But they're really not. A basic SPF record is one line. A basic DMARC record is one line. It takes 10 minutes.

"My email works fine without it." It does — for sending. The problem is on the receiving end. Without these records, your domain can be impersonated, and there's nothing you or the receiving mail server can do to stop it. Your email works fine; it's everyone else's inbox that's at risk.

The Real-World Impact of Missing Email Authentication

Email spoofing isn't a theoretical problem. It's one of the primary tools in phishing attacks, and phishing remains the number one vector for cyberattacks. Here's what happens when a domain lacks SPF and DMARC:

  1. Attacker sends a phishing email that appears to come from your domain
  2. Receiving mail server checks for SPF/DMARC — finds nothing
  3. Email is delivered to the recipient's inbox (not spam, not quarantine — inbox)
  4. Recipient sees a legitimate-looking email from a real domain they recognize
  5. Recipient clicks a malicious link or opens a malicious attachment

If your domain had DMARC with "p=reject," step 3 would be "email is rejected and never reaches the recipient." That's it. One DNS record. Problem solved.

How to Set Up SPF and DMARC

If your domain doesn't have these records, here's exactly what to add. This takes about 10 minutes through your DNS provider (wherever you manage your domain's nameservers).

Step 1: Add an SPF Record

Create a TXT record for your domain with a value like:

v=spf1 include:_spf.google.com ~all

Replace the "include" part with your email provider's SPF include. If you use Google Workspace, it's _spf.google.com. If you use Microsoft 365, it's spf.protection.outlook.com. If you use Zoho, it's zoho.com. Your email provider's documentation will have the exact value.

If you don't send email from your domain at all, use: v=spf1 -all

Step 2: Add a DMARC Record

Create a TXT record for _dmarc.yourdomain.com with:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com

Start with "p=quarantine" to catch spoofed emails without immediately rejecting them. Once you've confirmed everything works correctly (check the reports sent to the rua address), upgrade to "p=reject" for maximum protection.

✅ Start With Monitoring

If you're nervous about blocking legitimate email, start with p=none and monitor the DMARC reports for a few weeks. This won't block anything but will show you who's sending email as your domain. Once you're confident your legitimate email sources are covered by your SPF record, move to p=quarantine and eventually p=reject.

Email Security by Technology Stack

Sites using modern technology stacks tend to have better email authentication. Cloudflare users, for example, have higher DMARC adoption (41%) compared to the 34% average — probably because Cloudflare's DNS management makes it easy to add records. Sites using Google Analytics 4 also show higher email authentication rates (39% DMARC), likely because they're also using Google Workspace for email, which pushes SPF and DMARC configuration.

WordPress sites have below-average email authentication (29% DMARC), which aligns with our broader WordPress security findings. Many WordPress site owners manage their site through a hosting panel and never touch DNS settings directly.

What This Means for Regular People

If you're not a site owner — if you're just someone who receives email — here's the takeaway: you can't trust the "From" address in most emails. Two-thirds of all domains provide no mechanism to verify email authenticity. Phishing emails that appear to come from legitimate companies can sail right into your inbox without any technical barrier.

The best defense is skepticism. Don't click links in unexpected emails. Don't open attachments from companies you weren't expecting to hear from. And if an email asks you to "verify your account" or "update your payment information," go directly to the company's website by typing the URL — don't follow the email link.

You can check any domain's email security posture on Bitverzo. If a company doesn't have SPF and DMARC configured, be extra cautious about emails that claim to come from them.

Check Any Domain's Email Security

Instantly see SPF, DMARC, trust score, and full security analysis for any website or domain.

Analyze a Domain Free →

Frequently Asked Questions

What are SPF and DMARC records?

SPF (Sender Policy Framework) is a DNS record specifying which mail servers can send email for your domain. DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to tell receiving servers what to do with emails that fail authentication. Together, they prevent email spoofing and phishing.

What percentage of websites have SPF and DMARC configured?

Based on Bitverzo's analysis of 760,000+ domains, 55% have SPF records and only 34% have DMARC records. That means 66% of all websites have no DMARC protection against email spoofing. Only about 28% have both SPF and DMARC properly configured.

How do I check if a website has SPF and DMARC?

The easiest way is to use Bitverzo's free domain analysis — enter any domain and look at the DNS & Domain section for SPF and DMARC records. You can also check manually using command-line tools: dig TXT example.com for SPF and dig TXT _dmarc.example.com for DMARC.

Data in this article is based on Bitverzo's analysis of 760,000+ domains as of July 2026. SPF and DMARC detection is based on DNS TXT record lookups. View technology trends or see the top-rated websites.