Here's a stat that should bother you: 66% of all domains we've analyzed have no DMARC record. Zero. Nothing. That means anyone with basic technical knowledge can send emails that appear to come from two-thirds of all websites on the internet. Your bank might have DMARC. Google definitely does. But the company you just bought something from online? Probably not.
We pulled SPF and DMARC data from our database of 760,000+ domains. The picture isn't pretty. Email authentication — the system that's supposed to prevent phishing and spoofing — is missing from the majority of the web. And most site owners don't even know it.
Email authentication adoption across 760,000+ analyzed domains
Before we get into the numbers, a quick primer. Email was designed in the 1970s. Back then, trust was the default — nobody imagined someone would pretend to be someone else in an email. The "From" address in an email is basically an honor system. Anyone can put anything there.
SPF (Sender Policy Framework) is a DNS record that says "only these specific mail servers are authorized to send email from my domain." When a mail server receives an email claiming to be from your domain, it checks this record. If the sending server isn't on the list, the email is flagged as suspicious.
DMARC (Domain-based Message Authentication, Reporting & Conformance) goes further. It tells receiving mail servers what to do when an email fails SPF (or DKIM) checks — reject it, quarantine it, or just monitor it. DMARC also provides a reporting mechanism so domain owners can see who's trying to send email as them.
Without these records, your domain is an open invitation for spoofing. Anyone can send an email that looks like it's from your company, and receiving mail servers have no way to verify otherwise.
Let's break down what we found across 760,000+ domains:
That last point is worth emphasizing. A DMARC record set to "p=none" is better than nothing — you at least get reports — but it doesn't actually prevent spoofing. The email still gets delivered. Only "p=quarantine" or "p=reject" policies actively protect against impersonation. When you factor that in, maybe 15-18% of all websites have genuinely effective email protection.
Without SPF and DMARC, a scammer can send emails that appear to come from your domain. Your customers receive what looks like a legitimate invoice, password reset, or shipping notification — but it's actually a phishing attack. And you'd never know it's happening.
We compared SPF and DMARC adoption across the top countries in our database:
The pattern is consistent with what we see for other security metrics by country: European countries with strong data protection regulations lead, North America is average, and adoption drops in regions with less regulatory pressure.
How much do SPF and DMARC affect a site's overall trust score? Quite a bit, actually.
Sites with both SPF and DMARC average a trust score of 72. Sites with SPF but no DMARC average 64. Sites with neither average 54. That's an 18-point spread between the best and worst configurations.
This makes sense when you think about what email authentication signals. It means someone is actively managing the domain's DNS. They understand email infrastructure. They're thinking about security beyond just "has the site got a padlock?" These are the same people who configure security headers, use HTTPS, and keep their software updated.
Want to see how a specific domain handles email authentication? Run any domain through Bitverzo and look at the DNS & Domain section. We check SPF, DMARC, and other DNS records automatically.
Average trust score: sites with both SPF + DMARC vs. sites with neither
I've talked to a lot of site owners about this, and the reasons fall into a few categories:
"I didn't know it existed." This is the most common response. Most people who register a domain and build a website have never heard of SPF or DMARC. Their hosting provider set up their email, it works, and they never thought about authentication. It's a knowledge gap, not laziness.
"I don't send email from my domain." Some site owners think that if they don't send email, they don't need SPF or DMARC. The opposite is true. If you don't send email from your domain, you should publish a DMARC record with "p=reject" — telling the world that any email claiming to come from your domain is fake.
"It's too complicated." SPF and DMARC records are DNS TXT records with specific syntax. If you've never edited DNS records, they look intimidating. But they're really not. A basic SPF record is one line. A basic DMARC record is one line. It takes 10 minutes.
"My email works fine without it." It does — for sending. The problem is on the receiving end. Without these records, your domain can be impersonated, and there's nothing you or the receiving mail server can do to stop it. Your email works fine; it's everyone else's inbox that's at risk.
Email spoofing isn't a theoretical problem. It's one of the primary tools in phishing attacks, and phishing remains the number one vector for cyberattacks. Here's what happens when a domain lacks SPF and DMARC:
If your domain had DMARC with "p=reject," step 3 would be "email is rejected and never reaches the recipient." That's it. One DNS record. Problem solved.
If your domain doesn't have these records, here's exactly what to add. This takes about 10 minutes through your DNS provider (wherever you manage your domain's nameservers).
Create a TXT record for your domain with a value like:
v=spf1 include:_spf.google.com ~all
Replace the "include" part with your email provider's SPF include. If you use Google Workspace, it's _spf.google.com. If you use Microsoft 365, it's spf.protection.outlook.com. If you use Zoho, it's zoho.com. Your email provider's documentation will have the exact value.
If you don't send email from your domain at all, use: v=spf1 -all
Create a TXT record for _dmarc.yourdomain.com with:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com
Start with "p=quarantine" to catch spoofed emails without immediately rejecting them. Once you've confirmed everything works correctly (check the reports sent to the rua address), upgrade to "p=reject" for maximum protection.
If you're nervous about blocking legitimate email, start with p=none and monitor the DMARC reports for a few weeks. This won't block anything but will show you who's sending email as your domain. Once you're confident your legitimate email sources are covered by your SPF record, move to p=quarantine and eventually p=reject.
Sites using modern technology stacks tend to have better email authentication. Cloudflare users, for example, have higher DMARC adoption (41%) compared to the 34% average — probably because Cloudflare's DNS management makes it easy to add records. Sites using Google Analytics 4 also show higher email authentication rates (39% DMARC), likely because they're also using Google Workspace for email, which pushes SPF and DMARC configuration.
WordPress sites have below-average email authentication (29% DMARC), which aligns with our broader WordPress security findings. Many WordPress site owners manage their site through a hosting panel and never touch DNS settings directly.
If you're not a site owner — if you're just someone who receives email — here's the takeaway: you can't trust the "From" address in most emails. Two-thirds of all domains provide no mechanism to verify email authenticity. Phishing emails that appear to come from legitimate companies can sail right into your inbox without any technical barrier.
The best defense is skepticism. Don't click links in unexpected emails. Don't open attachments from companies you weren't expecting to hear from. And if an email asks you to "verify your account" or "update your payment information," go directly to the company's website by typing the URL — don't follow the email link.
You can check any domain's email security posture on Bitverzo. If a company doesn't have SPF and DMARC configured, be extra cautious about emails that claim to come from them.
Instantly see SPF, DMARC, trust score, and full security analysis for any website or domain.
Analyze a Domain Free →SPF (Sender Policy Framework) is a DNS record specifying which mail servers can send email for your domain. DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to tell receiving servers what to do with emails that fail authentication. Together, they prevent email spoofing and phishing.
Based on Bitverzo's analysis of 760,000+ domains, 55% have SPF records and only 34% have DMARC records. That means 66% of all websites have no DMARC protection against email spoofing. Only about 28% have both SPF and DMARC properly configured.
The easiest way is to use Bitverzo's free domain analysis — enter any domain and look at the DNS & Domain section for SPF and DMARC records. You can also check manually using command-line tools: dig TXT example.com for SPF and dig TXT _dmarc.example.com for DMARC.
Data in this article is based on Bitverzo's analysis of 760,000+ domains as of July 2026. SPF and DMARC detection is based on DNS TXT record lookups. View technology trends or see the top-rated websites.