We put the top 100 domains under the microscope. Here's what we found.
We built a live dashboard tracking DMARC adoption across the world's most popular websites. The results reveal how far email security has come, and how much work remains.
In 2012, a small group of engineers from Google, Microsoft, Yahoo, and PayPal sat in a room with a shared frustration: email was broken. Despite years of work on SPF and DKIM, phishing attacks kept slipping through. The protocols worked in isolation, but nobody had connected the dots. That meeting gave birth to DMARC.
Twelve years later, I found myself staring at a similar question.
We built DMARCTrust to help businesses protect their email, but I kept wondering: how are the giants doing? The companies that send billions of emails, that have security teams larger than most startups, that should have figured this out years ago. Are they actually walking the walk?
So we built something to find out.
Our real-time DMARC index
Today, we’re launching our Real-Time DMARC State of Top 100 Domains, a live dashboard tracking email authentication across the world’s most popular websites.
We pull from Cloudflare Radar’s domain rankings (the same data that powers their 1.1.1.1 resolver insights) and check every domain’s DMARC, SPF, and BIMI records daily.
The results? Eye-opening.
The good news first
Let’s start with what’s working. The majority of top domains now have DMARC records in place. That’s a massive shift from even five years ago.
The 2024 mandates from Google and Yahoo, which require DMARC for bulk senders, clearly moved the needle.
We’re also seeing more domains at p=reject, the strictest enforcement level that tells receiving servers to flat-out refuse unauthenticated emails. This is the gold standard. It means those brands are serious about preventing spoofing.
What keeps me up at night
For every domain running p=reject, there are others still stuck at p=none. Monitor mode.
The “I’ll get to it eventually” setting.
Here’s the thing about p=none: it does nothing to stop attackers. It’s like installing a security camera that only records but never alerts anyone. You’re watching the robbery happen in real time and doing nothing about it. Attackers know this.
They specifically target domains with weak or missing DMARC policies because they know their spoofed emails will land in inboxes.
We found domains you’d expect to have bulletproof security, brands handling sensitive data, financial transactions, healthcare information, still running without any DMARC record at all. In early 2026. Let that sink in.
Why this matters beyond the Fortune 500
You might think: “I’m not Google. Why should I care what the big players are doing?”
Here’s why: attackers don’t just target the big fish. They impersonate them. If a major brand has weak DMARC, phishers use that brand’s name to trick your employees, your customers, your partners. The whole ecosystem suffers.
And if you’re a smaller business looking at this data, there’s another lesson. If companies with dedicated security teams and unlimited budgets still struggle with email authentication, it tells you something important: this stuff is hard. But it’s also fixable. The path from p=none to p=reject is well-documented. We’ve helped hundreds of businesses make that journey.
What we track and why
Our index monitors four things.
First, DMARC policy distribution: how many domains are at reject, quarantine, none, or missing entirely. This shows where the industry stands on enforcement.
Second, policy upgrades. When a domain strengthens its policy, like moving from none to quarantine or quarantine to reject, that’s a win worth celebrating.
Third, new adoptions. Domains that add DMARC for the first time. Better late than never.
Fourth, SPF and BIMI coverage. DMARC doesn’t work alone. SPF authorizes your sending IPs. BIMI adds your logo to authenticated emails. The full stack matters.
We refresh this data daily. No stale snapshots. You’re seeing the internet’s email security posture in near real-time.
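To make the first three metrics concrete, here is an added sketch (not DMARCTrust's own code) that classifies the TXT answers for each domain's _dmarc name and diffs two daily snapshots. The domains, records, and function names are constructed for illustration, and treating a record without a valid p= tag as missing is a simplifying assumption.

```python
RANK = {"missing": 0, "none": 1, "quarantine": 2, "reject": 3}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not one."""
    tags = []
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags.append((key.strip().lower(), value.strip()))
    # RFC 7489: v=DMARC1 must be the first tag and must match exactly.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def policy(txt_records):
    """Map a domain's _dmarc TXT answers to reject/quarantine/none/missing."""
    valid = [r for r in map(parse_dmarc, txt_records) if r is not None]
    # Receivers apply no DMARC policy when more than one record is published.
    if len(valid) != 1:
        return "missing"
    p = valid[0].get("p", "").lower()
    # Assumption for this sketch: no valid p= tag counts as missing.
    return p if p in ("none", "quarantine", "reject") else "missing"

def distribution(snapshot):
    counts = dict.fromkeys(RANK, 0)
    for records in snapshot.values():
        counts[policy(records)] += 1
    return counts

def changes(prev, curr):
    """Return (policy upgrades, new adoptions) between two snapshots."""
    upgrades, adoptions = [], []
    for domain, records in curr.items():
        old, new = policy(prev.get(domain, [])), policy(records)
        if old == "missing" and new != "missing":
            adoptions.append((domain, new))
        elif RANK[new] > RANK[old]:
            upgrades.append((domain, old, new))
    return upgrades, adoptions

# Constructed sample snapshots (domain -> TXT answers at _dmarc.<domain>).
DAY1 = {"shop.example": ["v=DMARC1; p=none; rua=mailto:d@shop.example"],
        "bank.example": ["v=DMARC1; p=quarantine"],
        "news.example": ["v=spf1 -all"],  # not a DMARC record
        "mail.example": ["v=DMARC1; p=reject"]}
DAY2 = {"shop.example": ["v=DMARC1; p=quarantine; rua=mailto:d@shop.example"],
        "bank.example": ["v=DMARC1; p=reject"],
        "news.example": ["v=DMARC1; p=none"],
        "mail.example": ["v=DMARC1; p=reject"]}
```

A domain that moves from missing to p=none is reported as a new adoption rather than an upgrade, which keeps the two counts separate.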
The road ahead
I started DMARCTrust because I spent a decade watching deliverability problems that could have been prevented with proper authentication. The same pain points kept appearing: misconfigured SPF records, missing DKIM signatures, DMARC policies that were never enforced.
This index is our way of holding up a mirror to the industry. Not to shame anyone (we’ve all shipped code and configurations we’re not proud of), but to show that email security is a journey.
Some of the world’s biggest brands are still on that journey. They’re making progress. But there’s work to do.
If you’re reading this and your domain isn’t at p=reject yet, you’re not alone. But you should start moving. Check your domain with our free DMARC checker, set up monitoring, and begin the enforcement rollout. The phishers aren’t waiting.
And if you want to see how you stack up against the top 100? Check the index. It updates every day. Let’s see if we can push those numbers higher, together.