We put the top 100 domains under the microscope. Here's what we found.
We built a live dashboard tracking DMARC adoption across the world's most popular websites. The results reveal how far email security has come, and how much work remains.
In 2012, a small group of engineers from Google, Microsoft, Yahoo, and PayPal sat in a room with a shared frustration: email was broken. Despite years of work on SPF and DKIM, phishing attacks kept slipping through. The protocols worked in isolation, but nobody had connected the dots. That meeting gave birth to DMARC.
Twelve years later, I found myself staring at a similar question.
We built DMARCTrust to help businesses protect their email, but I kept wondering: how are the giants doing? The companies that send billions of emails, that have security teams larger than most startups, that should have figured this out years ago. Are they actually walking the walk?
So we built something to find out.
Our real-time DMARC index
Today, we're launching our Real-Time DMARC State of Top 100 Domains, a live dashboard tracking email authentication across the world's most popular websites.
We pull from Cloudflare Radar's domain rankings (the same data that powers their 1.1.1.1 resolver insights) and check every domain's DMARC, SPF, and BIMI records daily.
The results? Eye-opening.
The good news first
Let's start with what's working. The majority of top domains now have DMARC records in place. That's a massive shift from even five years ago.
The 2024 mandates from Google and Yahoo, which require DMARC for bulk senders, clearly moved the needle.
We're also seeing more domains at p=reject, the strictest enforcement level that tells receiving servers to flat-out refuse unauthenticated emails. This is the gold standard. It means those brands are serious about preventing spoofing.
What keeps me up at night
For every domain running p=reject, there are others still stuck at p=none. Monitor mode.
The "I'll get to it eventually" setting.
Here's the thing about p=none: it does nothing to stop attackers. It's like installing a security camera that only records but never alerts anyone. You're watching the robbery happen in real time and doing nothing about it. Attackers know this.
They specifically target domains with weak or missing DMARC policies because they know their spoofed emails will land in inboxes.
We found domains you'd expect to have bulletproof security, brands handling sensitive data, financial transactions, healthcare information, still running without any DMARC record at all. In early 2026. Let that sink in.
Why this matters beyond the Fortune 500
You might think: "I'm not Google. Why should I care what the big players are doing?"
Here's why: attackers don't just target the big fish. They impersonate them. If a major brand has weak DMARC, phishers use that brand's name to trick your employees, your customers, your partners. The whole ecosystem suffers.
And if you're a smaller business looking at this data, there's another lesson. If companies with dedicated security teams and unlimited budgets still struggle with email authentication, it tells you something important: this stuff is hard. But it's also fixable. The path from p=none to p=reject is well-documented. We've helped hundreds of businesses make that journey.
What we track and why
Our index monitors four things.
First, DMARC policy distribution: how many domains are at reject, quarantine, none, or missing entirely. This shows where the industry stands on enforcement.
Second, policy upgrades. When a domain strengthens its policy, like moving from none to quarantine or quarantine to reject, that's a win worth celebrating.
Third, new adoptions. Domains that add DMARC for the first time. Better late than never.
Fourth, SPF and BIMI coverage. DMARC doesn't work alone. SPF authorizes your sending IPs. BIMI adds your logo to authenticated emails. The full stack matters.
We refresh this data daily. No stale snapshots. You're seeing the internet's email security posture in near real-time.
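The first three measurements come down to parsing the TXT record at `_dmarc.<domain>` and comparing daily snapshots. The sketch below is an added example, not DMARCTrust's own code: the domains and records are constructed, the DNS lookup is assumed to have already happened, and counting a domain with several DMARC records as "missing" follows the RFC 7489 rule that no policy applies in that case (the `rua` URI is not validated here).

```python
# Added example. Domains and TXT records are constructed sample data.
from collections import Counter

STRENGTH = {"missing": 0, "none": 1, "quarantine": 2, "reject": 3}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the v=DMARC1 tag must come first.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def classify(txt_records):
    """Classify the TXT answers found at _dmarc.<domain>."""
    valid = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(valid) != 1:  # zero or several DMARC records: no policy applies
        return "missing"
    policy = valid[0].get("p", "").lower()
    if policy in ("none", "quarantine", "reject"):
        return policy
    # Unusable p tag: receivers fall back to p=none only when rua is present.
    return "none" if "rua" in valid[0] else "missing"

def snapshot(records_by_domain):
    return {d: classify(r) for d, r in records_by_domain.items()}

def changes(old, new):
    """Split stricter policies into first-time adoptions and upgrades."""
    adoptions, upgrades = [], []
    for domain in sorted(new):
        before = old.get(domain, "missing")
        if STRENGTH[new[domain]] > STRENGTH[before]:
            (adoptions if before == "missing" else upgrades).append(domain)
    return adoptions, upgrades

YESTERDAY = {"shop.example": "quarantine", "chat.example": "quarantine"}
TODAY_TXT = {
    "shop.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@shop.example"],
    "news.example": ["v=DMARC1; p=none; rua=mailto:dmarc@news.example"],
    "bank.example": ["v=spf1 -all"],  # TXT exists, but it is not DMARC
    "chat.example": ["v=DMARC1; p=quarantine; pct=100"],
}
TODAY = snapshot(TODAY_TXT)
DISTRIBUTION = Counter(TODAY.values())
```

Here `news.example` shows up as a new adoption even though it lands on p=none, which is why the distribution and the adoption count have to be read together.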
How well-known brands score
Not all top domains are equal. Some household names run tight setups. Others are surprisingly behind.
At the top end: Wells Fargo and Yelp both sit at 96%. WordPress.com is at 95%. Zoom and Whitehouse.gov land at 91%. Washington Post at 90%. For these, enforcement is largely in place.
In the middle of the pack: Zillow at 88%, Tumblr at 87%, Walmart at 76%, YouTube at 75%, X (Twitter) at 75%, WhatsApp at 72%, VK at 71%, Wikipedia at 71%. These domains have DMARC in place but haven't reached full enforcement.
Further back: Weibo at 65%, Yandex at 60%, Zoho, Twitch, and Weather.com all at 55%. A DMARC record exists, but it's doing little to stop spoofing. Each of these represents a brand that attackers can and do impersonate.
You can check any domain directly using our free DMARC checker.
The road ahead
I started DMARCTrust because I spent a decade watching deliverability problems that could have been prevented with proper authentication. The same pain points kept appearing: misconfigured SPF records, missing DKIM signatures, DMARC policies that were never enforced.
This index is our way of holding up a mirror to the industry. Not to shame anyone (we've all shipped code and configurations we're not proud of), but to show that email security is a journey.
Some of the world's biggest brands are still on that journey. They're making progress. But there's work to do.
If you're reading this and your domain isn't at p=reject yet, you're not alone. But you should start moving. Check your domain with our free DMARC checker, set up monitoring, and begin the enforcement rollout. The phishers aren't waiting.
And if you want to see how you stack up against the top 100? Check the index. It updates every day. Let's see if we can push those numbers higher, together.