Publishing DMARC is not enforcing it
Every "does it have DMARC?" audit treats a DMARC record as protection. It is not.
p=none is monitoring mode: the domain publishes a policy that instructs the
world to do nothing at all about mail forged in its name. It passes the checkbox and stops
zero attacks. A sector can be almost fully "DMARC-adopted" and almost entirely unprotected,
and nobody reports that, because reporting it means holding the policy and not just
the presence of a record.
Across the 48,228 domains we have an email-auth reading for,
59% publish DMARC.
32% of those publish p=none, which enforces nothing.
tranco_40k
17,911 scanned
6,084 enforcing
3,642 p=none (enforces nothing)
8,185 no DMARC
54% publish DMARC. Of those, 37% are p=none, which enforces nothing.
tranco_20k
8,351 scanned
3,095 enforcing
1,516 p=none (enforces nothing)
3,740 no DMARC
55% publish DMARC. Of those, 33% are p=none, which enforces nothing.
push_legacy
7,380 scanned
3,439 enforcing
1,414 p=none (enforces nothing)
2,527 no DMARC
66% publish DMARC. Of those, 29% are p=none, which enforces nothing.
tranco_10k
3,934 scanned
1,443 enforcing
743 p=none (enforces nothing)
1,748 no DMARC
56% publish DMARC. Of those, 34% are p=none, which enforces nothing.
tranco_5k
2,616 scanned
915 enforcing
379 p=none (enforces nothing)
1,322 no DMARC
49% publish DMARC. Of those, 29% are p=none, which enforces nothing.
fortune_500
931 scanned
521 enforcing
131 p=none (enforces nothing)
279 no DMARC
70% publish DMARC. Of those, 20% are p=none, which enforces nothing.
tranco_1k
513 scanned
194 enforcing
39 p=none (enforces nothing)
280 no DMARC
45% publish DMARC. Of those, 17% are p=none, which enforces nothing.
manufacturing
376 scanned
218 enforcing
80 p=none (enforces nothing)
78 no DMARC
79% publish DMARC. Of those, 27% are p=none, which enforces nothing.
media_entertainment
373 scanned
221 enforcing
68 p=none (enforces nothing)
84 no DMARC
77% publish DMARC. Of those, 24% are p=none, which enforces nothing.
pharma_biotech
328 scanned
180 enforcing
75 p=none (enforces nothing)
73 no DMARC
78% publish DMARC. Of those, 29% are p=none, which enforces nothing.
fashion_luxury
305 scanned
194 enforcing
45 p=none (enforces nothing)
66 no DMARC
78% publish DMARC. Of those, 19% are p=none, which enforces nothing.
web3_defi
292 scanned
172 enforcing
28 p=none (enforces nothing)
92 no DMARC
68% publish DMARC. Of those, 14% are p=none, which enforces nothing.
education_expanded
291 scanned
172 enforcing
110 p=none (enforces nothing)
9 no DMARC
97% publish DMARC. Of those, 39% are p=none, which enforces nothing.
consulting
288 scanned
201 enforcing
38 p=none (enforces nothing)
49 no DMARC
83% publish DMARC. Of those, 16% are p=none, which enforces nothing.
hospitality
287 scanned
151 enforcing
48 p=none (enforces nothing)
88 no DMARC
69% publish DMARC. Of those, 24% are p=none, which enforces nothing.
automotive
278 scanned
138 enforcing
55 p=none (enforces nothing)
85 no DMARC
69% publish DMARC. Of those, 28% are p=none, which enforces nothing.
cybersecurity_expanded
270 scanned
181 enforcing
29 p=none (enforces nothing)
60 no DMARC
78% publish DMARC. Of those, 14% are p=none, which enforces nothing.
fintech_expanded
261 scanned
186 enforcing
27 p=none (enforces nothing)
48 no DMARC
82% publish DMARC. Of those, 13% are p=none, which enforces nothing.
sports_entertainment
254 scanned
115 enforcing
55 p=none (enforces nothing)
84 no DMARC
67% publish DMARC. Of those, 32% are p=none, which enforces nothing.
insurance
253 scanned
132 enforcing
35 p=none (enforces nothing)
86 no DMARC
66% publish DMARC. Of those, 21% are p=none, which enforces nothing.
non_profit
237 scanned
132 enforcing
52 p=none (enforces nothing)
53 no DMARC
78% publish DMARC. Of those, 28% are p=none, which enforces nothing.
energy
235 scanned
121 enforcing
30 p=none (enforces nothing)
84 no DMARC
64% publish DMARC. Of those, 20% are p=none, which enforces nothing.
construction
219 scanned
111 enforcing
41 p=none (enforces nothing)
67 no DMARC
69% publish DMARC. Of those, 27% are p=none, which enforces nothing.
telecom
204 scanned
104 enforcing
45 p=none (enforces nothing)
55 no DMARC
73% publish DMARC. Of those, 30% are p=none, which enforces nothing.
government_expanded
194 scanned
113 enforcing
37 p=none (enforces nothing)
44 no DMARC
77% publish DMARC. Of those, 25% are p=none, which enforces nothing.
logistics_expanded
181 scanned
81 enforcing
41 p=none (enforces nothing)
59 no DMARC
67% publish DMARC. Of those, 34% are p=none, which enforces nothing.
real_estate_expanded
181 scanned
91 enforcing
42 p=none (enforces nothing)
48 no DMARC
73% publish DMARC. Of those, 32% are p=none, which enforces nothing.
legal_expanded
173 scanned
103 enforcing
26 p=none (enforces nothing)
44 no DMARC
75% publish DMARC. Of those, 20% are p=none, which enforces nothing.
agriculture
168 scanned
70 enforcing
27 p=none (enforces nothing)
71 no DMARC
58% publish DMARC. Of those, 28% are p=none, which enforces nothing.
aerospace
157 scanned
78 enforcing
34 p=none (enforces nothing)
45 no DMARC
71% publish DMARC. Of those, 30% are p=none, which enforces nothing.
crypto
63 scanned
58 enforcing
4 p=none (enforces nothing)
1 no DMARC
98% publish DMARC. Of those, 6% are p=none, which enforces nothing.
big_tech
57 scanned
53 enforcing
3 p=none (enforces nothing)
1 no DMARC
98% publish DMARC. Of those, 5% are p=none, which enforces nothing.
fintech
54 scanned
47 enforcing
5 p=none (enforces nothing)
2 no DMARC
96% publish DMARC. Of those, 10% are p=none, which enforces nothing.
misc
54 scanned
15 enforcing
6 p=none (enforces nothing)
33 no DMARC
39% publish DMARC. Of those, 29% are p=none, which enforces nothing.
devops
47 scanned
37 enforcing
4 p=none (enforces nothing)
6 no DMARC
87% publish DMARC. Of those, 10% are p=none, which enforces nothing.
security
47 scanned
47 enforcing
0 p=none (enforces nothing)
0 no DMARC
100% publish DMARC. Of those, 0% are p=none, which enforces nothing.
email_comms
44 scanned
37 enforcing
6 p=none (enforces nothing)
1 no DMARC
98% publish DMARC. Of those, 14% are p=none, which enforces nothing.
languages
44 scanned
21 enforcing
13 p=none (enforces nothing)
10 no DMARC
77% publish DMARC. Of those, 38% are p=none, which enforces nothing.
dev_tools
43 scanned
37 enforcing
2 p=none (enforces nothing)
4 no DMARC
91% publish DMARC. Of those, 5% are p=none, which enforces nothing.
media
43 scanned
29 enforcing
8 p=none (enforces nothing)
6 no DMARC
86% publish DMARC. Of those, 22% are p=none, which enforces nothing.
data_analytics
41 scanned
30 enforcing
7 p=none (enforces nothing)
4 no DMARC
90% publish DMARC. Of those, 19% are p=none, which enforces nothing.
ai_ml
40 scanned
31 enforcing
6 p=none (enforces nothing)
3 no DMARC
93% publish DMARC. Of those, 16% are p=none, which enforces nothing.
ecommerce
35 scanned
29 enforcing
5 p=none (enforces nothing)
1 no DMARC
97% publish DMARC. Of those, 15% are p=none, which enforces nothing.
infrastructure
33 scanned
14 enforcing
7 p=none (enforces nothing)
12 no DMARC
64% publish DMARC. Of those, 33% are p=none, which enforces nothing.
cloud
31 scanned
24 enforcing
2 p=none (enforces nothing)
5 no DMARC
84% publish DMARC. Of those, 8% are p=none, which enforces nothing.
developer
31 scanned
7 enforcing
2 p=none (enforces nothing)
22 no DMARC
29% publish DMARC. Of those, 22% are p=none, which enforces nothing.
cms
30 scanned
25 enforcing
4 p=none (enforces nothing)
1 no DMARC
97% publish DMARC. Of those, 14% are p=none, which enforces nothing.
banks
25 scanned
25 enforcing
0 p=none (enforces nothing)
0 no DMARC
100% publish DMARC. Of those, 0% are p=none, which enforces nothing.
government
25 scanned
16 enforcing
3 p=none (enforces nothing)
6 no DMARC
76% publish DMARC. Of those, 16% are p=none, which enforces nothing.
CAA: naming which authorities may issue a certificate
CAA is an issuance allowlist: it names which certificate authorities are allowed to issue a
certificate for a domain, which is a real defense against mis-issuance. There is a catch worth
knowing: a CAA record that carries only an iodef reporting address restricts
nobody - any CA can still issue - even though it passes a simple "has CAA?"
check. So the number that matters is not who publishes CAA, but who actually constrains issuance.
6,924actually restrict who may issue
201publish CAA that restricts nobody
10forbid all issuance (issue ";")
41,441publish no CAA at all
Of 48,576 domains we have a reading for, 15% publish any CAA, and 3% of those constrain no one.
security.txt: publishing where to report a problem, and keeping it current
RFC 9116 asks a domain to publish where to report a vulnerability, and makes an
Expires date mandatory - so a stale file cannot sit there forever
pointing at an inbox nobody reads. An expired security.txt can be worse than
none: it points a researcher at a contact the organisation may no longer be watching.
1,374publish a security.txt
180of those have EXPIRED (13%)
10,390publish none
1,945refused our read (unknown, not "none")
Read for 13,709 domains so far, and climbing as enrichment sweeps the catalog.
Computed only over domains we have actually taken an email-auth reading for. A domain we have
not scanned for this is unknown, never "has no DMARC" - absence of evidence is
not evidence of absence, and here that is the difference between a finding and a smear.
Sectors under 25 observed domains are omitted: below that the percentages are noise. Every
figure comes from a signed observation you can re-verify.