The State of Email Security 2026
Even the world's biggest brands leave the door open. We scanned 107 of the most-visited companies and found 13% can still be spoofed.
13%
of top brands can still be spoofed
no enforced DMARC policy (p=none or missing)
5%
deploy MTA-STS
the other 95% leave inbound mail unprotected in transit
66%
enforce p=reject
the strongest DMARC policy; 1 in 3 stop short
19%
have no DKIM at common selectors
their messages are harder to authenticate
What we found
DMARC adoption is high but not complete. 87% of these brands enforce a DMARC policy of quarantine or reject, yet 13% still publish p=none or no DMARC at all, which means anyone can send email that appears to come from them. Among enforcers, a third stop at quarantine rather than the stronger p=reject.
Transport security is the neglected layer. Only 5% of these brands publish MTA-STS, the record that forces inbound mail to be encrypted and prevents downgrade attacks. It is the single biggest gap we found, even among companies with otherwise strong authentication.
The basics are mostly solid. 89% have a valid SPF record, and the average grade across all 107 domains was an A. But 19% expose no DKIM key at the selectors mail providers commonly check, and a broken record anywhere in the chain still lets legitimate mail land in spam.
The takeaway
If household-name brands with large security teams still leave these gaps, most organizations have more. Email authentication is not a one-time setup: records drift, providers change, and a single edit can undo years of work. The fix is to check regularly and enforce the strongest policy your senders allow.
How we measured this
In July 2026 we ran the SPFWise engine against 107 of the world's most-visited brands across technology, finance, retail, media and SaaS, using only their public DNS records. Every figure reflects exactly what a receiving mail server sees. No private data and no cooperation from the brands was involved.
Check your own domain
Get the same grade and the exact records to fix, free and in seconds.