In June 2026, we ran automated SPF, DKIM, and DMARC checks against 186 publicly
known domains across email tools, SaaS platforms, Shopify stores, WordPress hosting
providers, and developer infrastructure companies.
The goal was simple: how well do well-known, technical companies actually handle
email authentication on their own domains?
The answer was worse than expected.
The numbers
- 90.3% had a passing SPF record
- 86% had detectable DKIM (on standard selectors)
- 81.7% had enforced DMARC (p=quarantine or p=reject)
- 69.4% passed all three checks together
Nearly 1 in 3 well-known domains had at least one gap.
What each check means
SPF tells receiving mail servers which IP addresses are allowed to send email
for your domain. A missing or misconfigured SPF record means any server can send
as you.
DKIM adds a cryptographic signature to outgoing mail. Receivers verify the
signature against a public key in your DNS. If DKIM is missing, spoofed messages
are indistinguishable from real ones.
DMARC ties SPF and DKIM together and tells receivers what to do when mail
fails both checks. p=none means do nothing. p=quarantine means send to spam.
p=reject means block it entirely.
Category breakdown
| Category | Domains | All Three Pass |
|---|---|---|
| Developer Tools | 12 | 92% |
| Email Service Providers | 24 | 83% |
| SaaS Platforms | 38 | 71% |
| E-commerce | 16 | 75% |
| Shopify Stores | 28 | 57% |
| WordPress Hosting | 18 | 61% |
Developer tool companies (Cloudflare, Vercel, Netlify, DigitalOcean, GitHub) had
the strongest authentication hygiene by a significant margin. Shopify stores and
WordPress hosts had the worst.
Some findings worth noting
Bluehost, Dreamhost, and Hostgator all had DMARC at p=none on their own
domains. These three companies actively recommend DMARC to their customers in
their own documentation.
Backlinko.com had SPF returning a fail result and DKIM not detected on any
tested selector. This is a widely-read SEO publication that covers email
deliverability topics.
Flywheel (WordPress hosting) had no DMARC record at all.
Three email marketing platforms (ConvertKit, Drip, Campaign Monitor) had
DMARC at p=none. These are companies that send email on behalf of their
customers and publish guidance on DMARC best practices.
How we ran the checks
All checks used DNS lookups against public records. No emails were sent. No
private systems were accessed.
DKIM is checked by probing a predefined list of common selectors: selector1,
selector2, default, google, mail, smtp, amazonses, sendgrid,
mailgun, postmark, sparkpost, zoho, protonmail, and others. A DKIM
fail in this report means no valid record was found on any of those selectors.
Domains using custom selectors not in our list may appear as failing even if
DKIM is actually configured.
Date of scan: June 3, 2026. DNS records change over time.
Check your own domain
The tool we used is free and takes about 10 seconds. No signup required.
Run a free check on your domain
Full report with category breakdown, domain table, and raw CSV download:
Top comments (0)