Email Authentication Report 2026: We Checked 186 Domains
Published June 2026 · By The InboxGreen Team
In June 2026, InboxGreen ran automated SPF, DKIM, and DMARC checks against 186 publicly known domains across email service providers, SaaS companies, Shopify stores, and WordPress hosting platforms. Only 69.4% passed all three checks. Here is what we found.
Key Findings
69.4% of domains passed SPF, DKIM, and DMARC. Nearly 1 in 3 had at least one gap.
19.3% had weak or missing DMARC enforcement: policy set to p=none or no DMARC record at all.
14% had undetectable DKIM: no DKIM record found on any common selector.
3.2% had zero DMARC record, leaving their domain completely exposed to spoofing.
SPF Results
SPF was the strongest of the three. Most domains have an SPF record, but softfail (~all) instead of hard fail (-all) is common, which reduces protection without breaking delivery.
DKIM Results
DKIM had the widest gap. 14% of domains had no DKIM record detectable on standard selectors. Some of these domains may use non-standard DKIM selectors that are not in our probe list; see Methodology for details. Even accounting for this, a meaningful number of domains appear to lack DKIM entirely.
DMARC Results
DMARC showed the most variation. A DMARC record at p=none means the domain owner receives reports, but receiving mail providers are not asked to act on messages that fail DMARC, so they take no action against spoofed messages. It offers zero protection.
DMARC Policy Breakdown
Findings by Category
| Category | Domains | All Three Pass | DMARC Weak or Missing | DKIM Not Detected |
|---|---|---|---|---|
| Email Service Providers | 24 | 83% | 12.5% (3 on p=none) | 8% (2 domains) |
| SaaS Platforms | 38 | 71% | 13% (5 on p=none) | 13% (5 domains) |
| Shopify Stores | 28 | 57% | 32% (9 domains) | 18% (5 domains) |
| WordPress Hosting | 18 | 61% | 33% (6 domains) | 33% (6 domains) |
| SEO and Marketing Tools | 12 | 75% | 17% (2 domains) | 17% (2 domains) |
| Developer Tools and Hosting | 12 | 92% | 0% | 8% (1 domain) |
| E-commerce Brands | 16 | 75% | 6% | 13% |
| Content and Publishing | 18 | 72% | 22% (4 on p=none) | 0% |
| Small SaaS and Indie Tools | 20 | 65% | 25% | 10% |
Shopify stores and WordPress hosting platforms showed the highest rates of weak or missing DMARC. Developer tool companies (Cloudflare, DigitalOcean, Netlify, Vercel, etc.) had the strongest overall authentication hygiene.
Notable Individual Findings
The following observations are based on publicly available DNS records queried in June 2026. All DNS records are intentionally public. They are read by every mail server that processes incoming email.
Email tools with p=none DMARC
Three well-known email marketing platforms (ConvertKit, Drip, and Campaign Monitor) had DMARC records set to p=none at the time of scanning. This means they monitor for spoofing but do not instruct receiving servers to block or quarantine suspicious messages. These are companies that send email on behalf of their customers and publish guidance on DMARC best practices.
Shopify stores with missing DMARC
Among the 28 Shopify stores scanned, two had no DMARC record at all (olipop.com, ridgewallet.com) and one had SPF, DKIM, and DMARC all failing (ouai.com). These are direct-to-consumer brands that rely on email for order confirmations, shipping updates, and marketing, making deliverability directly tied to revenue.
WordPress hosting providers with p=none
Bluehost, Dreamhost, and Hostgator (three of the most recommended WordPress hosts) all had DMARC set to p=none on their own domains. Flywheel had no DMARC record at all. These companies actively recommend DMARC to their customers in their documentation.
Developer infrastructure with missing authentication
Flywheel (WordPress hosting) and contentmarketinginstitute.com both had no DMARC record. Backlinko.com had SPF failing and DKIM undetected, a surprising finding for a widely read SEO publication given that SPF and DMARC are SEO-adjacent topics frequently covered on that site.
All Domains with Issues
The table below shows every domain from our scan that had at least one SPF, DKIM, or DMARC problem. Domains where all three passed are excluded. All data is from public DNS records queried June 3, 2026.
| Domain | Category | SPF | DKIM | DMARC | DMARC Policy |
|---|---|---|---|---|---|
| convertkit.com | Email tool | PASS | PASS | WARN | NONE |
| drip.com | Email tool | PASS | PASS | WARN | NONE |
| campaignmonitor.com | Email tool | PASS | PASS | WARN | NONE |
| emailoctopus.com | Email tool | WARN | PASS | PASS | REJECT |
| sendgrid.com | Email tool | PASS | FAIL | PASS | REJECT |
| sparkpost.com | Email tool | WARN | PASS | PASS | REJECT |
| elasticemail.com | Email tool | PASS | FAIL | PASS | QUARANTINE |
| webflow.com | SaaS | WARN | PASS | PASS | REJECT |
| notion.so | SaaS | PASS | FAIL | PASS | QUARANTINE |
| plausible.io | SaaS | PASS | FAIL | PASS | QUARANTINE |
| paddle.com | SaaS | PASS | FAIL | PASS | REJECT |
| gumroad.com | SaaS | WARN | PASS | WARN | NONE |
| podia.com | SaaS | PASS | FAIL | WARN | NONE |
| circle.so | SaaS | PASS | PASS | WARN | NONE |
| hubspot.com | SaaS | WARN | PASS | PASS | REJECT |
| asana.com | SaaS | PASS | PASS | PASS | QUARANTINE |
| chubbies.com | Shopify store | PASS | PASS | WARN | NONE |
| colourpop.com | Shopify store | WARN | PASS | PASS | REJECT |
| graza.co | Shopify store | WARN | PASS | WARN | NONE |
| olipop.com | Shopify store | PASS | FAIL | FAIL | MISSING |
| ridgewallet.com | Shopify store | PASS | FAIL | FAIL | MISSING |
| wandrd.com | Shopify store | PASS | PASS | WARN | NONE |
| ruggable.com | Shopify store | WARN | PASS | WARN | NONE |
| puravidabracelets.com | Shopify store | PASS | PASS | WARN | NONE |
| functionofbeauty.com | Shopify store | WARN | PASS | WARN | NONE |
| ouai.com | Shopify store | FAIL | FAIL | FAIL | MISSING |
| tuftandneedle.com | Shopify store | PASS | FAIL | PASS | QUARANTINE |
| wordpress.org | WordPress | PASS | FAIL | PASS | REJECT |
| kinsta.com | WordPress hosting | PASS | FAIL | PASS | REJECT |
| bluehost.com | WordPress hosting | WARN | PASS | WARN | NONE |
| dreamhost.com | WordPress hosting | PASS | FAIL | WARN | NONE |
| hostgator.com | WordPress hosting | PASS | PASS | WARN | NONE |
| generatepress.com | WordPress | PASS | FAIL | WARN | NONE |
| elegantthemes.com | WordPress | PASS | FAIL | WARN | NONE |
| flywheel.com | WordPress hosting | PASS | FAIL | FAIL | MISSING |
| backlinko.com | SEO / Marketing | FAIL | FAIL | WARN | NONE |
| wordstream.com | SEO / Marketing | PASS | PASS | WARN | NONE |
| contentmarketinginstitute.com | SEO / Marketing | PASS | FAIL | FAIL | MISSING |
| copyblogger.com | SEO / Marketing | PASS | FAIL | WARN | NONE |
| etsy.com | E-commerce | WARN | PASS | PASS | REJECT |
| chewy.com | E-commerce | WARN | PASS | PASS | REJECT |
| zappos.com | E-commerce | PASS | FAIL | PASS | QUARANTINE |
| teepublic.com | E-commerce | PASS | PASS | WARN | NONE |
| bitbucket.org | Dev tools | PASS | FAIL | PASS | REJECT |
| buttondown.email | Publishing | PASS | PASS | WARN | NONE |
| indiehackers.com | Publishing | PASS | PASS | WARN | NONE |
| ycombinator.com | Publishing | PASS | PASS | WARN | NONE |
| venturebeat.com | Publishing | PASS | PASS | WARN | NONE |
| alistapart.com | Publishing | WARN | PASS | WARN | NONE |
| riverside.fm | Indie SaaS | PASS | PASS | WARN | NONE |
| helpscout.com | Indie SaaS | PASS | PASS | WARN | NONE |
| crisp.chat | Indie SaaS | WARN | FAIL | PASS | REJECT |
| tidio.com | Indie SaaS | PASS | FAIL | PASS | REJECT |
| bonsai.finance | Indie SaaS | PASS | FAIL | FAIL | MISSING |
| 17hats.com | Indie SaaS | PASS | FAIL | PASS | QUARANTINE |
| freshbooks.com | Indie SaaS | WARN | PASS | PASS | QUARANTINE |
57 of 186 domains (30.6%) had at least one issue. Domains not listed passed all three checks at the time of scanning.
Why This Matters in 2026
In February 2024, Google and Yahoo introduced sender authentication requirements for bulk email: SPF or DKIM authentication is mandatory, and a DMARC record with at minimum p=none is required for anyone sending more than 5,000 messages per day to Gmail. These requirements have tightened further throughout 2024 and 2025.
Despite these requirements being public and widely covered, a significant portion of well-known domains have not moved beyond p=none or have gaps in DKIM coverage. The risk is real: domains with weak DMARC are easier to spoof, and spoofed email damages both sender reputation and recipient trust.
The compound finding is stark: only 69.4% of the domains we checked had all three records (SPF, DKIM, DMARC) fully configured and passing. If this rate holds across the broader web (and there is no reason to think well-known companies perform worse than average), the actual exposure across all email-sending domains is significant.
Check your own domain
Run your domain through InboxGreen's free checker. See your SPF, DKIM, and DMARC status in under 10 seconds, no signup required.
Methodology
Data collection: All checks were performed using InboxGreen's DNS-based SPF, DKIM, and DMARC checker in June 2026. The tool queries public DNS records using PHP's DNS resolution functions. No emails were sent. No private systems were accessed.
Domain selection: 186 domains were selected across nine categories: email service providers, SaaS platforms, Shopify stores, WordPress hosting providers, SEO and marketing tools, developer tools, e-commerce brands, content and publishing sites, and small SaaS tools. Domains were selected based on public recognition within their category, not performance on any metric.
SPF: A domain passes SPF if it has exactly one valid SPF TXT record starting with v=spf1. A warning is issued for ~all (softfail) instead of -all (hardfail). Failure is recorded for missing, malformed, or multiple SPF records.
DKIM: DKIM is checked by probing a predefined list of common DKIM selectors including: selector1, selector2, default, google, mail, smtp, amazonses, sendgrid, mailgun, postmark, sparkpost, zoho, mailjet, sendinblue, mandrill, protonmail, protonmail2, protonmail3, brevo1, brevo2, and others. A DKIM "fail" in this report means no valid DKIM record was found on any of these selectors. It does not guarantee DKIM is absent. Domains using custom or provider-specific selectors not in our list may be falsely reported as failing.
DMARC: A domain passes DMARC if it has a valid _dmarc TXT record with p=quarantine or p=reject. A warning is issued for p=none. Failure is recorded for missing or malformed records.
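The SPF, DKIM, and DMARC grading rules above, written out as an added Python example (not InboxGreen's code, which the page says uses PHP's DNS functions). The records are constructed for the reserved name example.com and no DNS queries are made; the selector list is a subset of the one above, and the grading of ?all, +all, a missing all term, and multiple DMARC records are assumptions.

```python
import re

# Subset of the selector list given in the Methodology section.
SELECTORS = ["selector1", "selector2", "default", "google", "mail", "smtp"]

def tags(record):
    """Parse a 'k=v; k=v' tag list (DKIM and DMARC syntax) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def grade_spf(txt):
    spf = [r for r in txt if re.match(r"v=spf1(\s|$)", r, re.I)]
    if len(spf) != 1:
        return "FAIL"                  # missing or multiple SPF records
    terms = spf[0].lower().split()[1:]
    # Assumption: only "-all" earns PASS. "~all" is the report's WARN case;
    # "?all", "+all" or no "all" term are graded WARN here as well.
    return "PASS" if "-all" in terms else "WARN"

def grade_dmarc(txt):
    """Return (status, policy), matching the report's last two table columns."""
    recs = [r for r in txt if re.match(r"v=DMARC1\s*(;|$)", r.strip())]
    if len(recs) != 1:                 # none, or several (assumed to count as a failure)
        return ("FAIL", "MISSING")
    policy = tags(recs[0]).get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return ("PASS", policy.upper())
    return ("WARN", "NONE") if policy == "none" else ("FAIL", "MISSING")

def grade_dkim(domain, zone):
    """zone maps DNS names to TXT strings and stands in for live lookups."""
    for sel in SELECTORS:
        for rec in zone.get(f"{sel}._domainkey.{domain}", []):
            if tags(rec).get("p"):     # an empty p= tag marks a revoked key
                return "PASS"
    return "FAIL"                      # not detected on the probed selectors

# Constructed records (not scan data); "k2024" is a made-up custom selector.
ZONE = {
    "example.com": ["v=spf1 include:_spf.example.net ~all", "site-verification=abc"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "k2024._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBg"],
}

def grade_domain(domain, zone):
    return (grade_spf(zone.get(domain, [])),
            grade_dkim(domain, zone),
            *grade_dmarc(zone.get(f"_dmarc.{domain}", [])))
```

For the constructed zone, grade_domain("example.com", ZONE) reports DKIM as FAIL even though a key is published, because the k2024 selector is not in the probe list: the false-negative case described under DKIM above.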
Date of scan: June 3, 2026. DNS records change over time. Domains that failed at the time of scanning may have since corrected their configuration.
Raw data: The CSV output of this scan is available. Run your own domain check to verify current status.