Email Authentication Report 2026: We Checked 186 Domains
Published June 2026 · By The InboxGreen Team · Methodology
In June 2026, InboxGreen ran automated SPF, DKIM, and DMARC checks against 186 publicly known domains across email service providers, SaaS companies, Shopify stores, and WordPress hosting platforms. Only 69.4% passed all three checks. Here is what we found.
Key Findings
69.4%
of domains passed SPF, DKIM, and DMARC. Nearly 1 in 3 had at least one gap
19.3%
had weak or missing DMARC enforcement: policy set to p=none or no DMARC record at all
14%
had no DKIM record detected on any tested selector at the time of scanning
3.2%
had zero DMARC record, leaving their domain completely exposed to spoofing
SPF Results
SPF was the strongest of the three. Most domains have an SPF record, but softfail (~all) instead of hard fail (-all) is common, which reduces protection without breaking delivery.
DKIM Results
DKIM had the widest gap. 14% of domains had no DKIM record detectable on standard selectors. It is worth noting that some of these domains may use non-standard DKIM selectors not included in our probe list; see Methodology for details. Even accounting for this, a meaningful number of domains appear to lack DKIM entirely.
DMARC Results
DMARC showed the most variation. Having a DMARC record at p=none means the domain owner receives reports but mail providers take no action against spoofed messages. It offers zero protection.
DMARC Policy Breakdown
Findings by Category
| Category | Domains | All Three Pass | DMARC Weak or Missing | DKIM Not Detected |
|---|---|---|---|---|
| Email Service Providers | 24 | 83% | 12.5% (3 on p=none) | 8% (2 domains) |
| SaaS Platforms | 38 | 71% | 13% (5 on p=none) | 13% (5 domains) |
| Shopify Stores | 28 | 57% | 32% (9 domains) | 18% (5 domains) |
| WordPress Hosting | 18 | 61% | 33% (6 domains) | 33% (6 domains) |
| SEO and Marketing Tools | 12 | 75% | 17% (2 domains) | 17% (2 domains) |
| Developer Tools and Hosting | 12 | 92% | 0% | 8% (1 domain) |
| E-commerce Brands | 16 | 75% | 6% | 13% |
| Content and Publishing | 18 | 72% | 22% (4 on p=none) | 0% |
| Small SaaS and Indie Tools | 20 | 65% | 25% | 10% |
Shopify stores and WordPress hosting platforms showed the highest rates of weak or missing DMARC. Developer tool companies (Cloudflare, DigitalOcean, Netlify, Vercel, etc.) had the strongest overall authentication hygiene.
Notable Individual Findings
The following observations are based on publicly available DNS records queried in June 2026. All DNS records are intentionally public. They are read by every mail server that processes incoming email.
Email tools with p=none DMARC
Three well-known email marketing platforms (ConvertKit, Drip, and Campaign Monitor) had DMARC records set to p=none at the time of scanning. This means they monitor for spoofing but do not instruct receiving servers to block or quarantine suspicious messages. These are companies that send email on behalf of their customers and publish guidance on DMARC best practices.
Shopify stores with missing DMARC
Among the 28 Shopify stores scanned, two had no DMARC record at all (olipop.com, ridgewallet.com) and one had SPF returning a fail result, DKIM not detected on any tested selector, and no DMARC record found (ouai.com). These are direct-to-consumer brands that rely on email for order confirmations, shipping updates, and marketing, making deliverability directly tied to revenue.
WordPress hosting providers with p=none
Bluehost, Dreamhost, and Hostgator (three of the most recommended WordPress hosts) all had DMARC set to p=none on their own domains. Flywheel had no DMARC record at all. These companies actively recommend DMARC to their customers in their documentation.
Developer infrastructure with missing authentication
Flywheel (WordPress hosting) and contentmarketinginstitute.com both had no DMARC record. Backlinko.com had SPF returning a fail result and DKIM not detected on any tested selector at the time of scanning, a notable finding for a widely-read SEO publication given that SPF and DMARC are topics frequently covered on that site.
All Domains with Issues
The table below shows every domain from our scan that had at least one SPF, DKIM, or DMARC problem. Domains where all three passed are excluded. All data is from public DNS records queried June 3, 2026.
| Domain | Category | SPF | DKIM | DMARC | DMARC Policy |
|---|---|---|---|---|---|
| convertkit.com | Email tool | PASS | PASS | WARN | NONE |
| drip.com | Email tool | PASS | PASS | WARN | NONE |
| campaignmonitor.com | Email tool | PASS | PASS | WARN | NONE |
| emailoctopus.com | Email tool | WARN | PASS | PASS | REJECT |
| sendgrid.com | Email tool | PASS | FAIL | PASS | REJECT |
| sparkpost.com | Email tool | WARN | PASS | PASS | REJECT |
| elasticemail.com | Email tool | PASS | FAIL | PASS | QUARANTINE |
| webflow.com | SaaS | WARN | PASS | PASS | REJECT |
| notion.so | SaaS | PASS | FAIL | PASS | QUARANTINE |
| plausible.io | SaaS | PASS | FAIL | PASS | QUARANTINE |
| paddle.com | SaaS | PASS | FAIL | PASS | REJECT |
| gumroad.com | SaaS | WARN | PASS | WARN | NONE |
| podia.com | SaaS | PASS | FAIL | WARN | NONE |
| circle.so | SaaS | PASS | PASS | WARN | NONE |
| hubspot.com | SaaS | WARN | PASS | PASS | REJECT |
| asana.com | SaaS | PASS | PASS | PASS | QUARANTINE |
| chubbies.com | Shopify store | PASS | PASS | WARN | NONE |
| colourpop.com | Shopify store | WARN | PASS | PASS | REJECT |
| graza.co | Shopify store | WARN | PASS | WARN | NONE |
| olipop.com | Shopify store | PASS | FAIL | FAIL | MISSING |
| ridgewallet.com | Shopify store | PASS | FAIL | FAIL | MISSING |
| wandrd.com | Shopify store | PASS | PASS | WARN | NONE |
| ruggable.com | Shopify store | WARN | PASS | WARN | NONE |
| puravidabracelets.com | Shopify store | PASS | PASS | WARN | NONE |
| functionofbeauty.com | Shopify store | WARN | PASS | WARN | NONE |
| ouai.com | Shopify store | FAIL | FAIL | FAIL | MISSING |
| tuftandneedle.com | Shopify store | PASS | FAIL | PASS | QUARANTINE |
| wordpress.org | WordPress | PASS | FAIL | PASS | REJECT |
| kinsta.com | WordPress hosting | PASS | FAIL | PASS | REJECT |
| bluehost.com | WordPress hosting | WARN | PASS | WARN | NONE |
| dreamhost.com | WordPress hosting | PASS | FAIL | WARN | NONE |
| hostgator.com | WordPress hosting | PASS | PASS | WARN | NONE |
| generatepress.com | WordPress | PASS | FAIL | WARN | NONE |
| elegantthemes.com | WordPress | PASS | FAIL | WARN | NONE |
| flywheel.com | WordPress hosting | PASS | FAIL | FAIL | MISSING |
| backlinko.com | SEO / Marketing | FAIL | FAIL | WARN | NONE |
| wordstream.com | SEO / Marketing | PASS | PASS | WARN | NONE |
| contentmarketinginstitute.com | SEO / Marketing | PASS | FAIL | FAIL | MISSING |
| copyblogger.com | SEO / Marketing | PASS | FAIL | WARN | NONE |
| etsy.com | E-commerce | WARN | PASS | PASS | REJECT |
| chewy.com | E-commerce | WARN | PASS | PASS | REJECT |
| zappos.com | E-commerce | PASS | FAIL | PASS | QUARANTINE |
| teepublic.com | E-commerce | PASS | PASS | WARN | NONE |
| bitbucket.org | Dev tools | PASS | FAIL | PASS | REJECT |
| buttondown.email | Publishing | PASS | PASS | WARN | NONE |
| indiehackers.com | Publishing | PASS | PASS | WARN | NONE |
| ycombinator.com | Publishing | PASS | PASS | WARN | NONE |
| venturebeat.com | Publishing | PASS | PASS | WARN | NONE |
| alistapart.com | Publishing | WARN | PASS | WARN | NONE |
| riverside.fm | Indie SaaS | PASS | PASS | WARN | NONE |
| helpscout.com | Indie SaaS | PASS | PASS | WARN | NONE |
| crisp.chat | Indie SaaS | WARN | FAIL | PASS | REJECT |
| tidio.com | Indie SaaS | PASS | FAIL | PASS | REJECT |
| bonsai.finance | Indie SaaS | PASS | FAIL | FAIL | MISSING |
| 17hats.com | Indie SaaS | PASS | FAIL | PASS | QUARANTINE |
| freshbooks.com | Indie SaaS | WARN | PASS | PASS | QUARANTINE |
57 of 186 domains (30.6%) had at least one issue. Domains not listed passed all three checks at the time of scanning.
Why This Matters in 2026
In February 2024, Google and Yahoo introduced sender authentication requirements for bulk email: SPF or DKIM authentication is mandatory, and DMARC at minimum p=none is required for senders sending more than 5,000 messages per day to Gmail. These requirements have tightened further throughout 2024 and 2025.
Despite these requirements being public and widely covered, a significant portion of well-known domains have not moved beyond p=none or have gaps in DKIM coverage. The risk is real: domains with weak DMARC are easier to spoof, and spoofed email damages both sender reputation and recipient trust.
The compound finding is stark: only 69.4% of the domains we checked had all three records (SPF, DKIM, DMARC) fully configured and passing. If this rate holds across the broader web (and there is no reason to think well-known companies perform worse than average), the actual exposure across all email-sending domains is significant.
Check and Fix Your Own Domain
If this report made you wonder about your own domain's authentication, these tools check it in seconds.
See your live SPF record and count DNS lookups. Catches duplicate records and syntax errors.
Look up any DKIM selector on any domain. Shows whether the key exists and its length.
Fetch your live DMARC record and check the policy, pct, and reporting address.
Paste raw email headers to see SPF, DKIM, and DMARC results from an actual sent message.
Related Guides
PermError, multiple records, softfail vs hardfail, and alignment failures explained with fixes.
Selector not found, body hash mismatch, key length, and why DKIM passes but DMARC still fails.
Alignment failures, missing reports, policy progression from p=none to p=reject.
For step-by-step setup instructions per provider, see the Email Authentication Guides: Google Workspace, Microsoft 365, SendGrid, Mailgun, Brevo, Shopify, and more.
Check your own domain
Run your domain through InboxGreen's free checker. See your SPF, DKIM, and DMARC status in under 10 seconds, no signup required.
Methodology
Data collection: All checks were performed using InboxGreen's DNS-based SPF, DKIM, and DMARC checker in June 2026. The tool queries public DNS records using PHP's DNS resolution functions. No emails were sent. No private systems were accessed.
Domain selection: 186 domains were selected across nine categories: email service providers, SaaS platforms, Shopify stores, WordPress hosting providers, SEO and marketing tools, developer tools, e-commerce brands, content and publishing sites, and small SaaS tools. Domains were selected based on public recognition within their category, not performance on any metric.
SPF: A domain passes SPF if it has exactly one valid SPF TXT record starting with v=spf1. A warning is issued for ~all (softfail) instead of -all (hardfail). Failure is recorded for missing, malformed, or multiple SPF records.
DKIM: DKIM is checked by probing a predefined list of common DKIM selectors including: selector1, selector2, default, google, mail, smtp, amazonses, sendgrid, mailgun, postmark, sparkpost, zoho, mailjet, sendinblue, mandrill, protonmail, protonmail2, protonmail3, brevo1, brevo2, and others. A DKIM "fail" in this report means no valid DKIM record was found on any of these selectors. It does not guarantee DKIM is absent. Domains using custom or provider-specific selectors not in our list may be falsely reported as failing.
DMARC: A domain passes DMARC if it has a valid _dmarc TXT record with p=quarantine or p=reject. A warning is issued for p=none. Failure is recorded for missing or malformed records.
Date of scan: June 3, 2026. DNS records change over time. Domains that failed at the time of scanning may have since corrected their configuration.
Raw data: The full CSV dataset is available for download. Download the raw CSV (186 domains). You can also run your own domain check to verify current status.