Defaults.Exposed › Reports
SPF Is Not Enough: the 119 Million Domains That Never Enforce
Published 2026-07-03 · updated 2026-07-03
Figures as of 2026-06-29 · methodology v7. Census data joining checks per domain across 261 million graded domains. “Enforcing” = a DMARC policy of
quarantineorreject; “fully protected” = SPF and DKIM both in place, plus enforcing DMARC — the complete email-authentication triad. All figures are aggregate — we never publish an individual business’s grade.
The count: how many domains rely on SPF alone
SPF alone is not enough to stop email impersonation — and the census can now count how many domains are relying on it anyway: 119,212,005 (119 million) publish SPF but never enforce DMARC. That is 85.8% of every domain that bothered to set SPF up. Its companion piece, SPF without DMARC, explains the mechanism — why SPF can’t defend the “From” address a person actually sees; this article measures the population — how many domains that gap leaves exposed, and what the shape of the exposure is.
The short version: setting up SPF is the most common act of email security on the internet, and for the overwhelming majority of the domains that did it, it is also the last.
The three populations
139 million domains — 138,911,937 of them — publish an SPF record. Split by what stands behind it:
| Population | Domains | Share of SPF publishers |
|---|---|---|
| SPF published, no DMARC record at all | 84,638,430 | 60.9% |
| SPF published, DMARC present but never enforced (superset, includes the row above) | 119,212,005 | 85.8% |
| SPF + DKIM, backed by enforcing DMARC | 10,092,481 | — |
The rows don’t sum to the SPF total: the remainder are SPF publishers whose DMARC does enforce but whose DKIM isn’t fully in place — enforcing, yet short of the complete triad the bottom row counts.
The middle row is the headline: roughly 119 million domains did the work of declaring their legitimate senders and then never told the world’s inboxes to act on it. And the bottom row is the punchline: across all 261 million graded domains, just 3.87% — about 10 million — are fully email-protected. Full protection is not a high bar technically; it is simply the finish of a journey that 119 million domains started and stopped.
Why the count is so lopsided
SPF is where every setup guide begins, where most mail providers’ onboarding ends, and what most compliance checklists actually test. It produces a visible artefact — a TXT record — and a green tick in whatever tool checked it. Enforced DMARC produces the opposite experience: it demands a progression (publish, observe, identify senders, then enforce), and its reward is invisible — forged mail that quietly stops landing.
So the internet optimised for the tick. The census shows what that looks like at scale: 85 million domains (84,638,430) have SPF and no DMARC record of any kind — not even a p=none placeholder. These owners aren’t lazy; they followed the instructions they were given, and the instructions stopped early.
What “covered” actually means here
Consequence, not fear: a domain with SPF and no enforcing DMARC can still be impersonated in the one place humans look — the visible “From” line. SPF lets receiving servers verify which machines may send on the envelope domain’s behalf, but without DMARC there is no requirement that the visible sender matches anything SPF checked, and no instruction to reject mail that fails. The forged invoice, the fake password reset, the supplier-payment redirect — all remain deliverable to your customers and suppliers in your name, SPF record notwithstanding.
In the six stages of DMARC maturity, these 119 million domains are stuck in Stages 1–3 — the floor is built, or part-built, and the door was never fitted. The distance from there to protected is well understood and mostly procedural; what this census adds is the knowledge that almost nobody walks it.
If your domain is one of the 119 million
- Keep SPF — it’s a prerequisite, not a mistake. (Fix SPF →.)
- Add DKIM so your mail is signed as well as sourced. (Fix DKIM →.)
- Publish DMARC with reporting, then enforce —
p=nonewithrua=first, identify every legitimate sender, then move toquarantineandreject. This is the step that converts “configured” into “protected”. (Fix DMARC →.)
Frequently asked questions
Is SPF enough to protect a domain from spoofing? No. SPF validates sending servers against the envelope domain; it neither checks the visible “From” address nor tells receivers to reject failures. Only an enforcing DMARC policy does both — and 119,212,005 domains publish SPF without one.
How many domains have SPF but no DMARC at all? 84,638,430 — 60.9% of all SPF publishers have no DMARC record of any kind, not even monitoring mode.
How many domains are fully protected?
10,092,481 — 3.87% of the 261 million graded domains combine SPF and DKIM with a DMARC policy of quarantine or reject.
Does having SPF at least help? Yes — it is the foundation DMARC evaluates against, and it improves deliverability of your legitimate mail. It just doesn’t protect anything by itself; it’s step one of three, and the census shows most of the internet treated it as the whole staircase.
Check which population your domain is in
“We set up SPF” describes 139 million domains; “we’re protected” describes 10 million. Finding out which one you are takes a minute, privately and free — see which of the 34 checks you pass and how to fix the ones you don’t.
Check your domain → · The 6 stages of DMARC maturity → · The DMARC pillar → · Aggregate data only. Data stored and processed in the EU.