Defaults.Exposed › Reports
Publishing SPF Isn't Enough: The False Sense of Email Security (2026)
Published 2026-06-29
Figures as of 2026-06-29 · methodology v7. Aggregate census data joining checks per domain across 261 million graded domains. “Enforcing” = a DMARC policy of
quarantineorreject. See how we grade.
Part of the DMARC pillar — DMARC adoption, maturity and league tables, measured across the whole census.
The most dangerous place to be in email security is feeling protected. 32.4% of domains publish SPF but have no DMARC at all — and 45.7% have SPF that isn’t backed by enforcement. These owners did something, saw “SPF: configured,” and stopped. But SPF alone doesn’t stop someone forging your visible “From” address — only enforced DMARC does. As of 2026-06-29, just 3.87% of domains are fully email-protected.
The gap between “configured” and “protected”
SPF checks which servers may send for you. It does not govern the “From” address a person actually sees, and it doesn’t tell receivers what to do on failure. That’s DMARC’s job. So SPF without an enforcing DMARC policy is a lock with no door behind it:
| State | Share of domains | Actually protected? |
|---|---|---|
| SPF published, no DMARC record at all | 32.4% | No |
| SPF published, DMARC not enforcing | 45.7% | No |
| Fully email-protected (SPF + DKIM + enforced DMARC) | 3.87% | Yes |
Read that middle row again: 45.7% of all domains have SPF but no enforcement — a near-majority of the internet sitting in the false-security zone. They are, for an attacker’s purposes, spoofable — and 89.4% of domains overall are.
The worst version: mail in, no guard on the door
It gets sharper for domains that actually receive email. 42.7% of domains accept mail (they have MX records) but have no working email authentication at all — no SPF enforcement, no DMARC. These are live, in-use domains whose owners send and receive every day, fully impersonable. The activity is exactly what makes them attractive targets for invoice fraud and supplier scams.
Why “we have SPF” became the trap
SPF is older, simpler, and the first thing most setup guides mention — so it’s the box that gets ticked. DMARC came later, sounds more advanced, and requires a deliberate progression to enforcement. The result is a huge population that adopted step one and never took step two, then carried on believing the job was done. The census makes the scale of that misconception visible for the first time: 32.4% with SPF and no DMARC at all.
How to actually get protected
- Keep your SPF, but don’t rely on it alone. (Fix SPF.)
- Add DKIM so your mail is signed. (Fix DKIM.)
- Publish DMARC and move it to enforcement (
p=none→quarantine→reject). This is the step that converts “configured” into “protected.” (Fix DMARC.)
Frequently asked questions
Is SPF enough to stop email spoofing? No. SPF doesn’t protect the visible “From” address or tell receivers to reject forgeries — only an enforcing DMARC policy does. 45.7% of domains have SPF without that enforcement.
I have an SPF record — am I protected?
Not on its own. You’re protected when SPF and DKIM are both in place and backed by DMARC set to quarantine or reject. Just 3.87% of domains reach all three.
What share of domains can still be impersonated? 89.4% — because they lack enforcing DMARC, regardless of whether they publish SPF.
Why is having mail (MX) without auth especially risky? 42.7% of domains actively send and receive email but have no working authentication — live, trusted domains that anyone can forge, which is exactly what fraudsters look for.
Check whether you’re actually protected
“We have SPF” is not the same as protected. Check your domain free and private — see whether your email can still be forged.
Check your domain → · Fix DMARC → · The domain exposure score → · p=none isn’t protection → · Aggregate data only. Data stored and processed in the EU.