Defaults.Exposed › Reports
The Email Spoofability Index: How Many Domains Can Anyone Forge? (2026)
Published 2026-07-03
Figures as of 2026-06-29 · methodology v7. Aggregate census across 261 million graded domains — the internet as we measure it — joined per domain. All figures are aggregate; never an individual business’s grade. See how we grade.
How many domains can be spoofed?
9 in 10. 89.4% of the internet — 233,445,245 domains — publishes no policy that tells receivers to reject or junk mail that fails authentication. That is what we count as spoofable, and it is the attacker’s-eye view of the census: not “who started securing email”, but “who can still be impersonated”. Most domains have started — they publish SPF. Far fewer have finished, and the gap between those two verbs is the index.
What does “spoofable” mean here?
A precise definition, because this number gets quoted: a domain is spoofable when it publishes no DMARC policy at p=quarantine or p=reject — the only standardised instruction that makes every major receiver reject or junk a failed message. Some receivers do act on a strict SPF -all by itself, but that behaviour is discretionary and inconsistent across the world’s inboxes; DMARC enforcement is the instruction they all honour. So a spoofable domain isn’t necessarily undefended everywhere — it is undefended by policy, dependent on each receiver’s goodwill.
That’s also why publishing SPF alone doesn’t move a domain off this index: SPF identifies your genuine mail, but without enforcement nothing instructs receivers to act on the forgeries.
Which domain endings are most spoofable?
The share of graded domains lacking enforcing DMARC, by ending:
| TLD | Spoofable share |
|---|---|
| .xyz | 94.9% |
| .de | 78.6% |
| .com | 90.5% |
| .org | 90.0% |
| .uk | 86.6% |
| .nl | 70.6% |
No neighbourhood on the internet is safe — the spread between endings is degrees of exposure, not categories of it. Country-level extremes are their own story: see the most spoofable countries for the by-country league this index summarises.
The mail-server cut: live inboxes, no protection
Sharpest slice of the index: 42.7% of all graded domains run a live mail server while publishing no authentication at all — 111,369,509 domains that both receive real mail and offer forgers an unguarded name. These aren’t parked shells; they’re operating mail domains whose owners never fitted the locks.
Why this is the number that matters
Adoption statistics flatter the internet; spoofability measures what an attacker can still do. The fix is free at every step — SPF, DKIM, then a DMARC policy at p=reject — and each domain that finishes moves from the 9-in-10 to the protected few. The two articles are the same dataset read from opposite ends: this one counts the open doors; that one counts the locked ones.
Frequently asked questions
What makes a domain spoofable?
The absence of an enforcing DMARC policy (p=quarantine or p=reject). Without it, no standardised instruction tells receivers to reject or junk mail that fails SPF/DKIM checks. 89.4% of domains — 9 in 10 — are in this state as of 2026-06-29.
I publish SPF — can my domain still be spoofed? If nothing enforces, yes. SPF proves which mail is genuine; it doesn’t instruct receivers to reject the rest. The mechanism and the fix are covered in SPF without DMARC.
Does DMARC p=quarantine make my domain safe?
It moves you off this index: failed mail is junked rather than delivered to the inbox. p=reject goes further and refuses it outright — the strongest setting, and the recommended destination.
How do I make my domain unforgeable?
Fit all three locks — SPF, DKIM, and DMARC at p=reject — each a free DNS change. Fix your DMARC policy is the enforcement step that takes you off the index.
Check whether yours is one of the 9
Your domain is either on this index or off it, and the answer is free to get and free to change.
Check your domain → · Fix DMARC → · Fix SPF → · The most spoofable countries → · The protected few → · Aggregate data only. Data stored and processed in the EU.