Defaults.Exposed

Defaults.Exposed › Reports

The SPF Adoption Maturity Model (SPFAMM): The 6 Stages of SPF (2026)

Published 2026-07-03

Figures as of 2026-06-29 · methodology v7. A reference model backed by a recurring census of 261 million graded domains; each edition re-measures the same population so the numbers can be tracked over time. All figures are aggregate — we never publish an individual business’s record.

What stage is the internet at?

Stage 2.4 of 6. Measured across 261 million domains, the average domain has not yet reached a working SPF fence — and the internet as a whole scores 29 out of 100 on SPF strength. Publishing SPF is the most common act of email security there is (53.21% of domains do it), yet most of those records stop at a setting that asks receivers to deliver forgeries anyway.

The problem isn’t adoption — it’s that most maturity guidance stops at “we published SPF”, as if the record itself were the achievement. An SPF record can authorise the entire internet, express no opinion, quietly void itself, or sit at softfail forever because tightening it means work nobody scheduled. A useful model names each of those states. This one does: the SPF Adoption Maturity Model — SPFAMM, six stages, one move each, and a name you can cite. It is the SPF companion to the six stages of DMARC maturity.

What are the six stages of SPF maturity?

Every one of the 261 million graded domains sits at exactly one of stages 1–5, and those five populations sum to the census total precisely; stage 6 is the hardened subset counted within stage 5. That’s what makes SPFAMM a measurement rather than a poster.

StageNameDomainsShare
1Unprotected121,145,60946.4%
2Permissive or broken7,798,3663.0%
3Soft-fenced70,368,60027.0%
4Strict42,514,53216.3%
5Aligned19,259,1257.4%
6Hardened10,092,4813.87%

(Stage 6 is the hardened subset of Stage 5’s aligned domains, so stages 1–5 partition the census and stage 6 sits inside stage 5.)

Stage 1 — Unprotected. No v=spf1 record. No receiver checks anything; forging the domain on the SPF leg is easy. The move: publish a v=spf1 record listing your real senders, ending in a fail qualifier.

Stage 2 — Permissive or broken. A record exists but protects nothing. This stage collects the toothless endings — ?all neutral (3.0% of publishers) and the +all welcome mat — together with the broken records: multiple v=spf1 records, which the standard voids entirely, and fragmentary records with no usable ending. One carve-out: about 2.1 million records end in redirect=, which is valid delegation — their real policy lives at the target, and we count them here only because their own record carries no verdict. The move: one record, one real ending — ~all or -all.

Stage 3 — Soft-fenced. The record ends in ~all (softfail) with nothing enforcing behind it — 70.4 million domains, the largest population of any published-SPF stage. Softfail is a real fence with an unlocked gate: it tells receivers “mail from elsewhere is probably forged”, and asks them to deliver it anyway. The move: climb the wall — account for every sender, then take either route up (below).

Stage 4 — Strict. The record ends in -all: 42.5 million domains publishing an outright “reject everyone else”, with no DMARC enforcement behind it yet. One honest caveat our own measurement now quantifies: a -all record that exceeds the 10-lookup limit is void no matter how strict it looks — at least 112,215 of the internet’s -all records are in that state. The move: put an enforcing DMARC policy behind the record, so failures are acted on everywhere.

Stage 5 — Aligned. SPF — soft or strict — sits behind DMARC p=quarantine or p=reject. This is the stage where spoofing your exact domain actually stops at every major mailbox provider: 19.3 million domains, of which 7.1 million pair ~all with enforcement (the pattern Google’s sender guidelines recommend) and 12.1 million pair -all with it. The move: add DKIM and keep watching — records rot.

Stage 6 — Hardened. SPF plus DKIM plus enforcing DMARC — the fully protected set, 10,092,481 domains, 3.87% of the internet — plus the discipline of monitoring for drift: include: chains change, providers move IPs, someone connects a new tool that sends as you. The move: stay here. It’s a practice, not a badge.

The no-mail lane. A domain that sends no mail can jump to the top in one edit: SPF -all plus DMARC p=reject. Nothing legitimate to protect means no wall to climb — and it closes one of the most common impersonation vectors there is.

Why is Stage 3 where the internet stalls?

Because almost every other move is a small DNS edit, and the move out of Stage 3 is work: enumerating every system that legitimately sends as you — mailbox provider, newsletter platform, CRM, invoicing tool, the thing marketing signed up last spring — and fitting them into one record without blowing the 10-lookup budget. That’s the wall. ~all is the last rung reachable without doing it, which is why 70.4 million domains rest there.

From the top of the wall there are two routes up, and both arrive at Stage 5:

The census shows how rarely either route gets finished: of the 77.5 million softfail records, only 7.1 million — about 1 in 11 — have enforcement behind them.

How is the SPF Strength Score calculated?

Simply, and we hold the weights constant so the score is comparable month to month: full credit for domains where something enforces (stages 5–6), half credit for a real fence nobody acts on (stages 3–4), nothing for absent, permissive or broken records. On that scale the internet scores 29/100 as of 2026-06-29. Nearly half the population contributes zero because it publishes nothing at all.

How do I find my domain’s stage?

Stages 1–4 are readable straight from your DNS record; stage 5 adds your DMARC policy; stage 6 adds DKIM. The one thing a glance can’t tell you is whether a strict record is secretly over the lookup limit — that takes resolving the chain, which our checker does for you.

Frequently asked questions

What is SPFAMM? The SPF Adoption Maturity Model — the six-stage model on this page: Unprotected, Permissive/broken, Soft-fenced, Strict, Aligned, Hardened. Every domain’s stage is computable from its DNS: stages 1–5 partition the 261 million-domain census exactly, and stage 6 is the hardened subset within stage 5.

What stage are most domains at? Stage 1 — 46.4% of domains publish no SPF at all. Among domains that do publish, Stage 3 (softfail without enforcement) is the most common resting place, with 70.4 million domains. The population-weighted average is stage 2.4.

Is ~all softfail good enough? Only with an enforcing DMARC policy behind it — that pairing is Stage 5 and the pattern Google’s sender guidelines recommend. On its own it’s Stage 3: real fence, unlocked gate. The full comparison is in ~all vs -all.

Do I have to reach -all to be safe? No. Stage 4 is one of two routes, not a requirement — keeping ~all and enforcing with DMARC p=reject arrives at the same protection at DMARC-evaluating receivers. What is required is the wall: knowing every sender before anything enforces.

How many domains complete all six stages? 10,092,481 — 3.87% of the internet — hold SPF, DKIM and an enforcing DMARC policy together. Every stage transition is free; the details are in the protected few.

Check where your domain stands

Your domain is at exactly one of these six stages, and the next move is knowable in 30 seconds — free, and every fix along the ladder is a DNS change, not a purchase.

Check your domain → · Fix SPF → · ~all vs -all · The SPF PermError report → · The 6 stages of DMARC maturity → · Aggregate data only. Data stored and processed in the EU.