Defaults.Exposed

Defaults.Exposed › SPF

SPF: adoption, strength, and the spoofability gap

Data as of 2026-06-29 · methodology v7 · aggregate only

138.9 million domains publish an SPF record — but publishing isn't protecting. On our 100-point SPF Strength scale the internet scores 29, an average maturity of stage 2.39 of 6. Most records climb to "maybe" and stop.

SPF only rejects a forgery at its strict ending (-all) — or when an enforcing DMARC policy acts on the softfail. 55.8% of records end in ~all (softfail); only 39.3% end in -all. That gap — published but not enforcing — is the largest population in email security.

The SPF Adoption Maturity Model (SPFAMM)

Six stages, one move each, and a single investigative wall at Stage 3 → 4. Where DAMM measures the DMARC journey, SPFAMM measures the SPF one: from no allow-list, through the toothless middle, to a strict record that DMARC can act on.

  1. Stage 1 — None: no SPF record — 46% of all graded domains (121.1M).
  2. Stage 2 — Broken/permissive: multiple records, +all, neutral or no terminal (7.8M).
  3. Stage 3 — Softfail: ends in ~all but nothing enforces it — the modal resting place (70.4M).
  4. Stage 4 — Strict: ends in -all, parses cleanly, under the 10-lookup limit (42.5M).
  5. Stage 5 — Aligned: strict or softfail with an enforcing DMARC policy behind it (19.3M).
  6. Stage 6 — Fully protected: the aligned, enforced few (10.1M).

The wall is Stage 3 → 4: every other move is a one-line DNS edit; this one means enumerating every system that sends as you without blowing the 10-lookup limit. That is why softfail is where the internet rests.

Read the data

Check your own domain

Check your domain — free, 30 seconds →

See the fix guide: How to fix SPF → · Aggregate data only. Data stored and processed in the EU.