Defaults.Exposed › SPF
SPF: adoption, strength, and the spoofability gap
Data as of 2026-06-29 · methodology v7 · aggregate only
138.9 million domains publish an SPF record — but publishing isn't protecting. On our 100-point SPF Strength scale the internet scores 29, an average maturity of stage 2.39 of 6. Most records climb to "maybe" and stop.
SPF only rejects a forgery at its strict ending (-all) — or when an enforcing DMARC policy acts on the softfail. 55.8% of records end in ~all (softfail); only 39.3% end in -all. That gap — published but not enforcing — is the largest population in email security.
The SPF Adoption Maturity Model (SPFAMM)
Six stages, one move each, and a single investigative wall at Stage 3 → 4. Where DAMM measures the DMARC journey, SPFAMM measures the SPF one: from no allow-list, through the toothless middle, to a strict record that DMARC can act on.
- Stage 1 — None: no SPF record — 46% of all graded domains (121.1M).
- Stage 2 — Broken/permissive: multiple records,
+all, neutral or no terminal (7.8M). - Stage 3 — Softfail: ends in
~allbut nothing enforces it — the modal resting place (70.4M). - Stage 4 — Strict: ends in
-all, parses cleanly, under the 10-lookup limit (42.5M). - Stage 5 — Aligned: strict or softfail with an enforcing DMARC policy behind it (19.3M).
- Stage 6 — Fully protected: the aligned, enforced few (10.1M).
The wall is Stage 3 → 4: every other move is a one-line DNS edit; this one means enumerating every system that sends as you without blowing the 10-lookup limit. That is why softfail is where the internet rests.
Read the data
- The SPF Adoption Maturity Model (SPFAMM)
The 6 stages of SPF, and the investigative wall at Stage 3→4 where most of the internet stops. - ~all vs -all: what 139M records chose
Softfail is the modal ending: 55.8% end in ~all ("probably fake — deliver anyway") vs 39.3% in strict -all. - The SPF PermError Report
797,263 domains silently break their own SPF by crossing the 10-lookup limit — 100× more than surface counts show. - Two SPF records = none
1,013,416 domains publish two or more SPF records — the rule voids all of them. - The ptr trap
A mechanism discouraged since 2014, still in 950,631 records. - The +all map
36,015 domains publish +all — an open invitation to send as them. - Which email provider gives the strongest SPF defaults?
A 15-provider league of strict-SPF and enforcement rates — your provider writes your default. - The Email Spoofability Index
How many domains can anyone forge — by TLD and country.
Check your own domain
Check your domain — free, 30 seconds →
See the fix guide: How to fix SPF → · Aggregate data only. Data stored and processed in the EU.