Skip to content

Email Auth Q1 2026: Full Report

Key idea:

The measured data reveals the following key findings: the SPF record is present with a pass value of 78%, DKIM signing is active with a pass value of 54%, and the DMARC record is present with a pass value of 31%. Among DMARC adopters, 78% have a DMARC policy of p=none (monitor only), while 14% have a DMARC policy of p=quarantine. Full tables are provided below on this page.

Below: key findings, platform breakdown, implications, methodology, FAQ.

Check your site →

Key Findings

MetricPass/ValueMedianp75
SPF record present78%
DKIM signing active54%
DMARC record present31%
DMARC p=none (monitor only)78% of DMARC adopters
DMARC p=quarantine14%
DMARC p=reject (full enforce)8%
Full triad (SPF+DKIM+DMARC)28%
Passed Gmail/Yahoo 2024 requirements24%

Breakdown by Platform

PlatformShareDetail
Yandex Mail 360 (for domains)18%SPF+DKIM: auto, DMARC: manual
Mail.ru (business)12%SPF+DKIM: auto
Google Workspace8%SPF+DKIM: auto, DMARC: manual
Bitrix24 email6%SPF: 34% / DKIM: 12%
Mailgun/Sendgrid7%Full triad: 89%
Custom SMTP28%Full triad: 18%

Why It Matters

  • As of early 2024, without implementing DMARC, particularly the p=none policy, Gmail and Yahoo are likely to reject bulk senders.
  • Yandex.Mail since 2025 requires SPF+DKIM mandatory, DMARC recommended. Without — spam folder or reject
  • 78% DMARC adopters on p=none — that's not enforcement, attacker can still spoof
  • Custom SMTP without a professional email provider shows a significant challenge, as only a portion meets the requirements set by major platforms like GSuite and Yandex.
  • Quick win: setting up through Mailgun/Sendgrid enables the full triad configuration for a significant majority of users, streamlining the process compared to manual setups that can take much longer.

Methodology

List of 10k active RU domains (Mail.ru MX + Yandex.Mail MX + custom SMTP detection). DNS queries: SPF (TXT), DKIM (TXT with selector probing: default/google/mail/mandrill/s1/s2), DMARC (_dmarc.domain TXT). March 2026.

TL;DR: Understanding Email Authentication in Q1 2026

In Q1 2026, email authentication standards—SPF, DKIM, and DMARC—remain critical for ensuring email deliverability and preventing phishing attacks. As of January 2026, 78% of domains implement SPF, 54% use DKIM, and 31% have adopted DMARC policies. Proper configuration includes using a valid SPF record, signing emails with DKIM, and setting DMARC to 'reject' to enhance security. For example, a typical SPF record might look like: v=spf1 include:_spf.google.com ~all.

Comprehensive Analysis of SPF, DKIM, and DMARC Adoption

Email authentication is a fundamental aspect of email security, ensuring that messages are sent from legitimate sources. In Q1 2026, the landscape of SPF, DKIM, and DMARC adoption shows significant growth, reflecting an increasing awareness of the importance of email security.

SPF (Sender Policy Framework)

SPF allows domain owners to specify which IP addresses are authorized to send emails on their behalf. Currently, 78% of domains have implemented SPF records. This reflects a growing trend towards improved email security practices.

The syntax of an SPF record follows this structure:

v=spf1 ip4:192.0.2.0/24 include:_spf.example.com -all

In this example, the domain authorizes the IP range 192.0.2.0/24 and includes another domain’s SPF record.

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to emails, enabling recipients to verify that the email was indeed sent by the claimed domain and that it has not been altered in transit. In Q1 2026, 78% of domains are using DKIM. This increase can be attributed to widespread awareness of phishing tactics and the necessity for data integrity.

A DKIM record typically looks like this:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB...

Here, 'p=' contains the public key that receiving servers use to verify the signature.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC builds on SPF and DKIM by adding a policy framework that tells receiving mail servers what to do if SPF or DKIM checks fail. Currently, a significant portion of domains have implemented DMARC, with a notable trend towards using the 'reject' policy to enhance email security.

A typical DMARC record is configured as follows:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensics@example.com

This record instructs mail servers to reject emails that fail authentication checks and to send aggregate and forensic reports to the specified email addresses.

Practical Example of Configuration

To implement SPF, DKIM, and DMARC effectively, follow these steps:

  1. SPF: Create an SPF record in your DNS settings. Use dig to verify:
dig TXT example.com
  1. DKIM: Generate a DKIM key pair. Publish the public key in your DNS, and configure your mail server to sign outgoing messages.
opendkim-genkey -s default -d example.com
  1. DMARC: Add a DMARC record to your DNS settings. Validate using:
dig TXT _dmarc.example.com

Monitoring these records is essential. Utilize tools like MXToolbox or dmarcian to analyze SPF, DKIM, and DMARC configurations, ensuring they are functioning as intended.

Conclusion

In summary, the adoption of SPF, DKIM, and DMARC is critical for the security and deliverability of emails. With 78% of organizations having an SPF record present, 54% actively signing with DKIM, and 31% implementing a DMARC record, it is essential for organizations to prioritize these protocols to protect against phishing attacks and ensure their communications are trusted. Regularly auditing and updating these records is essential to maintaining email integrity and security.

Public KeyDKIM key in DNS TXT record
Key LengthRSA-1024, 2048, or Ed25519
Quick TestDomain + selector = result
ValidationSyntax and parameters of DKIM TXT

Why teams trust us

DKIM
signature check
SPF
SPF + DMARC audit
DNS
TXT record check
Free
no limits

How it works

1

Enter domain and selector

2

Fetch DKIM TXT record

3

Validate public key

What is DKIM?

DKIM (DomainKeys Identified Mail) is a mechanism to digitally sign email with a key stored in DNS. This allows recipients to verify that the email was genuinely sent from the specified domain.

Selector-based Check

Specify domain and DKIM selector — get the public key and its parameters.

Key Analysis

RSA/Ed25519 key length, hash algorithm, flags, and validity period.

Recommendations

If key < 2048 bits — we issue a warning and key rotation instructions.

Instant Result

Direct DNS query in seconds — no waiting for TTL.

Who uses this

Email marketers

pre-send verification

Sysadmins

mail server setup

Security

phishing protection audit

Developers

email deliverability debug

Common Mistakes

Using 1024-bit key1024 bits is considered weak. Gmail and Outlook require at least 2048 bits.
Not rotating keysSame key for years — risk of compromise. Rotate keys every 6–12 months.
Wrong selectorEach ESP uses its own selector. Ensure the correct key is in DNS for each.
Not checking after ESP changeWhen changing email service, always verify the new provider's DKIM.

Best Practices

Use 2048-bit keysThis is the current recommended minimum. Ed25519 is a more modern alternative.
Set up DMARC with DKIMWithout DMARC, even correct DKIM signing doesn't protect from Display-From spoofing.
Check after migrationWhen changing DNS provider, DKIM records are often lost. Check immediately after.
Document all selectorsKeep a list of all DKIM selectors — useful during rotation and auditing.

Get more with a free account

DKIM check history and DNS monitoring for domain record changes.

Sign up free

Learn more

Frequently Asked Questions

What are Gmail/Yahoo 2024 requirements?

Since Feb 2024: senders of 5000+ emails/day to Gmail/Yahoo must have SPF + DKIM + DMARC (minimum p=none), one-click unsubscribe header, spam rate < 0.3%. Otherwise — throttling or reject.

Is DMARC p=none enough?

For Gmail 2024 — yes. But attackers can still spoof your domain (p=none is monitor-only). Goal: progress to p=quarantine → p=reject.

How to check my setup?

<a href="/en/dkim">Enterno DKIM/DMARC checker</a> scans SPF+DKIM+DMARC with one URL. Or mail-tester.com for a full email score.

Mailgun/Sendgrid vs self-SMTP?

For <10k emails/mo — self-SMTP works (with proper triad setup over 2-4 weeks). For scale or reliability — provider saves time and pain.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.