We scanned 33k Kenyan domains. Only 2.2% can block impersonation.
A baseline analysis of DNS authentication across East Africa's leading digital economy.
Domains analyzed
Missing DMARC
At p=reject
Average score
01
Executive summary
Kenya represents one of the most rapidly digitizing economies in Sub-Saharan Africa. With the widespread adoption of mobile money platforms like M-Pesa and a growing e-commerce sector, the reliance on secure digital communications is higher than ever. However, our analysis of 33,111 Kenyan domains reveals a significant enforcement gap in email authentication.
A small leader cohort demonstrates commendable proactive security, most notably within the public-sector namespace on .go.ke, where the Communications Authority of Kenya has set a visible precedent at p=quarantine. The broader commercial namespace, however, remains heavily exposed. Over 74% of analyzed domains entirely lack DMARC alignment, leaving citizens and businesses susceptible to direct domain spoofing, phishing, and business email compromise (BEC).
02
Methodology
Data was collected using the Authex Global Scanner framework between April 1, 2026 and April 18, 2026. The dataset comprises 33,111 active domains. Geographic targeting was established via ccTLD filtering on the .ke namespace with enrichment via MX record IP geolocation and WHOIS registration data. All scans were non-intrusive DNS queries (SPF, DKIM, DMARC, BIMI, MTA-STS).
Authex Scanner · N=33,111
03
Snapshot
04
Analysis
The policy enforcement gap
Publishing a DMARC record is merely the first step. True security is only achieved at enforcement (p=quarantine or p=reject). In Kenya, the dominant obstacle sits even earlier in the journey: 74.6% of analyzed domains have yet to publish any DMARC record at all. Among the minority that have, a familiar “monitoring plateau” emerges. Roughly one in seven Kenyan domains has deployed p=none for visibility but has not transitioned to enforcement, typically due to the operational complexity of managing third-party senders.
Chart 01 · Sector posture breakdown
Average Authex security score by major economic sector (0–100 scale).
Authentication under the hood
When examining the raw protocol adoption, the risks become clearer. A staggering supermajority of the namespace lacks rudimentary policy protection, meaning the default action for spoofed mail relying on these domains depends entirely on the varying whims of receiving ESPs (Email Service Providers), rather than explicit domain owner intent.
Chart 02 · DMARC policy distribution
DMARC policy distribution across the Kenyan namespace (N=33,111).
Enforcement disparity across sectors
Because our methodology relies exclusively on public DNS record retrieval, we cannot observe raw email volume or blocked attacks. However, mapping the configuration states across different economic zones reveals clear, systemic gaps. Public-sector domains on .go.ke are meaningfully invested in progressing toward enforcement, whereas .ac.ke education and .or.ke nonprofit domains overwhelmingly lack basic DMARC topologies.
05
Vanguards
Domains leading by example. Explicit, verified enforcement at the perimeter.
06
Cite this
Authex publishes empirical country and sector benchmarks on email authentication adoption. We scan millions of domains across the open Internet to urge the industry towards strict enforcement.
Reference
Authex (2026). Kenya Email Security 2026.
Retrieved from https://authexlabs.com/research/kenya-2026Related reports
Move your domain out of the 74%.
Three in four Kenyan domains have no DMARC at all. Run a free scan to see where yours sits.