The state of email enforcement 2026.
A multi-country benchmark of email authentication adoption, covering DMARC, SPF, DKIM, MTA-STS, TLS-RPT, and BIMI, published continuously as regional analyses are completed. Grounded in observed DNS, not surveys. Primary source.
Where the series stands today.
The series at a glance.
The four published reports converge on a single pattern: the binding constraint on email security is enforcement, not deployment. Click through any row for the full analysis.
| Region | No DMARC | At enforcement | Standout finding |
|---|---|---|---|
| Kenya 33,111 domains | 74% | <3% | The enforcement gap is structural across banking, telecom, and government. |
| United States Commercial namespace | 4% | 31.2% | The mid-market and unclassified commercial long tail is the binding constraint, not the regulated cohort. |
| United Kingdom Public sector + commercial | 5.4% (gov) | 90.2% (gov) | Bimodal: policy-driven public sector leads globally; SME commercial cohort lags. |
| Nonprofit (global) Cross-country sector cut | 46.4% | 6% | Widest measured gap inside a single sector; donor-impersonation risk is structural. |
“At enforcement” combines p=quarantine and p=reject. Figures sourced from each report’s primary analysis; see the report for confidence ranges and sector breakdowns.
Regional reports.
Each region is scoped, scanned, and analysed independently. We publish one country at a time so the data quality is the same in every report.
Kenya Email Security 2026
PublishedBaseline analysis of 33,111 active Kenyan domains. DMARC adoption, BIMI eligibility, SPF lookup distribution, and sector-level scoring across banking, telecom, government, and education.
India State of DMARC 2026
In DraftAssessment of the banking and federal sectors in the world's fastest-growing digital infrastructure. Expected publication Q3 2026; draft findings available on request under NDA.
Nigeria Financial Sector 2027
PlannedIsolated look at strict enforcement adoption among West Africa's top 500 financial institutions. Scheduled scan begins December 2026.
Themes emerging across regions.
Early patterns from the work so far. Final cross-regional conclusions land once India and Nigeria publish; these are the directional findings that the data already supports.
DMARC at p=reject is still rare
Across Kenya's 33,111 domains, fewer than 3% publish a DMARC record at enforcement. The gap between "has DMARC" and "enforces DMARC" is where most of the authentication problem actually sits.
BIMI readiness is a trailing indicator
BIMI requires p=quarantine or p=reject. Eligibility rates correlate almost perfectly with enforcement rates. The number of domains that could publish BIMI but don't is less interesting than the number that can't because they haven't enforced DMARC.
SPF PermError is a silent failure mode
A meaningful percentage of domains publish SPF records that exceed the 10-lookup limit when resolved recursively. These domains think SPF is passing; their DMARC reports say otherwise.
MTA-STS adoption is nearly zero in most sectors
Transport hardening remains an enthusiast concern. Sub-5% MTA-STS adoption across every sector measured so far. TLS-RPT is rarer still.
Covering the research.
Each regional report is independently citeable. Journalists on deadline can pull numbers from the published Kenya report today and flag the other regions as upcoming; we also make early summary figures available under embargo.
- Data in published reports is free to cite with attribution to Authex Labs or Authex Threat Intelligence.
- Raw scan outputs (domain lists, grades, protocol-level detail) available on request for academic research.
- Embargo access to the next regional report available for outlets covering email security or regional cyber policy.
How does your domain compare?
Authex Atlas ranks any domain against the 4M+ tracked in the live dataset. Scan yours in 30 seconds. Free. No signup.