We scanned 45k US domains. Only 17.5% can block impersonation.
A baseline analysis of DNS authentication across the world's largest commercial email namespace.
01
Executive summary
The United States represents the largest commercial email namespace in the world. With the widespread adoption of cloud-native business suites such as Microsoft 365 and Google Workspace, and with federal directive BOD 18-01 enforcing DMARC across civilian agencies since 2018, the country operates under far more mature authentication expectations than most of its peers. Our analysis of 45,353 US-hosted domains, however, reveals a persistent enforcement gap below the headline brands.
A regulated leader cohort demonstrates commendable discipline. Finance averages 61.1 out of 100 and Healthcare 55.6, both pulled up by explicit p=reject deployment at scale. The broader commercial namespace behaves differently. Nonprofit domains average 42.3, and the unclassified long tail, which comprises the majority of the dataset, averages 33.1. Across the full population, 44.4% of domains publish no DMARC record at all, leaving their users susceptible to direct domain spoofing, phishing, and business email compromise (BEC).
02
Methodology
Data was collected using the Authex Global Scanner framework during April 2026. The dataset comprises 45,353 active US-hosted domains. Geographic targeting combined MX record IP geolocation and WHOIS registration records to identify US-hosted domains across the open TLD namespace. Sector classification was derived from enrichment metadata: HTML page analysis, MX patterns, and known registrant categories. All scans were non-intrusive DNS queries (SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT).
Authex Scanner · N=45,353
03
Snapshot
04
Analysis
The enforcement plateau
True protection is only achieved at enforcement (p=quarantine or p=reject). In the US namespace, 17.5% of domains publish p=reject and 13.7% publish p=quarantine, a combined enforcement rate of 31.2%. A further 24.4% have deployed p=none for visibility but have not transitioned to enforcement. This is the familiar monitoring plateau, and it represents roughly a quarter of the entire US commercial namespace sitting on reports it is not acting on.
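The policy buckets used above can be reproduced from raw `_dmarc` TXT answers. The following is an added example, not Authex scanner code: the sample records are constructed, the function names are hypothetical, and counting unusable records (duplicates, non-DMARC TXT, a broken `p=` with no `rua=`) as "missing" is an assumption based on how RFC 7489 receivers treat them.

```python
from collections import Counter

VALID = ("none", "quarantine", "reject")

def parse_dmarc(txt_records):
    """Return the tags of the one usable DMARC record, else None."""
    usable = []
    for rec in txt_records:
        segments = rec.split(";")
        # RFC 7489: the version tag must come first and be exactly DMARC1
        if "".join(segments[0].split()) != "v=DMARC1":
            continue
        usable.append({k.strip().lower(): v.strip()
                       for k, v in (s.split("=", 1) for s in segments if "=" in s)})
    # Zero or several DMARC records both mean receivers apply no policy
    return usable[0] if len(usable) == 1 else None

def posture(txt_records):
    """Classify one domain as missing / none / quarantine / reject."""
    tags = parse_dmarc(txt_records)
    if tags is None:
        return "missing"
    p = tags.get("p", "").lower()
    if p in VALID:
        return p
    # RFC 7489 6.6.3: invalid p= with a usable rua= is treated as p=none
    has_rua = any(u.strip().lower().startswith("mailto:")
                  for u in tags.get("rua", "").split(","))
    return "none" if has_rua else "missing"

def summarize(domains):
    counts = Counter(posture(recs) for recs in domains.values())
    enforced = counts["quarantine"] + counts["reject"]
    return dict(counts), round(100 * enforced / len(domains), 1)

# Constructed sample: domain -> TXT strings returned for _dmarc.<domain>
SAMPLE = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:d@a.example"],
    "b.example": ["v=DMARC1; p=quarantine"],
    "c.example": ["v=DMARC1; p=none; rua=mailto:d@c.example"],
    "d.example": [],                                        # no record
    "e.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],  # duplicates
    "f.example": ["v=spf1 -all"],                           # SPF in wrong place
    "g.example": ["v=DMARC1; p=rejct; rua=mailto:d@g.example"],  # typo + rua
    "h.example": ["v=DMARC1; p=rejct"],                     # typo, no rua
}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Domains `e` through `h` show why a raw "has a TXT record" count overstates coverage: each publishes something at `_dmarc`, yet none yields an enforced policy.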
Chart 01 · Sector posture breakdown
Average Authex security score by major economic sector (0–100 scale).
Regulation drives the leaderboard
The sector hierarchy in the US data tracks regulatory pressure far more closely than it tracks firm size. Finance leads at 61.1, where obligations under FFIEC supervisory guidance and state-level cybersecurity rules such as NYDFS Part 500 have made DMARC a standard control. Government, constrained since 2018 by CISA Binding Operational Directive 18-01, posts 57.9. Healthcare, answering to HIPAA and CISA-issued healthcare sector alerts, follows at 55.6. Nonprofit, at 42.3, lags the regulated verticals by a margin large enough to be material. Sectors without a direct federal mandate consistently underperform those with one.
Chart 02 · DMARC policy distribution
DMARC policy distribution across the US namespace (N=45,353).
The long tail is the story
Because our methodology relies exclusively on public DNS record retrieval, we cannot observe raw email volume or blocked attacks. What we can observe is where rudimentary policy protection is absent. Finance shows 9.4% of its domains missing DMARC and Government 11.2%, both inside a reasonable band for a regulated vertical. Nonprofit sits at 38.0% missing, and the unclassified commercial majority at 53.1%. The enforcement ceiling among regulated sectors is no longer the binding constraint on US email security. The binding constraint is the middle of the distribution: mid-market businesses, small nonprofits, and unclassified commercial domains that have not adopted even a basic DMARC configuration.
05
Vanguards
Domains leading by example. Explicit, verified enforcement at the perimeter.
06
Cite this
Authex publishes empirical country and sector benchmarks on email authentication adoption. We scan millions of domains across the open Internet to urge the industry towards strict enforcement.
Reference
Authex (2026). US Email Security 2026.
Retrieved from https://authexlabs.com/research/us-2026