r/DMARC

▲ 17 r/DMARC+1 crossposts

Month two of measuring DMARC, MTA-STS, DANE, and BIMI across the top 1M domains. DANE adoption fell, and it came down to a single provider.

Last month I posted the baseline for this: a monthly measurement of how the top million domains actually deploy the four standards-track email-security protocols, DMARC, MTA-STS, DANE-for-SMTP, and BIMI. This is month two, so for the first time there are month-over-month deltas. I expected the change to be the interesting part. It was, in a way I didn't predict.

DANE was the only one of the four that went down. And it wasn't operators giving up on it. One provider, Migadu, removed the TLSA records for its entire customer fleet sometime in June. Around 500 domains that had DANE in June don't in July, still pointing at the same Migadu MX hosts, just with the TLSA records gone. Nobody on those domains touched a thing, and I doubt most of them know. Take Migadu out of the numbers and DANE grew like the rest.

That turned out to be the theme of the whole month: email security moves in provider-sized blocks, not one domain at a time. ALDI Süd switched on MTA-STS for eleven of its country domains in what was clearly one change. Of the 488 domains that gained DANE, 466 got it just by moving to a mail host that publishes it by default, mostly Cloudflare Email Routing. My favorite piece of that: about 60 of those domains are low-effort throwaways that clearly never gave email security a thought, and they picked up DANE the moment they switched hosts. The provider decided, not them.

The month-over-month changes, counting only domains present in both months (more on why in a second):

DMARC valid records: +2,282, and domains tightening their policy outnumbered those loosening it 2,488 to 567

DANE: down 249 as measured, but +258 once you remove the Migadu deletions

BIMI: +346

MTA-STS valid policy: +163, with 76 domains graduating from testing to enforce against 10 going the other way

On method, because the obvious objection to a monthly top-1M study is that the list itself churns: it does, about a quarter of it turns over every month. So I only compare domains that appear in both months. I also checked whether "leaving the list" means a domain actually changed something, and it doesn't. 48,000 domains dropped off the list in June and came back in July, and 98.5% of them had the exact same mail provider across the gap. Leaving the top 1M is a popularity-ranking dip, not a provider migration. Everything else from last month still holds: unfiltered resolvers only, a second resolver in a different region has to agree before anything is recorded, and the run is paced so we never throttle anyone.

One number I keep chewing on. If the current pace held, DMARC would reach nearly every domain by the early 2030s, while the two protocols that actually secure the connection between mail servers, MTA-STS and DANE, stay on a track that runs into the 2040s and beyond. Authenticating who sent the mail is on its way to universal. Protecting how it travels is more than a decade behind it. Real adoption curves flatten near the top so I wouldn't bet on the exact years, but the gap between the two is the thing worth watching.

Happy to get into the method, that's usually where these threads go. I run an email infrastructure company and this is our own research.

reddit.com
u/Ok_Philosophy_9766 — 3 days ago
▲ 9 r/DMARC

Two domains who use Proofpoint just started rejecting our emails citing DMARC

I've been concentrating on what I can do for our own DMARC status, so this came as something of a surprise. We're a Google Workspace customer and, so far as I know, our DKIM record is good--in fact, I just checked it in DNS. What could be causing this to happen so suddenly? What can I do about it?

reddit.com
u/Comfortable-Leg-2898 — 6 days ago
▲ 1 r/DMARC

Moving to reject before we're fully ready?

This is a follow up to this earlier post.

While I'm uncertain what triggered this issue, it's causing a fair amount of chaos for us. Not all our external email is bouncing, but enough is that it's become an issue.

My boss stopped by on his way home to ask about it. I explained what was going on and told him was that I'd been chipping away at non-compliant third-party senders but wasn't yet confident that we'd gotten them all, so that I wasn't sure we were ready to go to reject just yet.

He replied that we had to do something about it, with which I agreed. His thought, which I'd also had, was that we'd be ahead to go to reject now, given the number of bounces we were seeing. I added that we could send out an all-hands communication about it and ask, one more time, for people with third-party senders to contact us to configure them correctly.

What do you all think? I hate being hurried into big decisions, but this one is upon me.

reddit.com
u/Comfortable-Leg-2898 — 6 days ago
▲ 9 r/DMARC+3 crossposts

Domain has no DMARC/DKIN/SPF etc

Hi all I have started a new job several months ago in sales and I feel like I am being gaslighted by multiple employees and am hoping someone can clarify for me.

I have a client list of about 15,000 contacts and when I email them through my mail merge I have been getting maybe 3-4 replies, tops.

I check the open rates and they are good however recently I’ve read that is mostly vanity metrics as so many spam filters open the emails and even click links.

Recently I ran a diagnostic using MXtools on the domain and my email address.

I got several errors, no certificates for DMARC DKIN and SPF whatever that is ??

The diagnostic says this is causing my emails to go directly to spam.

Is this true ??

Our IT department says it’s not a big deal or necessary to have these things. But I’ve read not having them affects deliverables and also it allows scammers to spoof our emails (we definitely get that at this company.)

Not only that, but the marketing consultant on the other side of the country says that none of that matters at all and that I just need to get used to how difficult the marketing and sales is for this company.

Any advice is sorely needed - I feel very lied to about the reality of this situation and it’s greatly affecting my performance.

Also, when IT was asked to fix these issues, they said they would, they never did, and then when we tried again they admitted they had no access to the domain, that some other consultant has that info.

Mind you, that was the head of IT.

Does this not all seem a bit strange ?

We are a 90 million company, also.

reddit.com
u/Easy-Caterpillar-449 — 11 days ago
▲ 5 r/DMARC

DMARCbis Is Official: RFC 9989 Upgrades DMARC From Suggestion to Standard

The original RFC 7489 was published as an Informational document, meaning it described what the industry was already doing, not what it was required to do. DMARCbis arrives as a Proposed Standard on the IETF Standards Track — the first formal step toward becoming an Internet Standard. In plain terms: DMARC just graduated from “strong industry recommendation” to “official protocol.”

https://blog.kalfaoglu.net/posts/2026-06-22-dmarcbis-rfc-9989-proposed-standard-en/

reddit.com
u/Grumpy-Man19 — 11 days ago