CONTINUOUS INTERNET TELEMETRY24H DRIFT3,258 material changesacross 2,837 domains · -140 vs yesterdayDNS DRIFT21 domains changed DNS providertop destination digicertdns.com + digicertdns.net · -6 vs yesterdayEMAIL DRIFT5 domains switched email providertop destination 365cool.com · -1 vs yesterdayCERT DRIFT8 domains switched issuing CA24h · +1 vs yesterdayNOW3,309 curated domains not answering-6,409 vs yesterdayERRORS10,960 responded with an errorlast probe · 5xx / 404 / 429 / 40324H DRIFT3,258 material changesacross 2,837 domains · -140 vs yesterdayDNS DRIFT21 domains changed DNS providertop destination digicertdns.com + digicertdns.net · -6 vs yesterdayEMAIL DRIFT5 domains switched email providertop destination 365cool.com · -1 vs yesterdayCERT DRIFT8 domains switched issuing CA24h · +1 vs yesterdayNOW3,309 curated domains not answering-6,409 vs yesterdayERRORS10,960 responded with an errorlast probe · 5xx / 404 / 429 / 403

Publishing DMARC is not enforcing it

Every "does it have DMARC?" audit treats a DMARC record as protection. It is not. p=none is monitoring mode: the domain publishes a policy that instructs the world to do nothing at all about mail forged in its name. It passes the checkbox and stops zero attacks. A sector can be almost fully "DMARC-adopted" and almost entirely unprotected, and nobody reports that, because reporting it means holding the policy and not just the presence of a record.

Across the 48,228 domains we have an email-auth reading for, 59% publish DMARC. 32% of those publish p=none, which enforces nothing.

tranco_40k 17,911 scanned
6,088 enforcing 3,640 p=none (enforces nothing) 8,183 no DMARC
54% publish DMARC. Of those, 37% are p=none, which enforces nothing.
tranco_20k 8,351 scanned
3,095 enforcing 1,516 p=none (enforces nothing) 3,740 no DMARC
55% publish DMARC. Of those, 33% are p=none, which enforces nothing.
push_legacy 7,380 scanned
3,439 enforcing 1,414 p=none (enforces nothing) 2,527 no DMARC
66% publish DMARC. Of those, 29% are p=none, which enforces nothing.
tranco_10k 3,934 scanned
1,443 enforcing 743 p=none (enforces nothing) 1,748 no DMARC
56% publish DMARC. Of those, 34% are p=none, which enforces nothing.
tranco_5k 2,616 scanned
915 enforcing 379 p=none (enforces nothing) 1,322 no DMARC
49% publish DMARC. Of those, 29% are p=none, which enforces nothing.
fortune_500 931 scanned
521 enforcing 131 p=none (enforces nothing) 279 no DMARC
70% publish DMARC. Of those, 20% are p=none, which enforces nothing.
tranco_1k 513 scanned
194 enforcing 39 p=none (enforces nothing) 280 no DMARC
45% publish DMARC. Of those, 17% are p=none, which enforces nothing.
manufacturing 376 scanned
218 enforcing 80 p=none (enforces nothing) 78 no DMARC
79% publish DMARC. Of those, 27% are p=none, which enforces nothing.
media_entertainment 373 scanned
221 enforcing 68 p=none (enforces nothing) 84 no DMARC
77% publish DMARC. Of those, 24% are p=none, which enforces nothing.
pharma_biotech 328 scanned
179 enforcing 75 p=none (enforces nothing) 74 no DMARC
77% publish DMARC. Of those, 30% are p=none, which enforces nothing.
fashion_luxury 305 scanned
194 enforcing 45 p=none (enforces nothing) 66 no DMARC
78% publish DMARC. Of those, 19% are p=none, which enforces nothing.
web3_defi 292 scanned
172 enforcing 28 p=none (enforces nothing) 92 no DMARC
68% publish DMARC. Of those, 14% are p=none, which enforces nothing.
education_expanded 291 scanned
171 enforcing 111 p=none (enforces nothing) 9 no DMARC
97% publish DMARC. Of those, 39% are p=none, which enforces nothing.
consulting 288 scanned
202 enforcing 38 p=none (enforces nothing) 48 no DMARC
83% publish DMARC. Of those, 16% are p=none, which enforces nothing.
hospitality 287 scanned
151 enforcing 48 p=none (enforces nothing) 88 no DMARC
69% publish DMARC. Of those, 24% are p=none, which enforces nothing.
automotive 278 scanned
138 enforcing 55 p=none (enforces nothing) 85 no DMARC
69% publish DMARC. Of those, 28% are p=none, which enforces nothing.
cybersecurity_expanded 270 scanned
181 enforcing 29 p=none (enforces nothing) 60 no DMARC
78% publish DMARC. Of those, 14% are p=none, which enforces nothing.
fintech_expanded 261 scanned
186 enforcing 27 p=none (enforces nothing) 48 no DMARC
82% publish DMARC. Of those, 13% are p=none, which enforces nothing.
sports_entertainment 254 scanned
115 enforcing 55 p=none (enforces nothing) 84 no DMARC
67% publish DMARC. Of those, 32% are p=none, which enforces nothing.
insurance 253 scanned
132 enforcing 35 p=none (enforces nothing) 86 no DMARC
66% publish DMARC. Of those, 21% are p=none, which enforces nothing.
non_profit 237 scanned
132 enforcing 52 p=none (enforces nothing) 53 no DMARC
78% publish DMARC. Of those, 28% are p=none, which enforces nothing.
energy 235 scanned
121 enforcing 30 p=none (enforces nothing) 84 no DMARC
64% publish DMARC. Of those, 20% are p=none, which enforces nothing.
construction 219 scanned
111 enforcing 41 p=none (enforces nothing) 67 no DMARC
69% publish DMARC. Of those, 27% are p=none, which enforces nothing.
telecom 204 scanned
104 enforcing 45 p=none (enforces nothing) 55 no DMARC
73% publish DMARC. Of those, 30% are p=none, which enforces nothing.
government_expanded 194 scanned
113 enforcing 37 p=none (enforces nothing) 44 no DMARC
77% publish DMARC. Of those, 25% are p=none, which enforces nothing.
logistics_expanded 181 scanned
81 enforcing 41 p=none (enforces nothing) 59 no DMARC
67% publish DMARC. Of those, 34% are p=none, which enforces nothing.
real_estate_expanded 181 scanned
91 enforcing 42 p=none (enforces nothing) 48 no DMARC
73% publish DMARC. Of those, 32% are p=none, which enforces nothing.
legal_expanded 173 scanned
103 enforcing 26 p=none (enforces nothing) 44 no DMARC
75% publish DMARC. Of those, 20% are p=none, which enforces nothing.
agriculture 168 scanned
70 enforcing 27 p=none (enforces nothing) 71 no DMARC
58% publish DMARC. Of those, 28% are p=none, which enforces nothing.
aerospace 157 scanned
78 enforcing 34 p=none (enforces nothing) 45 no DMARC
71% publish DMARC. Of those, 30% are p=none, which enforces nothing.
crypto 63 scanned
58 enforcing 4 p=none (enforces nothing) 1 no DMARC
98% publish DMARC. Of those, 6% are p=none, which enforces nothing.
big_tech 57 scanned
53 enforcing 3 p=none (enforces nothing) 1 no DMARC
98% publish DMARC. Of those, 5% are p=none, which enforces nothing.
fintech 54 scanned
47 enforcing 5 p=none (enforces nothing) 2 no DMARC
96% publish DMARC. Of those, 10% are p=none, which enforces nothing.
misc 54 scanned
15 enforcing 6 p=none (enforces nothing) 33 no DMARC
39% publish DMARC. Of those, 29% are p=none, which enforces nothing.
devops 47 scanned
37 enforcing 4 p=none (enforces nothing) 6 no DMARC
87% publish DMARC. Of those, 10% are p=none, which enforces nothing.
security 47 scanned
47 enforcing 0 p=none (enforces nothing) 0 no DMARC
100% publish DMARC. Of those, 0% are p=none, which enforces nothing.
email_comms 44 scanned
37 enforcing 6 p=none (enforces nothing) 1 no DMARC
98% publish DMARC. Of those, 14% are p=none, which enforces nothing.
languages 44 scanned
21 enforcing 13 p=none (enforces nothing) 10 no DMARC
77% publish DMARC. Of those, 38% are p=none, which enforces nothing.
dev_tools 43 scanned
37 enforcing 2 p=none (enforces nothing) 4 no DMARC
91% publish DMARC. Of those, 5% are p=none, which enforces nothing.
media 43 scanned
29 enforcing 8 p=none (enforces nothing) 6 no DMARC
86% publish DMARC. Of those, 22% are p=none, which enforces nothing.
data_analytics 41 scanned
30 enforcing 7 p=none (enforces nothing) 4 no DMARC
90% publish DMARC. Of those, 19% are p=none, which enforces nothing.
ai_ml 40 scanned
31 enforcing 6 p=none (enforces nothing) 3 no DMARC
93% publish DMARC. Of those, 16% are p=none, which enforces nothing.
ecommerce 35 scanned
29 enforcing 5 p=none (enforces nothing) 1 no DMARC
97% publish DMARC. Of those, 15% are p=none, which enforces nothing.
infrastructure 33 scanned
14 enforcing 7 p=none (enforces nothing) 12 no DMARC
64% publish DMARC. Of those, 33% are p=none, which enforces nothing.
cloud 31 scanned
24 enforcing 2 p=none (enforces nothing) 5 no DMARC
84% publish DMARC. Of those, 8% are p=none, which enforces nothing.
developer 31 scanned
7 enforcing 2 p=none (enforces nothing) 22 no DMARC
29% publish DMARC. Of those, 22% are p=none, which enforces nothing.
cms 30 scanned
25 enforcing 4 p=none (enforces nothing) 1 no DMARC
97% publish DMARC. Of those, 14% are p=none, which enforces nothing.
banks 25 scanned
25 enforcing 0 p=none (enforces nothing) 0 no DMARC
100% publish DMARC. Of those, 0% are p=none, which enforces nothing.
government 25 scanned
16 enforcing 3 p=none (enforces nothing) 6 no DMARC
76% publish DMARC. Of those, 16% are p=none, which enforces nothing.

CAA: naming which authorities may issue a certificate

CAA is an issuance allowlist: it names which certificate authorities are allowed to issue a certificate for a domain, which is a real defense against mis-issuance. There is a catch worth knowing: a CAA record that carries only an iodef reporting address restricts nobody - any CA can still issue - even though it passes a simple "has CAA?" check. So the number that matters is not who publishes CAA, but who actually constrains issuance.

6,930actually restrict who may issue
201publish CAA that restricts nobody
10forbid all issuance (issue ";")
41,435publish no CAA at all

Of 48,576 domains we have a reading for, 15% publish any CAA, and 3% of those constrain no one.

security.txt: publishing where to report a problem, and keeping it current

RFC 9116 asks a domain to publish where to report a vulnerability, and makes an Expires date mandatory - so a stale file cannot sit there forever pointing at an inbox nobody reads. An expired security.txt can be worse than none: it points a researcher at a contact the organisation may no longer be watching.

947publish a security.txt
124of those have EXPIRED (13%)
8,018publish none
1,359refused our read (unknown, not "none")

Read for 10,324 domains so far, and climbing as enrichment sweeps the catalog.

Computed only over domains we have actually taken an email-auth reading for. A domain we have not scanned for this is unknown, never "has no DMARC" - absence of evidence is not evidence of absence, and here that is the difference between a finding and a smear. Sectors under 25 observed domains are omitted: below that the percentages are noise. Every figure comes from a signed observation you can re-verify.