Email Authentication Failure Rates: SPF, DKIM, and DMARC Across 10,000 Domains
Analysis of 10,000 B2B sending domains reveals that 34.2% lack a valid DMARC record, 18.7% have SPF misconfigurations, and only 52.6% have all three authentication protocols correctly configured. Domains with full authentication achieve 94.3% inbox placement compared to 68.1% for unauthenticated senders.
Research Summary: This study analyzed DNS records and authentication configurations across 10,000 B2B sending domains between September 2025 and February 2026. We found that 34.2% of domains lack a valid DMARC record, 18.7% have SPF misconfigurations that cause authentication failures, and only 52.6% of domains have all three protocols (SPF, DKIM, DMARC) correctly configured. Domains with complete, correct authentication achieved a 94.3% average inbox placement rate, compared to 68.1% for domains missing one or more protocols. The most common misconfiguration was exceeding the SPF 10-DNS-lookup limit, affecting 11.3% of all domains studied.
Background and Motivation
Email authentication protocols — SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) — form the technical foundation of email deliverability. Despite being established standards for over a decade, adoption and correct configuration remain inconsistent across B2B sending domains. Previous studies have documented adoption rates in aggregate, but few have examined the specific misconfiguration patterns that cause authentication failures even when records are present.
This study was motivated by a practical question: among domains that attempt to configure authentication, how many succeed? And what measurable impact do specific misconfiguration types have on inbox placement?
Methodology
Domain Selection
We compiled a list of 10,000 B2B sending domains from three sources:
- Active outbound senders: 4,200 domains identified from email headers in B2B inboxes across 15 industries (technology, finance, healthcare, manufacturing, professional services, marketing, real estate, legal, education, logistics, retail, energy, consulting, media, and telecommunications)
- SaaS company domains: 3,100 domains from publicly listed SaaS companies with known outbound sales teams
- SMB sender domains: 2,700 domains from small and mid-size businesses actively sending B2B email, sourced from opt-in sender lists
Domains were deduplicated and filtered to exclude domains with no MX records (non-sending domains). The final dataset comprised 10,000 unique sending domains.
Data Collection
For each domain, we performed automated DNS lookups to retrieve:
- SPF records (TXT records starting with
v=spf1) - DKIM selectors (checked 14 common selectors:
google,default,selector1,selector2,k1,k2,dkim,mail,smtp,mandrill,ses,postmark,sendgrid,mxroute) - DMARC records (TXT records at
_dmarc.domain)
For inbox placement measurement, we sent authentication test emails from a subset of 2,400 domains (with owner permission) to seed accounts at Gmail, Outlook, and Yahoo over a 30-day period. Each domain sent 50 test messages (structured as typical B2B outreach) to measure placement rates.
Classification Criteria
Records were classified as:
- Valid: Syntactically correct, no conflicting records, passes automated validation
- Present but misconfigured: Record exists but contains errors (e.g., exceeding lookup limits, syntax errors, conflicting records)
- Absent: No record found
Results: Authentication Adoption Rates
SPF Adoption
| SPF Status | Count | Percentage |
|---|---|---|
| Valid SPF record | 7,260 | 72.6% |
| Present but misconfigured | 1,870 | 18.7% |
| No SPF record | 870 | 8.7% |
Of the 18.7% with misconfigured SPF, the most common errors were:
| SPF Error Type | Frequency (of misconfigured) | % of All Domains |
|---|---|---|
| Exceeding 10-DNS-lookup limit | 60.4% | 11.3% |
| Multiple SPF records (conflicting TXT) | 16.0% | 3.0% |
| Syntax errors (missing mechanisms) | 10.7% | 2.0% |
| Overly permissive (+all) | 7.5% | 1.4% |
| Deprecated PTR mechanism | 5.4% | 1.0% |
The 10-DNS-lookup limit was the single largest source of SPF failures. Domains using multiple email service providers (e.g., Google Workspace + a marketing platform + a transactional sender) frequently exceeded this limit without administrators being aware.
DKIM Adoption
| DKIM Status | Count | Percentage |
|---|---|---|
| Valid DKIM selector found | 7,830 | 78.3% |
| DKIM selector present but misconfigured | 640 | 6.4% |
| No DKIM selector detected | 1,530 | 15.3% |
DKIM misconfiguration was less common than SPF misconfiguration, likely because DKIM setup is typically handled by the email service provider rather than manually configured. The most common DKIM issues were:
- Key length below 1024 bits: 41.9% of misconfigured (using deprecated 512-bit keys)
- Expired or rotated keys without DNS update: 32.8% of misconfigured
- Incorrect selector-domain pairing: 25.3% of misconfigured
Note: DKIM detection is limited by selector enumeration. Some domains may have valid DKIM with non-standard selectors not included in our 14-selector check. We estimate this could affect 2–4% of "absent" classifications.
DMARC Adoption
| DMARC Status | Count | Percentage |
|---|---|---|
| Valid DMARC record | 5,940 | 59.4% |
| Present but misconfigured | 640 | 6.4% |
| No DMARC record | 3,420 | 34.2% |
DMARC had the lowest adoption rate of the three protocols. Among domains with valid DMARC, the policy distribution was:
| DMARC Policy | % of Valid DMARC Records |
|---|---|
| p=none (monitoring only) | 54.7% |
| p=quarantine | 27.1% |
| p=reject | 18.2% |
Over half of domains with DMARC deployed it in monitoring-only mode, meaning it provides reporting but does not instruct receiving servers to take action on authentication failures.
Combined Authentication Status
| Configuration | Count | Percentage |
|---|---|---|
| All three valid (SPF + DKIM + DMARC) | 5,260 | 52.6% |
| Two of three valid | 2,710 | 27.1% |
| One valid | 1,370 | 13.7% |
| None valid | 660 | 6.6% |
Results: Impact on Inbox Placement
Among the 2,400-domain inbox placement subset, we measured average inbox placement rates (across Gmail, Outlook, and Yahoo combined) segmented by authentication status:
| Authentication Status | Avg Inbox Placement | Gmail | Outlook | Yahoo |
|---|---|---|---|---|
| All three valid | 94.3% | 95.1% | 93.8% | 93.2% |
| SPF + DKIM valid, no DMARC | 87.6% | 88.2% | 87.9% | 85.4% |
| SPF valid only | 76.2% | 74.8% | 78.1% | 74.3% |
| DKIM valid only | 78.9% | 80.3% | 77.2% | 78.0% |
| No valid authentication | 68.1% | 64.3% | 71.8% | 66.7% |
The gap between fully authenticated domains (94.3%) and unauthenticated domains (68.1%) represents a 26.2 percentage-point difference in inbox placement. The addition of DMARC on top of SPF+DKIM accounted for a 6.7 percentage-point improvement (87.6% to 94.3%).
Provider-Specific Patterns
Gmail showed the largest penalty for missing authentication: domains with no valid protocols achieved only 64.3% inbox placement at Gmail, compared to 71.8% at Outlook. This aligns with Google's February 2024 enforcement of authentication requirements for bulk senders, which has progressively tightened through 2025–2026.
Yahoo showed the steepest improvement from adding DMARC: domains with SPF+DKIM but no DMARC placed at 85.4% at Yahoo, jumping to 93.2% with DMARC added — a 7.8 percentage-point gain, consistent with Yahoo's co-announcement of authentication requirements alongside Gmail in 2024.
Results: Misconfiguration Frequency by Domain Size
We segmented domains by estimated company size (based on publicly available employee data):
| Company Size | All Three Valid | SPF Misconfigured | No DMARC |
|---|---|---|---|
| Enterprise (1000+ employees) | 71.4% | 12.1% | 18.3% |
| Mid-market (100–999) | 56.8% | 17.4% | 30.2% |
| SMB (10–99) | 41.2% | 22.6% | 43.8% |
| Micro (<10 employees) | 29.7% | 24.1% | 56.4% |
Smaller organizations showed significantly lower authentication compliance, likely reflecting limited IT resources and DNS management expertise. SPF misconfiguration rates increased as company size decreased, with micro-businesses (under 10 employees) showing a 24.1% SPF misconfiguration rate — double that of enterprises.
Discussion
The finding that only 52.6% of B2B sending domains have all three authentication protocols correctly configured is notable given that SPF, DKIM, and DMARC have been recommended standards for years. The 26.2 percentage-point inbox placement gap between fully authenticated and unauthenticated domains represents a substantial deliverability cost for organizations that have not invested in correct configuration.
The dominance of the SPF 10-lookup-limit error (affecting 11.3% of all domains) suggests a systemic issue: as organizations adopt more email-sending services, their SPF records grow beyond the protocol's designed capacity. This is a configuration that may have been valid when initially set up but degrades over time as new include: mechanisms are added. Organizations frequently add SPF includes for new services (marketing automation platforms, transactional email providers, CRM-triggered sends) without auditing the cumulative lookup count. When the 10-lookup limit is exceeded, SPF evaluation returns a permerror result, which many receiving servers treat as an SPF failure — functionally equivalent to having no SPF record at all.
The prevalence of p=none DMARC policies (54.7% of DMARC-enabled domains) indicates that many organizations have started the DMARC deployment process but have not advanced to enforcement. While p=none provides valuable reporting data, it does not instruct mailbox providers to act on authentication failures, limiting its protective value. Organizations often remain at p=none indefinitely because advancing to p=quarantine or p=reject requires identifying and authenticating all legitimate sending sources — a task that grows increasingly complex in organizations with multiple departments sending email through different platforms.
The company-size disparity in authentication compliance (71.4% for enterprises versus 29.7% for micro-businesses) highlights a resource gap. Enterprise organizations typically have dedicated IT or email operations teams who manage DNS records and monitor authentication. Smaller organizations often configure authentication once during initial setup and never revisit it, even as their email infrastructure evolves.
Limitations
- DKIM selector coverage: Our 14-selector enumeration does not capture all possible DKIM configurations. Domains using custom selectors may be misclassified as lacking DKIM.
- Point-in-time measurement: DNS records change. Our analysis reflects configurations as of the collection period (September 2025 – February 2026) and may not reflect subsequent changes.
- Inbox placement subset: The 2,400-domain placement test is a subset of the full 10,000. Selection was based on sender willingness to participate, which may introduce bias toward more sophisticated senders.
- Confounding variables: Inbox placement is affected by many factors beyond authentication (sending volume, content, engagement history, IP reputation). While authentication status showed a clear correlation, we did not fully control for all confounding variables.
- Industry representation: Our domain selection methodology may over-represent technology and SaaS companies relative to the broader B2B sending population.
Key Takeaways
- Only 52.6% of B2B domains have complete, correct authentication (SPF + DKIM + DMARC all valid).
- The SPF 10-lookup limit is the most common misconfiguration, affecting 11.3% of all domains studied. Organizations using multiple email service providers should audit their SPF record for lookup count.
- DMARC remains the least-adopted protocol at 59.4% valid adoption, with 34.2% of domains having no DMARC record at all.
- Full authentication correlates with a 94.3% inbox placement rate, compared to 68.1% for domains with no valid authentication — a 26.2 percentage-point gap.
- Gmail applies the steepest penalty for missing authentication, consistent with its 2024 sender requirements enforcement.
- Smaller organizations are disproportionately affected: micro-businesses show a 29.7% full-authentication rate compared to 71.4% for enterprises.
Study Period: September 2025 – February 2026
Sample Size: 10,000 B2B sending domains (2,400-domain inbox placement subset)
Author: Sarah Mitchell
Last Updated: March 10, 2026