State of DNS & Email Security 2026: We Scanned 100 Domains
Why We Did This
We scanned 100 domains using IntoDNS.ai to understand the real state of DNS and email security in 2026. The sample includes Dutch government agencies, international tech companies, universities, security vendors, email providers, news media, and retail brands.
Every domain was scanned using the same methodology: 50+ security checks covering SPF, DKIM, DMARC, DNSSEC, MTA-STS, BIMI, IPv6, blacklists, and best practices. Each domain received a grade from A+ to F.
The results paint a clear picture: most organizations still have significant gaps in their email security configuration.
Overall Results: 60% Score D or F
Out of 100 domains scanned, the grade distribution is alarming:
**Grade Distribution:**
- A+ — 0 domains (0%)
- A — 2 domains (2%)
- B — 17 domains (17%)
- C — 21 domains (21%)
- D — 50 domains (50%)
- F — 10 domains (10%)
The average score across all 100 domains is **66.1%**, which translates to a D grade. Not a single domain achieved an A+ rating, meaning even the best-configured domains have room for improvement.
Zero domains scored A+ — even top-tier organizations miss at least one security standard.
Email Authentication Adoption
The good news: basic email authentication is widely adopted. The bad news: strict enforcement is not.
**Adoption rates (n=100):**
- SPF records present: 95%
- DMARC records present: 95%
- DKIM configured: 85%
- Full email auth (SPF + DKIM + DMARC): 85%
- SPF with strict -all: 59%
- DMARC with p=reject: 60%
- Strict enforcement (SPF -all + DMARC reject): only 37%
This means 63% of domains have email authentication that looks good on paper but doesn't actually prevent spoofing. An attacker can still send phishing emails from these domains because the policies don't enforce rejection.
Having SPF and DMARC is not enough. You need SPF with -all and DMARC with p=reject for real protection.
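The difference between "record present" and "strict enforcement" can be checked mechanically from the TXT records themselves. The following is an added example, not IntoDNS.ai's own code: it classifies a domain by the two criteria named above (SPF ending in -all, DMARC with p=reject). The function names and the sample records are constructed for illustration, and the records are passed in as strings so the code runs offline.

```python
import re

def spf_all(apex_txt):
    """Qualifier of the SPF 'all' mechanism, 'no-all', or 'missing'."""
    for txt in apex_txt:
        terms = txt.lower().split()
        if terms[:1] != ["v=spf1"]:
            continue
        for term in terms[1:]:
            m = re.fullmatch(r"([-~?+]?)all", term)
            if m:
                return m.group(1) or "+"  # bare "all" is "+all" (pass everything)
        return "no-all"  # redirect= is not followed in this sketch
    return "missing"

def dmarc_policy(dmarc_txt):
    """Value of the p= tag, or 'missing' when there is no record or no p= tag."""
    for txt in dmarc_txt:
        tags = [t.strip() for t in txt.split(";") if t.strip()]
        if not tags or tags[0].replace(" ", "").lower() != "v=dmarc1":
            continue
        for tag in tags[1:]:
            name, _, value = tag.partition("=")
            if name.strip().lower() == "p":
                return value.strip().lower()
    return "missing"

def enforcement(apex_txt, dmarc_txt):
    """Classify by the article's criteria: SPF -all plus DMARC p=reject."""
    spf, policy = spf_all(apex_txt), dmarc_policy(dmarc_txt)
    if spf == "-" and policy == "reject":
        return "strict"
    if spf == "missing" and policy == "missing":
        return "none"
    return "present-not-strict"

# Constructed sample records (not scan data from the article).
SAMPLES = {
    "strict.example": (["v=spf1 include:_spf.mail.example -all"],
                       ["v=DMARC1; p=reject; rua=mailto:d@strict.example"]),
    "soft.example": (["v=spf1 mx ~all"], ["v=DMARC1; p=none"]),
    "mixed.example": (["v=spf1 mx -all"], ["v=DMARC1; p=quarantine"]),
    "bare.example": (["site-verification=constructed"], []),
}

if __name__ == "__main__":
    for domain, (apex, dmarc) in SAMPLES.items():
        print(domain, spf_all(apex), dmarc_policy(dmarc), enforcement(apex, dmarc))
```

The first argument is the TXT record set at the domain apex and the second is the TXT record set at `_dmarc.<domain>`.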
Advanced Standards: MTA-STS, BIMI, DNSSEC
Newer email security standards show much lower adoption:
**Advanced feature adoption:**
- DNSSEC: 46% (but 65% for .nl domains vs 28% for .com)
- BIMI: 26%
- MTA-STS: 20%
- HTTP/3: 25%
- CAA records: 50%
- security.txt: 53%
- IPv6 (website): 47%
MTA-STS is particularly concerning at only 20% adoption. Without MTA-STS, email connections can be downgraded to unencrypted, enabling man-in-the-middle attacks.
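Publishing an MTA-STS policy only stops downgrades once it is in enforce mode and lists the MX hosts that actually receive mail. The following added example (not part of the original article or of IntoDNS.ai) parses a policy file in the RFC 8461 key/value format and reports what a compliant sender would do for a given MX host. The policy texts and host names are constructed.

```python
def parse_policy(text):
    """Parse the body of /.well-known/mta-sts.txt into a dict."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())  # mx may repeat
        else:
            policy[key] = value
    return policy

def mx_matches(pattern, host):
    host = host.rstrip(".").lower()
    if pattern.startswith("*."):
        # Per RFC 8461 the wildcard covers exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def downgrade_protection(policy_text, mx_host):
    p = parse_policy(policy_text)
    if p.get("version") != "STSv1" or p.get("mode") not in ("enforce", "testing"):
        return "none"            # no usable policy: opportunistic TLS only
    if not any(mx_matches(pat, mx_host) for pat in p["mx"]):
        return "mx-not-listed"   # in enforce mode senders will not deliver here
    # testing mode: failures are reported, but mail is still delivered
    return "enforced" if p["mode"] == "enforce" else "report-only"

# Constructed policy files for illustration.
ENFORCE = ("version: STSv1\r\nmode: enforce\r\n"
           "mx: mail.example.com\r\nmx: *.mx.example.net\r\nmax_age: 604800\r\n")
TESTING = ENFORCE.replace("mode: enforce", "mode: testing")

if __name__ == "__main__":
    for host in ("mail.example.com.", "a.mx.example.net", "a.b.mx.example.net"):
        print(host, downgrade_protection(ENFORCE, host))
    print("testing:", downgrade_protection(TESTING, "mail.example.com"))
```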
The .nl TLD dramatically outperforms .com on DNSSEC (65% vs 28%), reflecting the Dutch registry SIDN's long-standing push for DNSSEC adoption.
Rankings by Category
We grouped the 100 domains into 8 categories. The differences are striking:
**Average scores by category:**
1. Dutch Government — 86.9%
2. Universities — 71.7%
3. Dutch Companies — 66.1%
4. Email Providers — 66.1%
5. News/Media — 65.9%
6. Security Companies — 63.0%
7. International Tech — 59.5%
8. SMBs/Retail — 56.5%
Dutch government leads by a wide margin with 100% SPF, DMARC, and DNSSEC adoption across all 10 agencies scanned. Universities come in second with 100% email authentication.
Dutch government domains are a global benchmark for DNS security, scoring 20+ points above the average.
Surprising Findings
Several results challenged our expectations:
**Security companies average only 63%.** The companies selling security products don't always practice what they preach. One well-known antivirus vendor scored F (44%). Only 50% of security companies have DNSSEC enabled.
**Cloud giants score F.** AWS (42%), Azure (35%), and Google Cloud (39%) all scored F on their subdomain endpoints. These subdomains have zero email authentication configured, which is technically correct (they don't send email from those subdomains) but still reflects poor hygiene.
**Universities outperform tech companies.** Dutch universities average 71.7% vs international tech at 59.5%. Every university had full SPF, DKIM, and DMARC configured with 80% DNSSEC adoption.
**Only 37% have strict enforcement.** Despite 85% having all three authentication protocols, fewer than half actually enforce them strictly enough to prevent spoofing.
Top 10 and Bottom 10
**Best performing domains:**
1. overheid.nl — A (92%)
2. mijnoverheid.nl — A (90%)
3. cbs.nl — B (88%)
4. rijksoverheid.nl — B (88%)
5. kvk.nl — B (87%)
6. belastingdienst.nl — B (86%)
7. duo.nl — B (86%)
8. rivm.nl — B (85%)
9. uwv.nl — B (85%)
10. kpn.com — B (84%)

**Lowest scoring domains:**
1. buienradar.nl — F (34%)
2. azure.microsoft.com — F (35%)
3. cloud.google.com — F (39%)
4. aws.amazon.com — F (42%)
5. ovhcloud.com — F (43%)
The top 9 are all Dutch government agencies, confirming the Netherlands' position as a global leader in public sector DNS security.
What This Means for You
If you manage a domain, these findings suggest clear action items:
**Quick wins (implement this week):**
- Check your DMARC policy — if it's p=none, upgrade to p=quarantine or p=reject
- Switch SPF from ~all to -all for strict enforcement
- Enable DKIM if you haven't already (most email providers support it)

**Medium-term (this month):**
- Configure MTA-STS to enforce TLS on incoming email
- Enable DNSSEC if your TLD and registrar support it
- Set up BIMI for brand visibility in email clients
**Start now:** Scan your domain at https://intodns.ai to get your security grade and a prioritized list of fixes. It's free, takes 3 seconds, and requires no signup.