By the numbers: DMARC and BIMI adoption in June 2023

Let's have some fun with numbers, shall we? Why don't we take a list of the top ten million domains (found various places online) and scan the DNS for each of them to look for DMARC records? Good thinking, because that's exactly what I just did!

Here's what I found.

Of the top ten million domains, about 1.1 million (11%) of them have published a DMARC record. I suspect good growth over time here, but I don't really have backward looking data to compare it to. We'll see how this grows over time.

Looking at the mix of DMARC policies being published, I see that about 61.5% publish "p=none," 20.5% publish "p=quarantine," and the remainder (about 18%) publish a "p=reject" policy. has tracked similar data -- though not the same data set, but compared to theirs, I'm seeing that a higher percentage of domains publishing a strong (aka "reject" or "quarantine") policy -- about 38.5% of the DMARC-using domains that I've checked, versus about 31.5% according to's data. Does this imply growth of strong DMARC policies? It's hard to say as the numbers aren't apples to apples, but it's at least a positive potential indicator.

Moving over to BIMI, the numbers are a lot smaller. Just under 14,000 of the top ten million domains publish a BIMI record, which is about .14% of domains queried. Should you consider this number small and underwhelming? I don't. Considering that the idea of BIMI was first announced in 2019 and the BIMI spec was only first shared as an IETF draft that same year, it seems impressive to me to think that the owners of nearly 14,000 domains have implemented a new technology so quickly.

While the BIMI spec initially touched on the verified mark certificate (VMC), it wasn't common for initial BIMI adopters to implement a VMC. Today, of the domains that have implemented BIMI, about 10.7% of them have implemented this certificate. I expect that will grow, thanks to Gmail and Apple both requiring VMC for their BIMI support.

There are limitations to my methodology -- I didn't try hard to invalidate incorrectly formatted DMARC or BIMI records, intermittent DNS issues might have lost a result or two along the way, I don't exactly know how accurate any list of "top ten million domains" truly is, and even if it is accurate as far as web traffic, that isn't the same as ranking by email volume sent or received. But, I hope this data will be a useful directional indicator of DMARC and BIMI growth over time.

While getting my hands dirty parsing and rolling up the data, I did notice quite a few broken DMARC and BIMI records. I'll try to highlight some of the common failures seen in a follow-up post. In the meantime, I remind you to always verify your DMARC or BIMI record to ensure that online tools can confirm that you've got it right.

Please feel free to share and/or republish this data, but please credit and link back to Spam Resource.

Post a Comment