Fun with data: DMARC at top 100 MBP domains

I've got just a tiny slice of data for you today. I took the top 100 (US) mailbox provider domains, as measured by mail sent to them, and looked for DMARC records. Do they have a DMARC record? And if so, what is the DMARC policy?

Things look good from this angle. Seventy of those top 100 domains do indeed have some sort of DMARC policy in place. Of those that have a DMARC policy in place, just over 60% of those domains have a restrictive (p=quarantine or p=reject policy).

This is particularly timely given that Gmail's upcoming requirements say you should not impersonate (send as) in your from address. Based on how internet service providers (ISPs) and mailbox providers (MBPs) are moving to respect DMARC policy, that restriction also applies to a good two-thirds of the top MBP domains. Remember: Your from address should only contain a domain owned by you (with proper authentication in place), and not a domain owned by a webmail provider. That was a common way to configure things once upon a time, but it will work no more.

A few interesting facts from the DMARC data:

  • is set to p=none today (though they warn that "quarantine" is coming), but the alternate Gmail domain of is already set to p=quarantine. Perhaps because it is less used and was easier to vet as far as how far and wide it was being used in from addresses?
  • As far as the other top providers go, Microsoft's on the DMARC bandwagon, but only mildly. All of their domains are p=none for now. Yahoo leads the way with a p=reject policy, and AT&T ... hasn't published anything. Boo.
  • Apple domains have a DMARC policy of p=quarantine, and Comcast is currently at p=none.

What will this look like in 3-4 months? I suspect changes will come.

Post a Comment