Research
A position snapshot of the full Majestic Million across three layers: DNSSEC signing, email authentication (SPF / DMARC / MTA-STS), and DANE. This is the scorecard: what is deployed, on how many domains, and how it’s distributed by rank and TLD. Remember that the Majestic Million list is a bit old, so a chunk of the domains no longer resolve, but the data gives a good thematic view.
The scorecard
| Control | Adoption | Base |
|---|---|---|
| DNSSEC signed | 6.75% | all domains (8.21% of those that resolve) |
| SPF | 85.3% | mail-enabled domains |
| DMARC published | 57.1% | mail-enabled domains |
| DMARC enforced (quarantine/reject) | ~26% | mail-enabled domains |
| MTA-STS | 1.1% | mail-enabled domains |
| DANE (any) | 0.73% | all domains (10.9% of signed domains) |
| • SMTP DANE | 0.71% | all domains (10.5% of signed domains) |
| • Web DANE | 0.06% | all domains (0.9% of signed domains) |
Scope: 1,000,000 domains scanned; ~82% resolved; 641,945 (64.2%) run mail; 67,462 (6.75%) are DNSSEC-signed.
DNSSEC — signing
67,462 of 1,000,000 domains (6.75%) are signed; 8.21% of the resolvable subset. Adoption rises with rank — 17.9% of the top 1,000 versus 6.5% across the long tail — and is split sharply by TLD.
| Highest (TLD) | Signed | Largest but lowest (TLD) | Signed |
|---|---|---|---|
| .dk (Denmark) | 61.2% | .com | 4.6% |
| .cz (Czechia) | 58.3% | .org | 5.9% |
| .nl (Netherlands) | 56.9% | .net | 4.3% |
| .se / .no (Nordics) | 41–43% | .uk | 3.7% |
| .gov (US) | 40.2% | .cn | 0.5% |
.com is roughly half the list and sits at 4.6%, which sets the global average.
Email authentication
Measured on the 641,945 mail-enabled domains (null MX excluded):
| Control | Domains | % of mail domains |
|---|---|---|
| SPF | 547,720 | 85.3% |
| DMARC (published) | 366,325 | 57.1% |
| DMARC (enforcing) | ~167,000 | ~26% |
| MTA-STS | 7,138 | 1.1% |
Policy posture: of domains publishing DMARC, 54.7% are at p=none (monitoring only); the remaining ~45% enforce (quarantine or reject) — about 26% of all mail domains. SPF strength splits 54.8% softfail (~all) to 38.8% hardfail (-all).
Distribution: SPF is flat across TLDs (~70–95% everywhere) and across rank. DMARC enforcement runs from 71% of the top 1,000 mail domains to 24% in the long tail. DMARC publication by TLD is led by .nl (78.5%), .au (75.9%) and .ca (69.8%); lowest at .cn (23.8%) and .ru (33.1%).
DANE
Measured across the 67,462 signed domains (DANE is only meaningful on a signed zone):
| DANE | Domains | % of signed | % of all |
|---|---|---|---|
| Any DANE | 7,342 | 10.9% | 0.73% |
| SMTP DANE (_25._tcp) | 7,056 | 10.5% | 0.71% |
| Web DANE (_443._tcp) | 593 | 0.9% | 0.06% |
Distribution: DANE is the one control whose share rises down the rankings — 6.2% of signed domains in the top 1,000 to 11.1% in the long tail. By TLD (share of signed domains carrying DANE): .dk 34%, .se 25%, .nl 24%, .ch 24%, .de 23%, .cz 17%. Web DANE records exist on 593 domains but are not consumed by mainstream browsers.
The funnel
DNS-LAYER (signing -> DANE)
- 1,000,000 domains scanned
  - 67,462 DNSSEC-signed (6.75%)
    - 7,342 also do DANE (10.9% of signed -> 0.73% of all)
      - 7,056 SMTP DANE
      - 593 Web DANE

MAIL-LAYER (authentication)
- 641,945 mail-enabled domains (64.2%)
  - 547,720 SPF (85.3%)
  - 366,325 DMARC published (57.1%)
    - ~167,000 DMARC enforcing (~26%)
  - 7,138 MTA-STS (1.1%)
Caveats
- Presence, not full validation. We detect that records exist (RRSIG / SPF / DMARC / TLSA); we don’t verify TLS certs match TLSA records, fetch MTA-STS HTTPS policies, or re-walk every chain of trust. True working figures are at or below those shown.
- Snapshot in time — DNS configurations change.
- DKIM not measured — selectors can’t be enumerated from DNS.
- TLD = last label, so .uk aggregates co.uk, gov.uk, etc.
- ~18% of domains didn’t resolve (dead/parked); DNSSEC rates are also quoted against the resolvable subset where noted.
Methodology: PowerShell 7, multi-threaded DNS lookups across Cloudflare, Google and Quad9 over the full Majestic Million (~4 million queries), plus a purpose-built raw DNS client (UDP + EDNS0, TCP fallback) for TLSA records, which Resolve-DnsName cannot query.
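The methodology mentions a raw DNS client for TLSA lookups. As an added illustration (written in Python rather than PowerShell, and not the author's client), the block below shows the wire format such a client has to handle: a TLSA question with an EDNS0 OPT record carrying the DO bit, the truncation check that triggers the TCP fallback, and parsing of TLSA RDATA. The function names, the query name and the sample reply are constructed for this example.

```python
import struct
TLSA, OPT = 52, 41  # RR type codes: TLSA (RFC 6698), EDNS0 OPT (RFC 6891)

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_tlsa_query(name, qid=0x1234, udp_size=1232):
    """Build a UDP query for TLSA with an EDNS0 OPT record that sets the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", TLSA, 1)  # QTYPE=TLSA, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL carries flags (DO=0x8000), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0x00008000, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer is two bytes and ends the name
            return off + 2
        off += n + 1

def parse_tlsa_response(msg):
    """Return (rcode, ad_flag, [(usage, selector, mtype, hex_data), ...])."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x0200:  # TC set: the answer did not fit in UDP
        raise ValueError("truncated response, repeat the query over TCP")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    records = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == TLSA and rdlen > 3:  # RRSIGs and CNAMEs in the answer are skipped
            records.append((rdata[0], rdata[1], rdata[2], rdata[3:].hex()))
    return flags & 0x000F, bool(flags & 0x0020), records

# Constructed sample reply (not captured traffic): one "3 1 1" TLSA record, AD bit set.
QNAME = "_25._tcp.mail.example.com"
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0) + encode_name(QNAME)
                + struct.pack("!HH", TLSA, 1) + b"\xc0\x0c"
                + struct.pack("!HHIH", TLSA, 1, 300, 35) + bytes([3, 1, 1]) + bytes(range(32)))
```

A record parsed this way only shows that TLSA data is published, which matches the "presence, not full validation" caveat above.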
Summary
Ok, that’s the LLM part out of the way. I’ll add more to this topic at a later point in time, but wanted to share the snapshot view now that DANE has been added. The TLDR is: this subject is complex. DNS and Email Security is not an on or off affair; it’s not an ‘insecure or secure’ thing. As before, this is a quick snapshot; it’s not ‘perfect’ and it’s not an entire view of the internet. It’s to help with understanding the themes.
