4.8% of domains have broken SPF records

across 5.5M domains scanned, 4.8% have SPF records with lookup errors

- exceeding the 10-mechanism limit
- circular includes
- syntax errors
- or void lookups

that's roughly 149,000 domains with SPF records that actively fail evaluation

their email authentication is worse than having no SPF at all, because a permerror result is treated differently than a "none" result by receiving MTAs

https://dmarcguard.io/tools/spf-checker/

#DMARC #SPF

Don't let sunburn ruin your beach day ☀️ This one trick saved my skin (and my vacation!) 🏖️✨

Read more: https://flip.it/HAdpBv

#lifestyle #beauty #beautytips #skincare #summer #summertips #healthyskin #spf #sunscreen

We analyzed DMARC report emails from the last 3 days across nearly 3,500 reporting organisations. Looking only at organisations that sent a substantial volume of reports during that period, just 9 were fully RFC compliant (GMX, WEB.DE & mail.com), while most major reporting organisations had at least one compliance issue.

The most common problems were surprisingly basic: missing required fields like "version", "envelope_from", and SPF "scope", invalid attachment filenames and media types, empty "<sp/>" elements, and invalid values like "sampled_out", "unknown", "hardfail", and even "Pass" with a capital P.

Some large providers scored well but still had edge case issues. Comcast, Microsoft, and Fastmail were close, but not perfect.

Others performed far worse. Yahoo, Google, Amazon SES, and Mimecast all generated large volumes of non-compliant reports.

At DMARC scale, small XML mistakes create real interoperability problems. They break parsers, cause data loss, and force receiving platforms to build endless workarounds.

We’ve already contacted several organisations and shared examples of the issues we found. The goal is better interoperability across the email ecosystem. Until then, DMARC platforms like URIports will keep doing their unofficial second job: translating creative interpretations of the RFC into something that actually parses 😄

More details: https://www.uriports.com/blog/dmarc-reports-ietf-rfc-compliance/

#DMARC #EmailSecurity #EmailAuthentication #SPF #DKIM #CyberSecurity #RFC7489 #URIports

SPF has a 10-lookup limit

RFC 7208 Section 4.6.4 is clear: SPF evaluation must not exceed 10 DNS mechanisms that cause lookups

exceed it and the result is permerror

meaning your SPF record is effectively invalid

every SaaS tool you authorize (Mailchimp, Salesforce, Zendesk) adds includes

the fix: flatten your record

replace nested includes with the resolved IP ranges

but those IPs change, so you need ongoing monitoring.

https://dmarcguard.io/tools/spf-flattener/

#DMARC #SPF

Кто на чём шлёт и принимает почту: измеряем email-инфраструктуру 660 тысяч доменов из Tranco top-1M

Анализ DNS-снэпшота OpenINTEL за 2026-01-01 TL;DR. Используя ежедневные DNS-снэпшоты OpenINTEL поверх списка Tranco top-1M, мы собрали ландшафт email-инфраструктуры публичного веба на 1 января 2026 года. MX-записи опубликовали 660 114 доменов, SPF — 616 352, DMARC — 431 133. Дуополия Google Workspace (21.7%) + Microsoft 365 (16.3%) занимает суммарно ~38% receiving-стороны — заметно меньше, чем принято считать в популярных обзорах. На outbound-стороне Amazon SES вышел вперёд по числу авторизованных доменов (5.86%), обогнав SendGrid (4.66%). DMARC опубликован у двух третей SPF-доменов, но 19% всех DMARC-записей — это пустая v=DMARC1; p=none; без отчётов: формальная галочка, а не защита.

https://habr.com/ru/articles/1030770/

#email #DMARC #SPF #MX #OpenINTEL #Tranco #deliverability #emailаутентификация #DNSаналитика #ESP