The state of email authentication, July 2026
Month two: DMARC holds at 64% of mail-eligible domains, MTA-STS and BIMI each grew about 2% on a same-domain basis, and DANE fell for the first time. The entire DANE decline traces to one provider deleting its TLSA records.
This is the second reading in our monthly measurement of the four standards-track email-security protocols across Cloudflare Radar’s top 1 million domains: DMARC, BIMI, DANE-for-SMTP, and MTA-STS. Last month was the baseline. This month, as promised, the deltas.
The headline: DMARC holds at 64% of mail-eligible domains, MTA-STS and BIMI each grew about 2% among domains present in both months (more on that basis below), and DANE went down. That last one surprised me until I traced it. The entire net decline comes from a single provider, Migadu, which removed the TLSA records for its whole customer fleet sometime in June. Take Migadu out and DANE grew too.
That’s the theme of this month’s data: adoption of these protocols moves in provider-sized blocks, not domain-sized ones. One provider deleting two DNS records erased more DANE coverage than 488 individual domains gained. One retailer’s email team turned on MTA-STS for eleven country domains in a single change. The tide is rising, but it rises in blocks.
The July numbers
Of the 716,528 mail-eligible domains in the July top 1M (up from 706,530 in June):
| protocol | June | July | Δ | % of mail-eligible |
|---|---|---|---|---|
| DMARC valid record | 451,176 | 459,510 | +8,334 | 64.1% |
DMARC at p=reject (strictest) |
95,994 | 96,333 | +339 | 13.4% |
| DANE (≥1 MX has TLSA) | 30,261 | 29,280 | -981 | 4.1% |
| BIMI valid record | 16,943 | 17,263 | +320 | 2.4% |
| BIMI with Verified Mark Certificate | 6,103 | 6,219 | +116 | 0.9% |
| MTA-STS valid policy | 8,062 | 8,104 | +42 | 1.1% |
Read those raw deltas with care, though, because the population underneath them moved.
Comparing months honestly
Cloudflare Radar’s top 1M is a living list. Between our June and July runs about a quarter of it turned over: only 737,983 domains appear in both months. That much churn sounds alarming for a measurement study, so before trusting any delta we checked what it actually is.
Radar’s list isn’t a roster of Cloudflare customers, and it isn’t a fixed ranking from 1 to a million. It’s the set of domains with the most 1.1.1.1 DNS traffic over the trailing week, rebuilt weekly, with everything below the top few hundred thousand sitting in one large unordered bucket. A domain hovering near the millionth position flickers in and out from week to week without changing a thing about itself.
The data backs that up cleanly. 48,225 domains dropped off the list in June and returned in July, and across that round trip 98.5% kept the exact same mail provider. Domains that leave switch providers no more often than domains that stay, well under 1% either way. So leaving the top 1M is a change in relative popularity, not a provider migration: nobody moved their mail, Radar’s weekly traffic estimate for them just dipped under the line for a month. This is a known property of short-window popularity lists, and it’s why the Tranco list exists.
A raw month-over-month delta therefore mixes two very different things: domains actually changing their DNS, and the list swapping roughly 262,000 low-traffic tail domains for a similar 262,000. So for every protocol we also compute the same-domain view: among the 737,983 domains present in both months, who actually gained or lost the protocol?
| protocol | gained | lost | net (same domains) | monthly growth |
|---|---|---|---|---|
| DMARC valid | 3,350 | 1,068 | +2,282 | +0.6% |
DMARC enforcing (quarantine+reject) |
2,883 | 851 | +2,032 | +1.1% |
| BIMI valid | 382 | 36 | +346 | +2.3% |
| MTA-STS valid policy | 264 | 101 | +163 | +2.2% |
| DANE | 488 | 737 | -249 | -1.5% |
Monthly growth is measured on the cleanest fixed-denominator series we have: the 539,714 domains that were mail-eligible in both months.
This same-domain view isn’t just tidier, it’s necessary for two of the protocols. The churning tail is mostly real small businesses, but they carry MTA-STS and BIMI at roughly a third the rate of the stable core, so the raw list totals for those two drift with list composition as much as with real adoption. DANE and DMARC adoption is essentially flat between the churn and the core, so their raw numbers are trustworthy either way. Reporting on the intersection removes the composition effect for all four.
Each row here reconciles exactly: June’s count for the same metric, minus adopters that dropped off the list, plus adopters that arrived on it, plus these same-domain flips, equals July’s count to the domain. All five check out.
MTA-STS and BIMI growing better than 2% in a month is roughly 30% a year if it holds, and toward the end of this post we compound these rates out to ask when each protocol would actually reach full adoption. DANE fell 1.5%, and that story deserves its own section.
DANE: one provider turned it off
Migadu, a Swiss email host popular with the indie and small-business crowd, carried 656 DANE-covered domains in June’s provider table, sixth place overall. In July it carries effectively zero.
The mechanism is visible in the data. Of the 737 same-domain DANE losses this month, 510 were Migadu customers. In July, 507 of those 510 still have the exact same Migadu MX records (aspmx1.migadu.com, aspmx2.migadu.com). The customers didn’t leave. The TLSA records are simply gone: a clean, quorum-confirmed empty answer (at least two resolvers, in different regions and from different providers, agreeing), not a lookup failure. A live check against Migadu’s own nameservers confirms it. The zone is still DNSSEC-signed, the MX hosts still resolve, and _25._tcp.aspmx1.migadu.com returns nothing.
The whole fleet had pinned one shared certificate hash (a single DANE-EE 3 1 1 record on each MX host), so this was one provider decision, executed in one place, and 500-plus domains lost their inbound TLS guarantee overnight. None of those domain owners did anything. Most of them presumably don’t know.
Remove the Migadu losses and the same-domain DANE picture flips from minus 249 to comfortably positive: on the fixed denominator, DANE would have grown 0.8% instead of shrinking 1.5%.
The gains side tells the same provider-block story from the other direction. Of the 488 same-domain DANE gains, 466 changed their MX records between runs, meaning they moved to a host that ships DANE by default: 265 to Cloudflare Email Routing, 29 to Proton, 18 to Cloudflare’s Area 1 gateway (the Financial Times is one, keeping its p=reject and BIMI in the process), and 11 to Microsoft’s newer mx.microsoft endpoints. Only a couple of dozen domains published TLSA records on MX hosts they already had, which is the thing you’d call deliberate, owner-initiated DANE adoption. A Danish municipality (sonderborg.dk) and the Dutch environmental group Milieudefensie are in that small club this month.
My favorite illustration of the dynamic: 62 of the DANE gains are one operator’s fleet of streaming-piracy clone domains that moved their MX from mail.ru to a tiny forwarding host that publishes TLSA for everyone. The pirates now have better inbound mail security than most banks. They almost certainly have no idea.
Those 11 mx.microsoft gains deserve a note. Last month we pointed out that the hyperscaler stack doesn’t ship DANE, except on Microsoft’s newer MX scheme. This month Henkel and Partners Group both moved onto it, and both now ship DMARC at p=reject, MTA-STS, and DANE simultaneously. Eleven domains is a trickle, but it’s the crack in the two-ecosystems wall we described in June.
MTA-STS: quiet growth, one loud rollout
| June | July | Δ | |
|---|---|---|---|
Has _mta-sts TXT (any) |
35,924 | 35,234 | -690 |
Valid TXT (v=STSv1 + id=) |
9,753 | 9,820 | +67 |
| Policy reachable (HTTPS 200 + valid TLS) | 8,100 | 8,144 | +44 |
| Valid policy file | 8,062 | 8,104 | +42 |
→ enforce |
4,504 (55.9%) | 4,543 (56.1%) | +39 |
→ testing |
3,432 (42.6%) | 3,438 (42.4%) | +6 |
The top-row dip is the churning list, not a wave of removals: among domains present in both months, valid TXT records grew by a net 221 (244 gained, 23 lost).
The same-domain view of valid policies: 264 gains against 101 losses. Of the gains, 213 are genuinely new (no STS record at all in June). The most recognizable new names: Qualcomm, Broadcom, Fraunhofer, Serco (straight to enforce), AVM (the FRITZ!Box maker), the New Zealand Defence Force, and a steady drip of UK councils.
The single biggest block is a retailer: the ALDI Süd group turned on MTA-STS across eleven of its domains at once (aldi.co.uk, aldi.us, aldi.com.au, aldi-sued.de, hofer.at, and six more), all on their existing Trend Micro gateway, all in testing mode. One email team, one change window, eleven domains. Provider-sized blocks again, just driven by the customer this time.
Among domains that held a valid policy in both months, 76 moved from testing to enforce and only 10 went the other way. That nearly 8-to-1 ratio is the healthiest signal in this protocol’s data: people who deploy MTA-STS in testing mode do graduate.
Honesty requires dwelling on the 101 losses, because most of them aren’t what they look like. 45 are our own measurement failing, not the domain regressing: their policy host was unreachable from every one of our vantage points during the run window, so we can’t claim they lost anything (they’re flagged and excluded from the denominator, per our June methodology note). The interesting bucket is the 24 domains whose policy server now returns HTTP 403. That’s usually a WAF or CDN rule newly blocking the /.well-known/ path. Zapier is the most recognizable case: its TXT record is untouched, its TLS is fine, and its policy file now serves 403 to the world. A sending MTA can’t fetch that policy any more than we can. If you front your mta-sts host with a CDN, this is the failure mode to alert on. Beyond those: 17 domains deleted the TXT record outright (the only unambiguous abandonments), and Ural Airlines’ policy file went 404 on both of its domains.
External anchor, unchanged from June: uriports’ yearly survey remains the closest published MTA-STS number. We validate the TXT record more strictly, so we report fewer “enabled” domains and more valid policies, and nothing this month changes that comparison.
DMARC: the tide keeps coming in
The raw policy mix moved up across the board:
| policy | June | July | Δ |
|---|---|---|---|
p=none (monitoring only) |
243,465 | 249,750 | +6,285 |
p=quarantine |
111,717 | 113,427 | +1,710 |
p=reject (strictest) |
95,994 | 96,333 | +339 |
DMARC’s same-domain movement is the largest of any protocol, and it points one way. Among domains with a valid record in both months:
| transition | domains |
|---|---|
none → quarantine |
1,398 |
none → reject |
554 |
quarantine → reject |
536 |
quarantine → none |
305 |
reject → none |
154 |
reject → quarantine |
108 |
2,488 domains tightened policy; 567 loosened. A 4.4-to-1 ratio, spread across every provider roughly in proportion to its size, which means this is ecosystem-wide drift rather than any single vendor pushing a button.
Names worth noting: AXA went straight from none to reject, as did NYU, Memorial Sloan Kettering, and Indiana University’s whole domain family. Four UN agencies (UNEP, UN-Habitat, UNODC, UNOG) published enforcing records in a coordinated block, two at reject and two at quarantine. And in the small-world department, quad9.net showed up with its first DMARC record in our data. Quad9 is the filtering resolver we deliberately exclude from our measurement pool. Good to see them on the other side of the data.
BIMI: the brands arrive
BIMI added 382 same-domain publishers against just 36 losses, and the new cohort is noticeably more blue-chip than the base: Cisco, Cartier and Van Cleef & Arpels (a coordinated Richemont pair), Nordea, Generali across three of its domains, Santander’s Openbank, weather.com, Elgato, UNESCO, and the Australian Football League. Most of the recognizable names bought the Verified Mark Certificate too, which is the part that actually gets a logo rendered in Gmail and Yahoo. The VMC share among all publishers held at 36%.
The caveat from June still applies in full: BIMI is a sender-side brand signal that companies publish on whatever domain they send branded mail from, which is often not the mailbox domain we measure. Our count is a publishing count on this population, and it undercounts organizations whose brand domain sits elsewhere. See the June post for the long version.
If these rates held
One month of change is enough to ask a fun question: if each protocol kept growing at exactly this month’s rate, when would it reach every mail-eligible domain? Take the same-domain growth rates from above, compound them forward, and this is what falls out.
| protocol | now | monthly | annualized | years to 100% | that’s roughly |
|---|---|---|---|---|---|
| DMARC valid | 66.6% | +0.6% | +8% | ~5 | 2032 |
| DMARC enforcing | 32.6% | +1.1% | +15% | ~8 | 2035 |
| BIMI | 2.9% | +2.3% | +31% | ~13 | 2040 |
| MTA-STS | 1.3% | +2.2% | +30% | ~16 | 2043 |
| DANE (as measured) | 4.1% | -1.5% | -16% | never | n/a |
| DANE (excluding Migadu) | 4.2% | +0.8% | +10% | ~34 | 2061 |
The percentages here are shares of the 539,714 domains mail-eligible in both months. Two things jump out. DMARC is the only protocol on a timeline a working operator would care about: full valid-record coverage around 2032, and even the strict-enforcement subset (p=reject or p=quarantine) by the mid-2030s. And MTA-STS and BIMI, despite growing fast in percentage terms, are starting from so close to zero that a constant 30% a year still takes them into the 2040s.
Now the honesty, because a table like this is easy to over-read. Real adoption doesn’t compound at a constant rate. It follows an S-curve: slow, then fast through the middle, then a long slow crawl through the last holdouts who have no one pushing them. So the near-term numbers (DMARC by the early 2030s) are the trustworthy end, and the far-term ones (DANE in 2061) are really just a way of saying “at this rate, not in any timeframe worth planning around.” BIMI in particular will never actually reach 100% of mail-eligible domains, because most domains don’t send branded mail and have no reason to publish it; treat its line as “if the current pace continued,” not as a real ceiling. And DANE’s headline rate is negative only because of the one Migadu event: the underlying trend, with that removed, is a slow climb. The single honest takeaway: DMARC is on a path to ubiquity this decade, and the inbound-transport protocols (MTA-STS, DANE) are not, unless the hyperscalers change what they ship by default.
What this means if you run mail
If your DANE comes from your provider, monitor it. Five hundred Migadu customers lost DANE last month without touching anything and, in most cases, without knowing. Provider defaults giveth and provider defaults taketh away. A cron job that runs dig TLSA _25._tcp.<your-mx> and alerts on empty is twenty minutes of work.
If you publish MTA-STS behind a CDN or WAF, alert on policy fetchability. Two dozen domains, Zapier among them, are currently publishing a TXT record that points at a policy file the world can’t read. Fetch your own https://mta-sts.<domain>/.well-known/mta-sts.txt from outside your network, on a schedule.
If you’ve been sitting in testing mode, check your logs and graduate. 76 domains moved testing to enforce this month. The failure reports either show problems or they don’t, and after a few clean months the answer is enforce.
How we measured this
Methodology is unchanged from June, and the June post has the full detail: 30 small VMs across 30 regions on every populated continent, every DNS answer confirmed by a two-of-N quorum across different regions and different resolver providers, only unfiltered resolvers in the pool, the whole run paced over two hours.
Coverage this month: 1,298 of 716,528 mail-eligible domains (0.18%) couldn’t be measured for MTA-STS because their policy hosts were unreachable from every vantage point; they’re excluded from that denominator rather than counted as non-adopters. The four DNS-based protocols had zero unmeasurable domains. And the month-over-month accounting reconciles exactly: for each protocol’s adopter count, June’s total minus list-departures plus list-arrivals plus same-domain flips equals July’s total, to the domain.
What’s next
The August reading lands in early August. Two things we’ll be watching: whether Migadu’s TLSA records come back (we’ve seen no announcement either way), and whether the mx.microsoft DANE trickle keeps growing. With a third data point we can start replacing this month’s single-rate extrapolation with an actual trend line. If you run mail for a domain in the top million, you’re in this dataset. The deltas are where the story is, and they compound.