Does the Web Use DNSSEC and Email Authentication? Scanning TopM Domains (www.pwndefend.com)

A recent analysis of one million domains revealed striking statistics about the adoption of DNSSEC and email authentication protocols. Conducted using PowerShell and the Majestic Million dataset, the survey found that only about 7% of domains employ DNSSEC, primarily driven by a few country registries. In contrast, email authentication is far more prevalent: approximately 85% of mail-enabled domains implement SPF, but only 57% use DMARC, with over half of those set to a non-enforcing policy. MTA-STS remains virtually unused at just 1%. This landscape highlights a significant disparity—although email authentication mechanisms are broadly adopted, their effectiveness is limited by inadequate enforcement. The study underscores the critical implications for the cybersecurity landscape, where the low DNSSEC adoption raises concerns about domain spoofing and tampering. The findings suggest that while inexpensive and easily reversible controls like SPF are widely used, more complex systems that require operational commitment, such as enforced DMARC and DNSSEC, lag significantly behind. This presents a nuanced view of the modern web’s security architecture, emphasizing that current layers—such as TLS and HSTS—often mitigate the threats DNSSEC aims to address, illustrating a conscious choice by many domain operators to prioritize convenience and compatibility over potential security benefits.