Research · June 2026
The State of Small-Business Email Authentication
We scanned the public DNS of 4,673 verified small businesses across 16 US and Canadian cities. Most of them have not finished setting up the records that decide whether their email reaches the inbox.
Data as of June 2026 · aggregate figures only, no firm named.
The finding, in one paragraph
Across 4,673 verified law, real estate, accounting, healthcare, and nonprofit firms in 16 US and Canadian cities, 54.8% have incomplete email authentication (missing SPF, DKIM, or MX; 95% CI ±1.4 points). The DMARC picture is worse on security: 47.8% have no DMARC record, another 32.7% have a record stuck at p=none (monitoring only), and only 19.4% are actually protected with quarantine or reject.
- 54.8%: incomplete email auth
- 47.8%: no DMARC record
- 32.7%: DMARC at p=none
- 19.4%: DMARC enforced
- 51.1%: missing DKIM
- 4,673: firms scanned
Key takeaways
- 54.8% of 4,673 verified local firms have incomplete email authentication (missing SPF, DKIM, or MX); 95% CI ±1.4 points.
- Only 19.4% have DMARC enforcement; 32.7% have a record stuck at p=none, monitoring with zero blocking.
- Local firms adopt DMARC at 52.2%, matching EasyDMARC's 52.1% for global top domains, but stall at p=none more often than mid-market Inc. 5000 firms.
- Real estate is worst on completeness (62.4%) and spoofing (89.6% unprotected); nonprofits lead on enforcement at 27.7%.
How many small firms have misconfigured email?
Just over half. In a June 2026 scan of 4,673 verified law, real estate, accounting, healthcare, and nonprofit firms across 16 US and Canadian cities, 54.8% had incomplete email authentication, meaning they were missing SPF, DKIM, or a mail-receiving MX record.
Email authentication has three parts. SPF lists who is allowed to send for your domain. DKIM signs your mail so the receiver can confirm it was not tampered with. DMARC ties the two together and tells receivers what to do when a message fails. Gmail and Microsoft now expect all of them, and a firm that is missing any one of these is what we count as incomplete.
I set up DMARC. Am I actually protected?
Usually not. 47.8% of firms had no DMARC record at all, 32.7% had a record stuck at p=none (monitoring only, zero enforcement), and only 19.4% had quarantine or reject turned on. Among firms that did publish DMARC, 62.7% never moved past p=none, the same "adoption ≠ protection" failure Valimail flags in enterprises, which reach only 42% enforcement despite 78% having a record.
[Figure: DMARC funnel with three stages labelled "Never started", "Zero protection", and "Quarantine or reject".]
p=none sends you reports but blocks nothing. Invoice fraud, fake-CEO mail, and phishing in your name still land in inboxes. It is a starting line, not a finish line, and most domains never move past it.
Valimail's 2026 enterprise report is titled "DMARC adoption does not mean DMARC protection." Our small-business sample shows the same failure mode. Among the 52.2% that published any DMARC record, 62.7% never moved past p=none, close to double the 32% of enterprise record-holders Valimail reports stuck at monitoring-only (their 25% at p=none against 78% with a record). SMBs start less often (47.8% have no record at all), but when they do start, they stall harder than even mid-market firms.
Is DKIM or DMARC the bigger problem?
DKIM, by a wide margin. 51.1% of firms had no DKIM record on any common selector, while the SPF gap was far smaller at 21%.
Most coverage of email security focuses on DMARC, but in this sample the biggest hole was DKIM: 51.1% of firms had no DKIM record at all on any of the 40 common selectors we checked. DKIM gets the least attention partly because it is the hardest of the three to measure. The only large-scale academic benchmark, Wang et al. (USENIX Security 2022), found just 37% of mail-receiving domains worldwide had DKIM. Our figure for verified local businesses sits just above that, which is where a more established population should land.
Which industries have the worst email setup?
Real estate. 62.4% of real estate firms had incomplete authentication, the worst of any industry we looked at, while nonprofits were the best at 39.9%. On spoofing, real estate also leads at 89.6% unprotected versus 72.3% for nonprofits.
| Industry | Incomplete | No DKIM | No SPF | No MX | Spoofable | Enforced | n |
|---|---|---|---|---|---|---|---|
| Real estate · worst | 62.4% ±4.1 | 56.2% | 31.7% | 15.8% | 89.6% | 10.4% | 537 |
| Healthcare | 61.7% ±2.7 | 59.2% | 24.2% | 12.4% | 83.1% | 16.9% | 1287 |
| Law | 55.5% ±2.7 | 53.1% | 16% | 6.5% | 80.3% | 19.6% | 1344 |
| Accounting | 51.2% ±3.5 | 46.3% | 17.9% | 6.8% | 78.2% | 21.8% | 776 |
| Nonprofits · best | 39.9% ±3.5 | 34.4% | 20% | 9.1% | 72.3% | 27.7% | 729 |
± shows the 95% Wilson confidence interval on each industry's incomplete rate. Vertical rollups (n in the hundreds) are firm; per-city-per-industry cells in the heatmap below are much wider.
DMARC maturity: stacked bars show enforced, p=none, and no record shares
The spread is wide on both axes: real estate at 62.4% incomplete and 89.6% spoofable versus nonprofits at 39.9% incomplete and 72.3% spoofable, a 17.3-point security gap on top of the completeness gap.
The column breakdown tells you why each industry lands where it does. DKIM is the dominant gap everywhere: in every single industry, the share missing DKIM is close to the share that is incomplete overall, so DKIM is almost always the record that is missing. Real estate is the only group that is also badly behind on SPF (31.7%) and on having a working mail server (15.8% with no MX), which is what pushes it to the bottom.
Which city and industry is worst for mine?
It varies locally. The worst single pocket we measured was Nashville, TN: Real estate at 80% incomplete (n=35). Every city had a different weakest vertical: Nashville real estate hit 80%, Boise law 72.5%, Sacramento healthcare 71.6%.
| City | Weakest vertical | Incomplete |
|---|---|---|
| Nashville, TN · highest | Real estate | 80% (n=35) |
| Halifax, NS | Real estate | 77.4% (n=31) |
| Minneapolis, MN | Real estate | 75.8% (n=33) |
| Winnipeg, MB | Real estate | 75.8% (n=33) |
| Boise, ID | Law | 72.5% (n=91) |
| Sacramento, CA | Healthcare | 71.6% (n=74) |
| Portland, OR | Law | 67.7% (n=99) |
| Tampa, FL | Healthcare | 67.1% (n=85) |
| Denver, CO | Real estate | 64.5% (n=31) |
| Richmond, VA | Healthcare | 63.9% (n=83) |
| Toronto, ON | Healthcare | 62.5% (n=96) |
| Austin, TX | Real estate | 61.8% (n=34) |
| Vancouver, BC | Real estate | 60.6% (n=33) |
| Ottawa, ON | Real estate | 57.9% (n=38) |
| Calgary, AB | Healthcare | 55% (n=60) |
| Montreal, QC | Law | 53.2% (n=79) |
Which cities have the worst email setup?
We scanned 16 cities, and US cities were consistently worse than Canadian ones on completeness, led by Nashville, TN at 64.3% incomplete. Portland, OR leads on DMARC enforcement at 23.2%; Vancouver, BC trails at 16%.
Here is every city we scanned, ranked from worst to best, with how many firms each total is built on.
| City | Country | Incomplete | No DKIM | Spoofable | Enforced | n |
|---|---|---|---|---|---|---|
| Nashville, TN · worst inc. | US | 64.3% | 58.5% | 80.1% | 19.9% | 272 |
| Tampa, FL | US | 63.5% | 58.1% | 84.2% | 15.5% | 310 |
| Boise, ID | US | 62.6% | 59.2% | 81.3% | 18.7% | 294 |
| Sacramento, CA | US | 60.6% | 58% | 79.9% | 20.1% | 274 |
| Minneapolis, MN | US | 58% | 55.7% | 80% | 20% | 300 |
| Portland, OR · best enf. | US | 56.2% | 53.3% | 76.8% | 23.2% | 315 |
| Winnipeg, MB | CA | 55.7% | 53.5% | 82.3% | 17.7% | 282 |
| Halifax, NS | CA | 55.2% | 51.7% | 80.2% | 19.8% | 232 |
| Richmond, VA | US | 52.8% | 49.6% | 79.5% | 20.5% | 254 |
| Denver, CO | US | 52.5% | 48.2% | 77.1% | 22.9% | 301 |
| Austin, TX | US | 52.3% | 48% | 78% | 22% | 300 |
| Toronto, ON | CA | 50.7% | 44.2% | 78.2% | 21.8% | 353 |
| Ottawa, ON | CA | 49.2% | 45.5% | 81.8% | 18.2% | 303 |
| Calgary, AB | CA | 48.9% | 45.4% | 80.5% | 19.5% | 262 |
| Montreal, QC | CA | 48.4% | 45.5% | 84.7% | 15.3% | 308 |
| Vancouver, BC · most complete · most p=none | CA | 48.2% | 45.4% | 84% | 16% | 313 |
The pattern splits two ways. On completeness, the 9 US cities take most of the worst spots, led by Nashville, TN at 64.3%. On enforcement, Portland, OR leads at 23.2% and Montreal, QC trails at 15.3%. Vancouver is the teaching example: it ranks best on completeness (51.8% fully configured) yet has the highest share stuck at p=none (41.2%) and only 16% enforced, proof that deliverability setup and spoofing protection are different problems.
Each mark is a city, numbered to match the table below. US cities are ink circles; Canadian cities are olive diamonds. Vancouver (red) sits high on completeness but low on enforcement: the paradox quadrant.
| # | City | Country | Complete | Enforced |
|---|---|---|---|---|
| 1 | Nashville | US | 34.9% | 19.9% |
| 2 | Tampa | US | 36.1% | 15.5% |
| 3 | Boise | US | 37.1% | 18.7% |
| 4 | Sacramento | US | 39.4% | 20.1% |
| 5 | Minneapolis | US | 42% | 20% |
| 6 | Portland | US | 43.5% | 23.2% |
| 7 | Winnipeg | CA | 44% | 17.7% |
| 8 | Halifax | CA | 44.8% | 19.8% |
| 9 | Richmond | US | 47.2% | 20.5% |
| 10 | Austin | US | 47.3% | 22% |
| 11 | Denver | US | 47.5% | 22.9% |
| 12 | Toronto | CA | 49.3% | 21.8% |
| 13 | Ottawa | CA | 50.8% | 18.2% |
| 14 | Calgary | CA | 50.8% | 19.5% |
| 15 | Montreal | CA | 51.6% | 15.3% |
| 16 | Vancouver · paradox | CA | 51.8% | 16% |
| City | Real estate | Healthcare | Law | Accounting | Nonprofits |
|---|---|---|---|---|---|
| Nashville US | 80 | 63.2 | 70.6 | 53.8 | 48.6 |
| Tampa US | 64.5 | 67.1 | 60.4 | 66.7 | 59.1 |
| Boise US | 65.9 | 66.7 | 72.5 | 55 | 36.6 |
| Sacramento US | 63 | 71.6 | 54.2 | 63.8 | 48.8 |
| Minneapolis US | 75.8 | 73.4 | 58.9 | 43.5 | 34.6 |
| Portland US | 52.8 | 64.2 | 67.7 | 50 | 26.7 |
| Winnipeg CA | 75.8 | 61.2 | 49.3 | 51.1 | 46 |
| Halifax CA | 77.4 | 61.1 | 50 | 51.3 | 36.8 |
| Richmond US | 50 | 63.9 | 44.6 | 58.1 | 37.1 |
| Denver US | 64.5 | 57.5 | 48.4 | 55.1 | 41.3 |
| Austin US | 61.8 | 56.3 | 55.4 | 41.5 | 43.9 |
| Toronto CA | 47.1 | 62.5 | 47.1 | 51 | 41.2 |
| Ottawa CA | 57.9 | 53.1 | 50 | 43.1 | 40.4 |
| Calgary CA | 54.3 | 55 | 54.5 | 55 | 17.1 |
| Montreal CA | 47.1 | 52.3 | 53.2 | 41.8 | 42.3 |
| Vancouver CA | 60.6 | 58.4 | 44.6 | 40 | 36.7 |
Heatmap: share of firms with incomplete authentication (%), by city and industry. Darker is worse. * = under 60 firms per cell.
See the worst industry per city table above for local danger zones; extremes across the full 80-cell matrix are concentrated in real estate and healthcare pockets with smaller samples (marked * in the heatmap).
Can these businesses even receive email?
Nearly one in ten cannot at their domain apex. 9.7% had no mail-receiving MX record, so contact-form replies and mail to info@ may bounce. Boise (13.9%) and Halifax (13.8%) led.
This is not a subtle deliverability nuance. Without a mail-receiving MX record at the domain apex, mail to you@yourfirm.com has nowhere to land. Contact-form notifications, quote requests, and client replies can bounce silently. Boise (13.9%) and Halifax (13.8%) led among the 16 cities. Across the full sample, missing MX was the smallest of the three completeness gaps (9.7%) but it is the most concrete: these domains literally cannot receive email.
Are US or Canadian firms better configured?
Canada is more complete but no safer from spoofing. Canadian firms were 7.4 points more complete (50.7% vs 58.1% incomplete), yet essentially tied on spoofability (81.7% vs 79.7%, a gap inside the margin of error). The real difference is at p=none: Canadians adopt DMARC more often but stall at monitoring-only more (36.1% vs 30% in the US).
Each row connects the US value to the Canada value. The widest gap is at p=none, where Canada stalls more; completeness favours Canada, while enforcement and spoofability are effectively tied.
| Measure | United States | Canada | Gap |
|---|---|---|---|
| Incomplete auth | 58.1% | 50.7% | 7.4% |
| No DMARC record | 49.6% | 45.6% | 4% |
| Stuck at p=none | 30% | 36.1% | 6.1% |
| DMARC enforced | 20.3% | 18.3% | 2% |
| Spoofable | 79.7% | 81.7% | 2% |
Canadians start the DMARC job more often (fewer with no record) but finish it less often: a higher share stall at p=none (36.1% vs 30% in the US). That is why Canada looks better on completeness yet no safer from spoofing (81.7% vs 79.7%, essentially tied, the difference inside the margin of error).
Could someone send fake email as one of these firms?
For most of them, yes. 80.5% had no DMARC enforcement, either no record (47.8%) or p=none (32.7%). Only 19.4% had quarantine or reject in place.
Spoofable is not one bucket; it is the sum of two stages in the funnel above: 47.8% with no DMARC record plus 32.7% with a record at p=none. Only 19.4% had quarantine or reject. Valimail has measured that domains left unenforced are spoofed about 3.93 times more often than protected ones.
The damage shows up as business email compromise, which the FBI's 2025 report ties to $3.05 billion in losses across 24,768 complaints. Real estate, the worst industry here at 89.6% unprotected, is also among the most targeted: redirected closing-fund wires alone accounted for $275.1 million across 12,368 complaints.
How do small firms compare to the biggest companies?
They adopt DMARC at about the same rate as the global top 1.8M (52.2% vs 52.1%) but enforce far less (19.4% vs ~80% for the Fortune 500). Among firms with any DMARC record, 62.7% of local SMBs never left p=none, close to double Valimail's 32% for enterprise record-holders, and worse than the mid-market Inc. 5000.
The right comparison is not "small business vs Fortune 500" in one jump. It is a maturity ladder: local firms sit at the same adoption tier as the global top 1.8M by traffic, but below every corporate cohort on enforcement, and they stall at p=none more often than mid-market Inc. 5000 firms.
| Population | DMARC record | Enforced | p=none (of all) | Source |
|---|---|---|---|---|
| Fortune 500 | 95% | ~80% | n/a | EasyDMARC 2026 |
| Valimail enterprise set | 78% | 42% | 25% | Valimail 2026 State of DMARC |
| Global top 1.8M domains | 52.1% | ~23% | n/a | EasyDMARC 2026 |
| Local SMBs (this study) · you are here | 52.2% | 19.4% | 32.7% | This study |
Every column is the share of all domains in that population, one denominator, so the tiers compare directly. Enforced = p=quarantine or p=reject. "n/a" means the source does not publish that figure. Enterprise and global rows from Valimail and EasyDMARC (2026); our row is the live study.
DKIM and SPF can be read against the academic baseline that Wang et al. (USENIX Security 2022) established for mail-receiving domains: we found 48.9% DKIM present (their 37%) and 79% SPF present (their 69.8%).
Small firms are not uniquely careless
The ladder shows why. Fortune 500 companies reached 95% DMARC adoption with about 80% at enforcement, backed by full IT teams and brand risk at scale. Valimail's enterprise set sits at 78% adoption and 42% enforcement. Your local accountant adopts at about the same rate as the global top 1.8M (52.1%), but only 19.4% enforce. Worse, 62.7% of those with a record never left p=none, close to double the 32% Valimail measures for enterprise record-holders.
The gap is not moral failure. It is that nobody set this up for them, and the industry has trained "add a DMARC record" as the finish line when p=none is only the starting line.
Why does this matter now?
Because since 2024, missing records can get your mail refused outright, not just sent to spam. Google and Yahoo began requiring authentication in February 2024, and Microsoft started rejecting non-compliant mail on May 5, 2025.
This stopped being cosmetic in 2024. Google and Yahoo began requiring SPF, DKIM, and DMARC for bulk senders in February 2024. Microsoft followed on May 5, 2025, rejecting non-compliant high-volume mail outright with a permanent "550 5.7.515" error. Google escalated again in November 2025, moving from quietly spam-foldering bad mail to refusing it. A firm with missing records is no longer just risking the spam folder: its mail can be turned away at the door.
How was this measured?
We queried public DNS directly for SPF, DKIM across 40 selectors, MX, and DMARC on 4,673 Google-verified independent firms in June 2026. No private data was touched, and no firm is ever named. Only 1 firm in 4,673 had an SPF record ending in +all.
Firms were drawn from Google Places (verified listings with a real website), five industries per city, with national franchises, hospital systems, and property-management chains excluded so the sample reflects independent local businesses. For each domain we queried public DNS directly for SPF (apex TXT), DKIM (40 common selectors), MX, and DMARC, using public resolvers with retries. One thing to keep in mind: because every firm here already keeps a live website, this is the digitally-present subset. Firms with no website at all are not in the sample and are almost certainly worse, so read these figures as a best case, not the floor.
A domain is counted as incomplete if it is missing SPF, missing DKIM on all 40 selectors, or missing a mail-receiving MX record. One caveat we state plainly: the DKIM figure is a lower bound on adoption. A firm publishing DKIM under an uncommon custom selector reads as "missing," so the true DKIM-present rate is at least what we report, which also makes the 54.8% incomplete headline an upper bound. This is the same constraint every DKIM study faces; Wang et al. used about 40 mined selectors and framed their result the same way. The MX gap has its own caveat: some domains with no MX are deliberate (send-only, parked, or with mail on a separate domain), so that share is an upper bound on truly unreachable firms. We also checked for SPF records ending in +all (wide open): exactly 1 firm in 4,673.
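The definitions used in this study (incomplete = missing SPF, DKIM on every probed selector, or a mail-receiving MX; spoofable = no DMARC record or a record at p=none) can be written as a small classifier over already-fetched DNS answers. This is an added example, not the study's scanner: the record layout, function names, sample domains and selector names are assumptions, and counting a null MX or an empty DKIM p= as missing is this example's reading of those definitions.

```python
ENFORCING = {"quarantine", "reject"}

def parse_tags(record):
    """Parse the 'name=value; name=value' tag list that DMARC and DKIM share."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip(), value.strip())
    return tags

def find_spf(apex_txt):
    """Return the apex TXT string that is an SPF record, or None."""
    return next((t for t in apex_txt if (t.lower() + " ").startswith("v=spf1 ")), None)

def dmarc_stage(dmarc_txt):
    """Map the TXT answers at _dmarc.<domain> to the three stages the study reports."""
    for txt in dmarc_txt:
        tags = parse_tags(txt)
        if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
            continue  # some other TXT record, not DMARC (v= must be the first tag)
        # Assumption: a missing or unrecognised p= counts as monitoring-only.
        return "enforced" if tags.get("p", "").lower() in ENFORCING else "p=none"
    return "no record"

def has_dkim(selector_txt):
    """True if any probed selector returns a key record with a non-empty p= tag."""
    return any(parse_tags(t).get("p") for txts in selector_txt.values() for t in txts)

def receives_mail(mx_hosts):
    """True if any MX target is a real host; a lone '.' is a null MX (RFC 7505)."""
    return any(host.rstrip(".") for host in mx_hosts)

def classify(rec):
    """Apply the study's 'incomplete' and 'spoofable' definitions to one domain."""
    spf = find_spf(rec["apex_txt"])
    checks = (("SPF", spf is not None), ("DKIM", has_dkim(rec["dkim"])),
              ("MX", receives_mail(rec["mx"])))
    missing = [name for name, ok in checks if not ok]
    stage = dmarc_stage(rec["dmarc_txt"])
    last_term = spf.lower().split()[-1] if spf else ""
    return {"incomplete": bool(missing), "missing": missing, "dmarc": stage,
            "spoofable": stage != "enforced",
            "spf_plus_all": last_term in ("+all", "all")}  # bare 'all' means '+all'

# Constructed DNS answers for hypothetical domains; selector names are illustrative.
SAMPLES = {
    "monitoring-only.example": {
        "apex_txt": ["v=spf1 include:_spf.mailhost.example ~all"], "mx": ["mx1.mailhost.example."],
        "dkim": {"selector1": ["v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"], "default": []},
        "dmarc_txt": ["v=DMARC1; p=none; rua=mailto:reports@monitoring-only.example"],
    },
    "website-only.example": {
        "apex_txt": ["site-verification=constructed"], "mx": ["."],
        "dkim": {"selector1": [], "default": []}, "dmarc_txt": [],
    },
    "enforced.example": {
        "apex_txt": ["v=spf1 ip4:192.0.2.10 -all"], "mx": ["mail.enforced.example."],
        "dkim": {"default": ["k=rsa; p=CONSTRUCTEDKEY"]}, "dmarc_txt": ["v=DMARC1; p=reject"],
    },
}

for domain, rec in SAMPLES.items():
    print(domain, classify(rec))
```

The first sample reproduces the pattern the report describes for Vancouver: every completeness check passes, yet the domain is still counted as spoofable because its DMARC policy is p=none.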
Where we report a rate we also report its uncertainty. The headline 54.8% incomplete carries a 95% Wilson confidence interval of about ±1.4 points, and each industry rollup shows its own interval in the table above. The per-city-per-industry cells in the heatmap rest on as few as ~31 firms, so their intervals are far wider; we mark those with an asterisk and lean on the larger rollups for any firm claim.
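As an added example (not the study's code), the Wilson interval can be recomputed from the rates and sample sizes printed on this page and used to check which gaps the data can actually separate. The function names are this example's own, and the US and Canada totals are the sums of the per-city n column.

```python
from math import sqrt

Z95 = 1.96  # two-sided 95% normal quantile

def wilson(p_hat, n, z=Z95):
    """Wilson score interval (low, high) for an observed proportion p_hat on n firms."""
    denom = 1 + z * z / n
    centre = (p_hat + z * z / (2 * n)) / denom
    half = z * sqrt(p_hat * (1 - p_hat) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half

def half_width_points(p_hat, n):
    """Half-width of the interval in percentage points, rounded to one decimal."""
    low, high = wilson(p_hat, n)
    return round((high - low) / 2 * 100, 1)

def intervals_overlap(a, b):
    """True if two (p_hat, n) groups have overlapping 95% Wilson intervals.

    This is a conservative screen: non-overlap implies a difference at this
    level, while overlap does not prove the two groups are equal.
    """
    (a_low, a_high), (b_low, b_high) = wilson(*a), wilson(*b)
    return a_low <= b_high and b_low <= a_high

# Rates and sample sizes as reported on this page. Country totals are the sums
# of the per-city n column: US 2,620 and Canada 2,053.
HEADLINE = (0.548, 4673)               # incomplete, all firms
REAL_ESTATE = (0.624, 537)             # incomplete, industry rollup
NASHVILLE_REAL_ESTATE = (0.80, 35)     # incomplete, one heatmap cell
US_SPOOFABLE, CA_SPOOFABLE = (0.797, 2620), (0.817, 2053)
US_INCOMPLETE, CA_INCOMPLETE = (0.581, 2620), (0.507, 2053)

print("headline ±", half_width_points(*HEADLINE))
print("real estate rollup ±", half_width_points(*REAL_ESTATE))
print("Nashville real estate cell ±", half_width_points(*NASHVILLE_REAL_ESTATE))
print("US/CA spoofable overlap:", intervals_overlap(US_SPOOFABLE, CA_SPOOFABLE))
print("US/CA incomplete overlap:", intervals_overlap(US_INCOMPLETE, CA_INCOMPLETE))
```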
Exploratory signals, not conclusions
A couple of smaller patterns are worth a follow-up but are too small to call findings. We note them so the data is honest about its edges, and we leave them out of the headline numbers.
- In Halifax, solo bookkeepers were less complete than credentialed CPA firms: 47.6% of bookkeepers vs 30% of CPA firms had incomplete authentication (roughly 20 to 40 firms).
- In Calgary, real estate lagged nonprofits specifically on SPF: 20% of real estate firms had no SPF record vs 0% of nonprofits (roughly 25 firms each).
Can I reuse this data?
Yes, freely, with credit. The aggregate figures are published under a Creative Commons BY 4.0 license, and the full dataset is downloadable as JSON.
APA: Bora, V. (2026). The State of Small-Business Email Authentication. Does My Email Work. https://doesmyemail.work/research/state-of-small-business-email-usa-canada-june-2026/
Download the data (aggregate only: every figure is a per country, city, and industry count with its sample size, and no firm is ever named): JSON · CSV. Licensed CC BY 4.0.
Cite it in one line: A 2026 field study of 4,673 small-business domains across 16 US and Canadian cities found 80.5% could be spoofed and only 19.4% had DMARC at enforcement (Does My Email Work, doesmyemail.work/research/state-of-small-business-email-usa-canada-june-2026).
References
- Wang et al., "A Large-scale and Longitudinal Measurement Study of DKIM Deployment," USENIX Security 2022. usenix.org
- Valimail, "2026 State of DMARC Report" (Feb 2026). valimail.com
- EasyDMARC, "2026 DMARC Adoption & Enforcement Report" (Mar 2026). easydmarc.com
- RFC 7489, DMARC (Murray Kucherawy & Elizabeth Zwicky, IETF). rfc-editor.org
- FBI Internet Crime Complaint Center, "2025 Internet Crime Report". ic3.gov
- Google, "Email sender guidelines." support.google.com · Microsoft, "Outlook high-volume sender requirements." techcommunity.microsoft.com
p=none policy guides (secondary)
- Google Workspace Admin Help, "Set up DMARC". support.google.com/a/answer/2466580
- DMARC.org FAQ, "Does p=none affect delivery?". dmarc.org/wiki/FAQ#Does_DMARC_.E2.80.9Cp.3Dnone.E2.80.9D_affect_the_way_my_emails_get_delivered.3F
- Valimail, "DMARC implementation guide". www.valimail.com/resources/guides/dmarc/
Aggregate figures only; individual firms are never named. Study by Valentin Bora, June 2026.