Why the average domain scores just 21/100

DMARCER continuously scans millions of domains for the full set of email-security controls and scores each out of 100. The headline finding is stark: the average domain scores around 21 out of 100. Most of the internet is wide open to having its email forged.

It’s not that nobody tries – it’s that nobody finishes

Plenty of domains have some SPF or a DMARC record. The problem is they stall: SPF that’s drifted over the lookup limit, DMARC stuck on p=none, no DKIM on key senders, and transport security (MTA-STS, TLS-RPT) almost entirely absent. Each gap costs points – and leaves a door open.

The biggest single lever: enforcement

The largest score jump comes from moving DMARC from monitoring to enforcement – p=quarantine or p=reject. It’s also the step most domains never take, usually out of fear of blocking legitimate mail. Done with evidence, it’s safe – and it’s where the protection actually lives.

Why context matters

A score is far more persuasive next to a peer average. “You score 48” is abstract; “you score 48, where the average firm in your sector scores 71” is a reason to act. That’s why DMARCER benchmarks every domain against its industry and country – explore it in the industry benchmark.