Some stats on SPF, DomainKeys and DKIM

I'm taking a quick timeout from my series on explaining Sender Authentication to post some quick stats on authentication.  I took an 8-hour snapshot of our logs to collect some statistics.  I started tracking how often senders use SPF, DomainKeys and DKIM (I will go into DomainKeys and DKIM in a future post):

Of those domains that sign their mail with DKIM:

- 94% also sign with DomainKeys
- 81% also "sign" with SPF

I know that Google signs with DomainKeys and DKIM, but they also sign with SPF (ie, they can be authenticated).  The fact that there is about 19% that don't have SPF suggests that there is someone else out there other than Google signing with DKIM (because my SPF stats include SPF Neutral, which Google falls back to).

Of those domains that sign their mail with DomainKeys:

- 23% also sign with DKIM
- 62% also sign with SPF

The big discrepancy in the DKIM/DomainKeys stat is that Yahoo signs with DomainKeys only, while Google signs with both.  The uniqueness of not signing with SPF is probably mostly accounted for by Yahoo, since Yahoo does not publish SPF records.

Next, of those domains that pass an SPF check (we'll exclude SPF Neutral, Hard and Soft Fails):

- 9% sign with DomainKeys
- 3% sign with DKIM

 Finally, of those domains that have no SPF records:

- 0.6% sign with DomainKeys
- 0.07% sign with DKIM

Again, this is only a snapshot of our own logs, and it would probably be different for consumer mail than it is for us in the enterprise space, but these stats are interesting.

Skip to main content