The DNS provider hosting your domain's records shapes your DMARC posture before you publish a single record. In DMARCeye's Q1 2026 industry report, Cloudflare hosts roughly a quarter of all monitored domains and clears 99.08% authentication compliance; Azure DNS, by contrast, holds 1.17% of identified domains and lands at 87.66% - the only major DNS provider below the report's 93% "watch" line. The spread across the top 10 named providers is wide enough to be worth understanding.
This article unpacks one view from the Q1 2026 report: the top 10 DNS providers by market share and authentication compliance. Numbers reflect outcomes across the several thousand domains DMARCeye actively monitors. The picture for the broader, unmonitored domain space is almost certainly different, and likely worse.
DMARC lives in DNS. When a receiving mail server checks whether a message claiming to come from example.com is authentic, it queries DNS for _dmarc.example.com and reads the policy out of a TXT record. Whoever runs that DNS is the DNS provider, i.e., the company that answers the query when someone asks "what's the DMARC policy for this domain?" Common providers include Cloudflare, GoDaddy, Amazon's AWS Route 53, and Microsoft's Azure DNS.
A note on terminology. Your DNS provider isn't always the same company you bought your domain from (your registrar). Many small businesses leave DNS hosted at the registrar by default (GoDaddy is both a registrar and a DNS provider, for instance). Others actively move DNS to a dedicated provider like Cloudflare or AWS Route 53 for performance or feature reasons. The distinction is important for DMARC because every authentication record (SPF, DKIM, DMARC) lives at the DNS layer, and the operator who chose where to host DNS is usually the same operator who set up those records.
Not sure which provider you're on? The free DNS checker from DMARCeye tells you in seconds, along with what email authentication records your domain has published.
The Q1 2026 industry report measured authentication compliance across the top 10 DNS providers, ranked by share of all monitored domains where a provider could be identified. Compliance here is the percentage of messages from each provider's domains that pass DMARC authentication, weighted by email volume.
| DNS Provider | Domain Share | Compliance |
|---|---|---|
| Cloudflare | 25.54% | 99.08% |
| GoDaddy | 9.36% | 96.13% |
| Google Cloud DNS | 6.28% | 96.96% |
| AWS Route 53 | 5.35% | 99.51% |
| Namecheap | 5.23% | 99.35% |
| IONOS | 2.63% | 96.99% |
| OVH DNS | 1.40% | 96.39% |
| Azure DNS | 1.17% | 87.66% |
| Host-H | 1.14% | 97.53% |
| Porkbun | 1.13% | 98.48% |
| All other providers | 40.77% | 97.80% |
Three groups stand out in the data:
The "all other providers" row covers 40.77% of identified domains at 97.80% compliance. The named providers cover the other ~60%, and they're where the spread is wide enough to be worth discussing.
Azure DNS is the only major provider in the dataset below the report's 93% "watch" line. Why? Here are some possible reasons (not proven in our data):
None of these is testable from the chart alone. They are patterns we see across customer setups, not findings from the dataset. If your domain is on Azure DNS, the compliance number that matters is yours, not the average.
The DNS-provider view is most actionable for two reader roles:
If you're an agency or IT service provider managing DNS across many client domains, the provider table is a planning input. AWS Route 53 and Cloudflare both clear 99% compliance in the dataset; the registrar defaults bundled with many domains (GoDaddy, IONOS) cluster around 96%. The 3-point spread is the difference between "almost all messages pass" and "one in 25 doesn't." For clients on p=reject, this gap has direct deliverability cost. Choosing where DNS lives across a client portfolio is a deliverability decision, not only an infrastructure one.
If you're in enterprise IT writing DNS-hosting governance, Azure DNS landing at 87.66% doesn't mean Azure DNS is broken. It means Azure DNS is concentrated in environments where mail infrastructure is more complex than the DNS setup suggests. The fix isn't "move off Azure"; it's recognizing that complex mail environments need more authentication scrutiny, not less. Treat the dataset average as a floor to compare your own setup against, rather than a benchmark of what's possible.
Either way, the compliance rate you actually care about is yours, not the aggregate. Start by checking what DMARC record is currently published for your domain.
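The TXT lookup for _dmarc.example.com described earlier returns strings like the ones below. This added example (not DMARCeye's code) selects and parses the record along the lines of RFC 7489 and flags weak settings. The sample records, function names and finding texts are constructed for illustration.

```python
import re

ORDER = {"none": 0, "quarantine": 1, "reject": 2}  # weakest to strictest

def select_record(txt_records):
    """Pick the DMARC record from the TXT answers for _dmarc.<domain>.
    RFC 7489 s6.6.3: strings not starting with v=DMARC1 are discarded, and
    zero or several remaining records mean no policy is applied."""
    hits = [r.strip() for r in txt_records
            if re.match(r"v\s*=\s*DMARC1\s*(;|$)", r.strip())]
    return hits[0] if len(hits) == 1 else None

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict (first occurrence wins)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def evaluate(txt_records):
    """Return the effective policy plus findings worth acting on."""
    record = select_record(txt_records)
    if record is None:
        return {"policy": None, "findings": ["zero or multiple v=DMARC1 records"]}
    tags, findings = parse_tags(record), []
    policy = tags.get("p", "").lower()
    if policy not in ORDER:
        if "rua" not in tags:  # simplified: rua= syntax is not validated here
            return {"policy": None, "findings": ["no valid p= tag and no rua="]}
        policy = "none"  # RFC 7489: invalid p= with a rua= is treated as p=none
        findings.append("invalid p= tag, receivers fall back to p=none")
    sp = tags.get("sp", policy).lower()  # sp= defaults to the p= value
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    if policy == "none":
        findings.append("p=none requests no action on failing mail")
    if ORDER.get(sp, 0) < ORDER[policy]:
        findings.append(f"sp={sp} is weaker than p={policy} for subdomains")
    if pct < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports to measure compliance")
    return {"policy": policy, "sp": sp, "pct": pct, "findings": findings}

# Constructed sample TXT answers (not real lookups).
SAMPLES = {
    "strict": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "duplicate": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
    "partial": ["site-verification=abc", "v=DMARC1; p=quarantine; sp=none; pct=50"],
}
```

Feed `evaluate` the strings from `dig +short TXT _dmarc.example.com`, with the surrounding quotes removed.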
To see compliance broken down by sending source - which mail platforms are passing for your traffic and where authentication gaps appear - you need to process DMARC reports over time. DMARCeye's free plan covers one domain with full report parsing, enough to see whether your own compliance lands in the top tier, middle tier, or below the watch line.
The Q1 2026 data shows nearly a 12-point spread across the top 10 named providers, from AWS Route 53 at 99.51% to Azure DNS at 87.66%. That spread isn't because the underlying technology is meaningfully different. It's because DNS provider choice tracks operator intent: people who chose AWS Route 53 or Cloudflare over a registrar default tend to have also set up authentication carefully, and that care shows up in the compliance numbers.
If you're already running DMARC monitoring, this is context for your own numbers rather than a benchmark. DMARCeye parses your DMARC reports and tells you, for your specific domain, what's passing, what's failing, and what to fix next, without requiring you to interpret the raw XML yourself.