The email service provider your company uses to send newsletters, transactional receipts, and marketing campaigns can affect whether those emails pass DMARC authentication. DMARCeye's Q1 2026 industry report measured DMARC compliance across the top 10 email platforms by sending volume in our dataset. The spread between the highest and lowest rates we observed is over 22 percentage points, ranging from 99.9% to 77.2%.
This article unpacks the ESP compliance findings from DMARCeye's Q1 2026 industry report. Numbers reflect outcomes across the several thousand domains DMARCeye actively monitors and combine the effects of platform configuration, customer setup, and message type. The full report and methodology are linked below.
DMARC compliance measures whether an email passes at least one of two authentication mechanisms - SPF or DKIM - and whether that passing mechanism aligns with the domain in the From address. Both can pass, but DMARC only requires one. This distinction matters because some ESPs in our data show near-perfect compliance even when SPF does not pass for most of their messages. Their DKIM implementation handles authentication on its own.
You configure the DNS records, but the ESP and its customers together shape the delivery setup - servers, IP pools, signing keys, and which domain is used for the bounce address.
The platform's defaults and the customer's configuration both contribute to the compliance numbers we observe.
The DMARCeye Q1 2026 industry report ranked the top 10 email service providers by DMARC compliance rate, measured across several thousand monitored domains. The results are below, broken down by SPF and DKIM fail rates:
| ESP | Compliance | SPF Fail Rate | DKIM Fail Rate |
|---|---|---|---|
| Bird.com | 99.9% | 12.2% | 0.4% |
| Amazon | 99.8% | 3.5% | 0.5% |
| Mailjet | 99.8% | 39.1% | 0.2% |
| SendGrid | 99.7% | 0.6% | 0.5% |
| Sendinblue (Brevo) | 99.5% | 93.1% | 0.5% |
| Mailchimp | 98.9% | 89.2% | 1.3% |
| 95.8% | 26.5% | 11.1% | |
| Microsoft | 90.0% | 26.6% | 19.6% |
| Proofpoint | 78.1% | 38.9% | 26.3% |
| Mailgun | 77.2% | 24.0% | 22.9% |
The top four platforms in our dataset (Bird.com, Amazon, Mailjet, SendGrid) all exceed 99.5% compliance. At this level, authentication failures are rare. SendGrid is the only platform where both SPF and DKIM pass rates exceed 99%.
The middle of the table shows a different pattern. Sendinblue (Brevo) and Mailchimp report SPF fail rates above 89%, but their overall compliance still exceeds 98%. DKIM appears to handle authentication on its own for most of their messages in our data.
Google and Microsoft - two platforms many companies use for everyday work email - sit at 95.8% and 90.0%. Proofpoint and Mailgun appear at the bottom of the list at 78.1% and 77.2%. Read on for more information about why we might be seeing these numbers.
Sendinblue (Brevo) shows the widest split in the dataset: a 93.1% SPF fail rate paired with a 0.5% DKIM fail rate, producing 99.5% overall compliance. Mailchimp follows the same pattern, with 89.2% SPF failure, 1.3% DKIM failure, and 98.9% compliance. In both cases, DKIM appears to handle the authentication outcome on its own.
SPF tends to struggle with how marketing ESPs deliver email. SPF checks whether the sending server's IP address is listed in the sender's DNS record. Marketing ESPs typically send from large, shared IP pools that change over time. Keeping an SPF record current across dozens of sending IPs is difficult, and SPF has a hard limit of 10 DNS lookups per check. Domains using multiple services can exceed this limit, which causes the check to fail. Customer-side configuration choices, such as which domain is used for the bounce address, also affect whether SPF aligns for DMARC purposes.
DKIM does not have these limitations. DKIM attaches a cryptographic signature to the email itself. The signature travels with the message regardless of which server delivered it. When DKIM signing is set up well, the signature stays verifiable across forwarding, relay, and infrastructure changes.
The practical takeaway: when evaluating an ESP, look at whether it supports DKIM signing with your domain's key. Based on what we see in the data, SPF alone is often not enough to carry DMARC compliance for ESP-sent email.
The four lowest-ranked ESPs in our dataset can be split into two groups with different patterns.
Google (95.8%) and Microsoft (90.0%) handle most everyday work email. Their compliance rates in our data are lower than the dedicated marketing ESPs at the top of the table. Marketing ESPs typically send structured campaigns where authentication is configured once and applied across every message. Google Workspace and Microsoft 365 customers also send forwarded messages, calendar invites, shared mailbox traffic, and automated notifications alongside regular email. Each of those can follow a different authentication path and adds to the sending sources behind a domain. Microsoft's DKIM fail rate in our data is 19.6%, the third highest in this top-10 group.
Proofpoint (78.1%) and Mailgun (77.2%) appear at the bottom of the list. Unlike Sendinblue (Brevo) and Mailchimp, these platforms show fail rates in the double digits for both SPF and DKIM in our dataset. Proofpoint's DKIM fail rate of 26.3% is the highest among the top 10 ESPs we measured, and its SPF fail rate is 38.9%. When neither mechanism produces a DMARC pass for a given message, the message will not be DMARC compliant.
As the Q1 report itself notes, low compliance on a major ESP is almost always a configuration problem on the sender side, not a flaw with the provider itself. Customers haven't added the right DKIM keys to their DNS, their sending infrastructure has outgrown the SPF record, or a forgotten tool is signing with the wrong selector. This is also where the chart can mislead a casual reader who treats 77.2% as a verdict on Mailgun rather than a window into what customers are doing with it.
Compliance numbers also reflect the customer mix DMARCeye monitors and may differ from each platform's overall customer base.
If you manage email infrastructure for clients or for a large organization, this data is one input for your ESP selection. The compliance rate you experience will depend on your own configuration, not on the dataset average. Here are useful questions to ask any platform you are considering:
DKIM signing with your domain's key, or does it only sign with its own domain?DKIM enabled by default for new customers, or does it require manual configuration?SPF pass/fail, DKIM pass/fail) for your traffic?DKIM signing?The 22-point spread between the highest and lowest rates in the dataset is the difference between nearly every email reaching the inbox authenticated and roughly one in four messages not producing a DMARC pass. For domains at p=quarantine or p=reject, that has direct deliverability implications.
The ESP averages above are dataset-wide. Your domain's compliance depends on your specific configuration - how you set up SPF and DKIM, which ESP plans you use, and whether you send from shared or dedicated infrastructure. The rates you see for your own traffic may be very different from the averages above. You can check what your domain's DMARC record looks like right now:
To see compliance broken down by sending source - which ESPs are passing for your traffic and where authentication gaps appear - you need to monitor your DMARC reports over time. DMARCeye's free plan covers one domain with up to 5,000 emails per month and includes full report parsing, enough to see compliance by source and identify where to focus your authentication work.
DMARC compliance is not a DNS-only decision. The email service provider delivering your messages, together with how that platform is configured for your domain, contributes to whether SPF and DKIM produce a pass on the receiving end. The 22-point spread we observed between the highest and lowest rates in the dataset is wide enough that the choice and configuration of an ESP can be a meaningful factor in deliverability.
If you are evaluating ESPs, look at whether they support DKIM signing with your domain. If you are already sending, watch how your own traffic performs in DMARC reports. DMARCeye parses those reports and shows compliance by sending source, so you can see which platforms are passing for your domain and where to focus next.