Two vendors sign more than half of all the mail in our Q1 2026 dataset. Klaviyo's signature appears on 30.5% of the email we could trace to a vendor. Amazon SES shows up on another 27.9%. That's 58.4% from two vendors. Everyone else, including SendGrid, Google, Mailchimp, Microsoft, Mailgun, SparkPost, Yotpo, HubSpot, Mailjet, and the long tail of customer-specific signing domains, splits the rest. If you send marketing or transactional email for your business, the odds are good that your messages travel through one of these pipes, and how those vendors handle authentication shapes whether your real mail lands in inboxes or spam.
This article unpacks the vendor-concentration finding from DMARCeye's Q1 2026 industry report. The full report, with all 12 chart views and methodology, is below.
We grouped each message by who handled it. Every outgoing email carries a digital signature from the vendor that sent it. Mail signed by klaviyomail.com came from Klaviyo. Mail signed by mcsv.net came from Mailchimp. Here are the top 12, plus a catch-all bucket for brands using their own signing domains, smaller regional vendors, and in-house mail systems:
Two things. First, this is a steep distribution. The top 2 sign 58%; the next 9 vendors combined sign about 17%. Second, the "Other" bucket at 24.3% is mostly customer-controlled signing domains, which means a meaningful slice of mail is being signed by domains the receiver can't roll up to a brand. DKIM grouping by signature works for the big-name vendors but blurs everything in the long tail, where domains sign with their own custom names.
The Q1 data shows the concentration; it doesn't tell us why any specific brand picks Klaviyo or Amazon SES. Treat the patterns below as informed guesses, not findings:
The numbers reflect Q1 2026 volume signed through DKIM-identifiable domains. Any one brand's mix will look different from the average.
Inside these numbers, there's a more useful pattern: most vendors reach 99% DMARC compliance not by passing both SPF and DKIM, but by leaning on DKIM to do the work when SPF stumbles.
Mailchimp is the cleanest example: their SPF fails 89.2% of the time, yet their DMARC pass rate is still 98.9%. DKIM picks up the slack. At the other end, Mailgun's DKIM fails 22.9% of the time, which drags total compliance down to 77%. When DKIM struggles, nothing else compensates.
If you send through any of these vendors, DKIM is doing most of the work. Your SPF record probably isn't aligned to the sending IP for a meaningful share of your outbound, and you may not have noticed because DKIM saves the message.
If your real mail is leaning on DKIM to pass authentication, the obvious next question is whether DKIM is actually set up correctly for your domain. Type your domain below and the check will look up your published DKIM record and tell you what it finds.
If your marketing email goes through Klaviyo, your transactional through SES (or both), and you've never explicitly authenticated those services for your domain, do a basic check:
klaviyomail.com and Amazon SES signs with their own domain. Both can be set up to sign with your domain instead, and this is what makes DMARC pass. If the signature stays on the vendor's domain, your mail fails DMARC for that sender.The fix itself is small: vendor docs walk you through the SPF and DKIM steps, and most vendors publish copy-paste instructions. The harder problem is knowing which services are sending mail as you in the first place. DMARCeye's free plan covers one domain and shows you every service signing as you, in your aggregate reports, week by week. Two to four weeks of data is usually enough to spot the senders you forgot about.
If you're in the 24% "Other" bucket, you probably set up your own DKIM signing or use a smaller regional email vendor. The top-vendor concentration story doesn't apply directly, but the underlying lesson does: DMARC aggregate reports are the only way to see what's actually being sent in your name. The first time you read a real report from a domain you thought you understood, expect to find at least one sender you'd forgotten about, and at least one configured wrong.
Our complete DMARC implementation guide covers the full process from "no record" to enforced policy. Google and Yahoo's February 2024 sender rules add additional context for senders above 5,000 messages per day.
Two vendors carry most of the mail in our Q1 2026 dataset. If you send marketing or transactional email, the odds are good your messages flow through one of them. And whichever vendors you use, your authentication is probably leaning on DKIM while SPF stumbles along. None of this is fatal: DMARC compliance can be high while SPF fails most of the time, because DKIM survives where SPF doesn't. But "high compliance" hides "I have no idea what my domain is doing." The path out is the same path it always was: read your reports, document your senders, fix the unauthenticated ones.