We graded 200 YC W26 companies on email security – only 23% got an A

wraps.dev · stewartjarod · 12 days ago · view on HN · research
# We Graded 200 YC W26 Companies on Email Security

- 23% got an A: full auth triad, enforcing
- 70% have no DMARC enforcement: the domain can be spoofed
- 51% are missing records: graded C, D, or F
- 12% have zero auth: no SPF, DKIM, or DMARC

## How we graded

No curve. No bonus points. Either you have SPF, DKIM, and DMARC configured and enforcing, or you don't.

| Grade | What it means |
|---|---|
| A | SPF + DKIM + DMARC enforcing (quarantine or reject) |
| B | All three records present, but DMARC not enforcing (policy=none) |
| C | Missing one of the three core records |
| D | Missing two of the three core records |
| F | Missing all three, or critical failure like SPF +all |

## The results

200 domains scanned, 6 days after Demo Day. These companies are actively emailing investors, customers, and partners.

| Grade | Companies | Share | Meaning |
|---|---|---|---|
| A | 45 | 23% | SPF + DKIM + DMARC enforcing |
| B | 54 | 27% | All present, not enforcing |
| C | 38 | 19% | Missing one record |
| D | 40 | 20% | Missing two records |
| F | 23 | 12% | No auth or critical failure |

### 89% use Google Workspace

Google makes DKIM and DMARC setup easy. A few clicks in the Admin console, two DNS records, done. Most just never turned it on.

## DMARC policy breakdown

DMARC tells receiving servers what to do with emails that fail authentication. Without it, or with policy=none, spoofed emails get delivered like normal.

| Policy | Count | % |
|---|---|---|
| No DMARC record | 75 | 38% |
| p=none (monitor only) | 64 | 32% |
| p=quarantine | 45 | 23% |
| p=reject (full enforcement) | 16 | 8% |

Related: "Your DMARC Policy is Useless": why policy=none provides zero protection, and how to get to reject.

## So what?

Without DMARC enforcement, a spoofed email from your domain won't get blocked by the receiving server. It might still land in spam depending on the provider's own heuristics, but there's no policy telling it to reject. That's the gap.

The less obvious cost is to your own deliverability. Google and Yahoo now factor DMARC, DKIM, and SPF into inbox placement decisions. A domain with no enforcement doesn't just fail to block spoofing. It also makes your real emails look less trustworthy.

## Check your grade

Free and open source. Same grading system used in this audit.

    npx mail-audit yourdomain.com

## Methodology

- Tool: npx mail-audit (open source, public DNS queries only)
- Source: YC W26 batch via ycombinator.com and extruct.ai (200 domains)
- Date: March 30, 2026 (6 days after Demo Day)
- Grading: Auth triad-based. A = all 3 + DMARC enforcing. B = all 3 present. C = missing 1. D = missing 2. F = missing all.
- Flags: --quick --skip-blacklists --skip-tls for batch speed. Full audits check additional signals.
- Valid results: 200/200 (100%)
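The grading rubric and the DMARC policy breakdown above are both a function of three DNS TXT records. The following is an added example, not the mail-audit tool's own code: it takes the SPF, DKIM and DMARC records for a domain as plain strings (a constructed sample batch with placeholder domains and a fake DKIM key is embedded, so nothing is queried), assigns the A-F grade by the table's rules, buckets the DMARC policy the way the breakdown table does, and tallies a batch. Assumptions not on the page: a DKIM record counts as present when it carries a non-empty p= tag, a DMARC record that exists but has no p= tag is put in an extra "invalid" bucket, and a bare `all` SPF mechanism is treated like `+all` (RFC 7208 defaults the qualifier to pass).

```python
"""Grade a domain's email authentication with the audit's A-F rubric.

Added example, not the mail-audit tool's own code. Records are supplied as
plain TXT strings so this runs offline; a live check would fetch them from
DNS (apex TXT for SPF, <selector>._domainkey.<domain> for DKIM,
_dmarc.<domain> for DMARC), e.g. with dnspython's dns.resolver.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AuthRecords:
    """TXT records for one domain; None means the lookup returned nothing."""
    spf: Optional[str]    # apex TXT beginning "v=spf1"
    dkim: Optional[str]   # selector TXT carrying the public key in p=
    dmarc: Optional[str]  # _dmarc TXT beginning "v=DMARC1"


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' style record (DMARC, DKIM) into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_has_plus_all(spf: str) -> bool:
    """True if the record contains +all (or a bare 'all', which RFC 7208
    treats as +all): every sender passes, so SPF protects nothing."""
    return any(term.lower() in ("+all", "all") for term in spf.split())


def dmarc_policy(dmarc: Optional[str]) -> Optional[str]:
    """p= tag of a DMARC record, lowercased. None when there is no usable
    record; 'missing' (an assumption of this example) when the record
    exists but has no p= tag."""
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        return None
    return parse_tags(dmarc).get("p", "missing").lower()


def policy_bucket(dmarc: Optional[str]) -> str:
    """Bucket used in the post's DMARC policy breakdown table."""
    policy = dmarc_policy(dmarc)
    buckets = {
        None: "No DMARC record",
        "none": "p=none (monitor only)",
        "quarantine": "p=quarantine",
        "reject": "p=reject (full enforcement)",
    }
    return buckets.get(policy, "invalid (no usable p= tag)")


def grade(rec: AuthRecords) -> str:
    """Apply the rubric: A/B need all three records, C/D count missing
    ones, F is nothing at all or a critical failure such as SPF +all."""
    spf_ok = bool(rec.spf) and rec.spf.lower().startswith("v=spf1")
    dkim_ok = bool(rec.dkim) and bool(parse_tags(rec.dkim).get("p"))
    policy = dmarc_policy(rec.dmarc)
    dmarc_ok = policy is not None

    if spf_ok and spf_has_plus_all(rec.spf):
        return "F"  # critical failure: SPF present but lets anyone send
    missing = 3 - sum((spf_ok, dkim_ok, dmarc_ok))
    if missing == 3:
        return "F"
    if missing == 2:
        return "D"
    if missing == 1:
        return "C"
    return "A" if policy in ("quarantine", "reject") else "B"


def grade_batch(batch: Dict[str, AuthRecords]) -> Dict[str, int]:
    """Count grades across a batch, as the post's results table does."""
    return dict(Counter(grade(rec) for rec in batch.values()))


# Constructed sample batch: placeholder domains and a fake DKIM key,
# not the audited YC domains.
FAKE_DKIM = "v=DKIM1; k=rsa; p=FAKEPUBLICKEYBASE64"
GOOGLE_SPF = "v=spf1 include:_spf.google.com ~all"
SAMPLE = {
    "a.example": AuthRecords(GOOGLE_SPF, FAKE_DKIM,
                             "v=DMARC1; p=reject; rua=mailto:dmarc@a.example"),
    "b.example": AuthRecords(GOOGLE_SPF, FAKE_DKIM,
                             "v=DMARC1; p=none; rua=mailto:dmarc@b.example"),
    "c.example": AuthRecords(GOOGLE_SPF, FAKE_DKIM, None),
    "d.example": AuthRecords(GOOGLE_SPF, None, None),
    "f1.example": AuthRecords(None, None, None),
    "f2.example": AuthRecords("v=spf1 ip4:203.0.113.0/24 +all",  # +all
                              FAKE_DKIM, "v=DMARC1; p=quarantine"),
}

if __name__ == "__main__":
    for domain, rec in SAMPLE.items():
        print(f"{domain:12} {grade(rec)}  {policy_bucket(rec.dmarc)}")
    print(grade_batch(SAMPLE))
```

Note that f2.example has all three records and even a quarantine policy, yet grades F: the `+all` check runs before the record count, matching the rubric's "critical failure" clause. Swapping the constructed strings for live lookups is the only change needed to run this against a real domain.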