We Graded 200 YC W26 Companies on Email Security. Only 23% Got an A.


23% got an A: full auth triad enforcing

70% have no DMARC enforcement: domain can be spoofed

51% are missing records: graded C, D, or F

12% have zero auth: no SPF, DKIM, or DMARC

How we graded

No curve. No bonus points. Either you have SPF, DKIM, and DMARC configured and enforcing, or you don't.

The results

200 domains scanned. 6 days after Demo Day. These companies are actively emailing investors, customers, and partners.

A: 45 companies (23%). SPF + DKIM + DMARC enforcing.

B: 54 companies (27%). All present, not enforcing.

C: 38 companies (19%). Missing one record.

D: 40 companies (20%). Missing two records.

F: 23 companies (12%). No auth or critical failure.

89% use Google Workspace

Google makes DKIM and DMARC setup easy. A few clicks in the Admin console, two DNS records, done.

Most just never turned it on.

DMARC policy breakdown

DMARC tells receiving servers what to do with emails that fail authentication. Without it, or with a p=none (monitor-only) policy, spoofed emails get delivered like normal.

Your DMARC Policy is Useless

Why policy=none provides zero protection, and how to get to reject.

So what?

Without DMARC enforcement, a spoofed email from your domain won't get blocked by the receiving server. It might still land in spam depending on the provider's own heuristics, but there's no policy telling it to reject. That's the gap.

The less obvious cost is to your own deliverability. Google and Yahoo now factor DMARC, DKIM, and SPF into inbox placement decisions. A domain with no enforcement doesn't just fail to block spoofing. It also makes your real emails look less trustworthy.

Check your grade

Free and open source. Same grading system used in this audit.

Methodology

Tool: npx mail-audit (open source, public DNS queries only)

Source: YC W26 batch via ycombinator.com and extruct.ai (200 domains)

Date: March 30, 2026 (6 days after Demo Day)

Grading: Auth triad-based. A = all 3 + DMARC enforcing. B = all 3 present. C = missing 1. D = missing 2. F = missing all.

Flags: --quick --skip-blacklists --skip-tls for batch speed. Full audits check additional signals.

Valid results: 200/200 (100%)
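As an added example (this is not the mail-audit tool's own code), here is a small Python grader that applies the A/B/C/D/F rules above to a domain's three TXT records. The domain names and records are constructed samples rather than real DNS answers, "enforcing" is assumed to mean p=quarantine or p=reject, and the "critical failure" case of an F is not modelled.

```python
# Added example (not the mail-audit tool's code): apply the article's A-F
# scale to a domain's SPF, DKIM and DMARC records. All records below are
# constructed samples; a real audit would fetch them with public DNS queries.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AuthRecords:
    """The three TXT records the audit looks for."""
    spf: Optional[str]    # TXT at the apex, e.g. "v=spf1 include:_spf.google.com ~all"
    dkim: Optional[str]   # TXT at <selector>._domainkey.<domain>
    dmarc: Optional[str]  # TXT at _dmarc.<domain>


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record (DKIM or DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_present(record: Optional[str]) -> bool:
    # An SPF record must begin with the "v=spf1" version tag.
    return record is not None and record.strip().lower().startswith("v=spf1")


def dkim_present(record: Optional[str]) -> bool:
    # A DKIM key record needs a non-empty p= tag; an empty p= means a revoked key.
    return record is not None and bool(parse_tags(record).get("p"))


def dmarc_present(record: Optional[str]) -> bool:
    # A DMARC record needs v=DMARC1 and a policy tag p=.
    if record is None:
        return False
    tags = parse_tags(record)
    return tags.get("v", "").upper() == "DMARC1" and "p" in tags


def dmarc_enforcing(record: Optional[str]) -> bool:
    """Assumed definition of 'enforcing': p=quarantine or p=reject.
    p=none only asks receivers to report, so spoofed mail is still delivered."""
    if not dmarc_present(record):
        return False
    return parse_tags(record)["p"].lower() in ("quarantine", "reject")


def grade(records: AuthRecords) -> str:
    """A = all three present and DMARC enforcing; B = all three present;
    C/D/F = one, two or all three records missing."""
    present = [spf_present(records.spf), dkim_present(records.dkim),
               dmarc_present(records.dmarc)]
    missing = 3 - sum(present)
    if missing == 0:
        return "A" if dmarc_enforcing(records.dmarc) else "B"
    return {1: "C", 2: "D", 3: "F"}[missing]


def summarize(domains: Dict[str, AuthRecords]) -> Dict[str, int]:
    """Tally grades across a batch, the way the audit's headline counts were produced."""
    counts = {g: 0 for g in "ABCDF"}
    for records in domains.values():
        counts[grade(records)] += 1
    return counts


# Constructed sample batch: one domain per grade. The DKIM key is truncated.
SPF = "v=spf1 include:_spf.google.com ~all"
DKIM = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
SAMPLE_DOMAINS = {
    "a-example.test": AuthRecords(SPF, DKIM, "v=DMARC1; p=reject; rua=mailto:dmarc@a-example.test"),
    "b-example.test": AuthRecords(SPF, DKIM, "v=DMARC1; p=none; rua=mailto:dmarc@b-example.test"),
    "c-example.test": AuthRecords(SPF, DKIM, None),
    "d-example.test": AuthRecords(SPF, None, None),
    "f-example.test": AuthRecords(None, None, None),
}

if __name__ == "__main__":
    for name, recs in SAMPLE_DOMAINS.items():
        print(f"{name}: {grade(recs)}")
    print(summarize(SAMPLE_DOMAINS))
```

To run this against a live domain you would resolve the three names with a DNS library and pass the TXT strings in; note that DKIM lookups need the selector the sending service uses (Google Workspace defaults to `google`), and that a fuller check would also consider alignment and the DMARC `pct=` tag, which this example ignores.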