How the US Trucking Email Security Index is built.
The EFROS US Trucking Email Security Index measures the public email-security posture of every active US motor carrier that operates a company-controlled business domain — 307,688 domains representing 393,312 carriers, sourced from the FMCSA Company Census File and measured via public DNS only.
This page documents every choice behind those figures: how we selected domains, what we measured and did not measure, how we define "enforced" DMARC, how dead domains are handled, and what the known limitations are — so any researcher, fleet operator, or security professional can audit the findings from raw data to published percentage.
Data source
1. FMCSA Company Census File
The source for all carrier records is the FMCSA Company Census File — the official federal registry of active US motor carriers maintained by the Federal Motor Carrier Safety Administration. The file was downloaded on 2026-05-20. It contains 4,437,569 records in total, of which 2,192,304 have an active carrier status at the time of download.
FMCSA is the authoritative public registry for US motor carrier identity. We use it rather than commercial data sources because it is the only complete, publicly attributable record of who is legally authorized to operate as a motor carrier in the United States.
Domain selection
2. Which domains we measured
We extracted the email domain from the carrier contact record for every active carrier. The raw extraction produces a large number of domains that a carrier does not control — and cannot configure for email security. We applied two exclusion passes to remove them.
First pass: we excluded free consumer email providers — Gmail, Yahoo, Outlook, Hotmail, AOL, iCloud, and similar — where the carrier has no ability to publish DNS records on behalf of the domain. A carrier using gmail.com as its business address cannot configure DMARC for gmail.com, and measuring gmail.com's DMARC posture would not reflect the carrier's security posture.
Second pass: we excluded ISP, cable, and telecom domains — including Comcast, Charter, Spectrum, AT&T, Bell South, Frontier, and similar — for the same reason. A carrier using an ISP-issued email address does not own that domain and cannot configure its DNS.
After both exclusion passes, the working set is 307,688 unique company-controlled business domains, representing 393,312 active carriers. These are the only domains where the carrier has meaningful ability to deploy or fail to deploy email authentication controls.
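The two exclusion passes and the resulting domain and carrier counts, sketched as an added example; this is not the Index's own code. The exclusion sets are small illustrative subsets (the page names providers, not the exact domain lists used), and the carrier IDs and addresses are constructed.

```python
from collections import defaultdict

# Illustrative subsets only (assumption): the page names the providers,
# not the exact domain lists the Index applied.
FREE_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
                  "aol.com", "icloud.com"}
ISP_DOMAINS = {"comcast.net", "charter.net", "att.net", "bellsouth.net",
               "frontier.com"}

def email_domain(address):
    """Return the lower-cased domain of an address, or None if unusable."""
    if not address or address.count("@") != 1:
        return None
    domain = address.rsplit("@", 1)[1].strip().lower().rstrip(".")
    return domain if "." in domain else None

def build_working_set(carriers):
    """carriers: iterable of (carrier_id, contact_email).
    Returns ({domain: {carrier_id, ...}}, {drop_reason: count})."""
    working = defaultdict(set)
    dropped = defaultdict(int)
    for carrier_id, email in carriers:
        domain = email_domain(email)
        if domain is None:
            dropped["no_usable_domain"] += 1
        elif domain in FREE_PROVIDERS:      # first pass: consumer mailboxes
            dropped["free_provider"] += 1
        elif domain in ISP_DOMAINS:         # second pass: ISP/telecom mailboxes
            dropped["isp"] += 1
        else:
            working[domain].add(carrier_id)
    return dict(working), dict(dropped)

# Constructed sample records, not FMCSA data.
SAMPLE = [
    ("C1", "dispatch@acme-freight.example"),
    ("C2", "Billing@ACME-Freight.example"),   # same domain, second carrier
    ("C3", "owner@gmail.com"),
    ("C4", "joe@comcast.net"),
    ("C5", "not-an-email"),
    ("C6", "ops@northline.example"),
]

if __name__ == "__main__":
    working, dropped = build_working_set(SAMPLE)
    print(len(working), "domains,", sum(map(len, working.values())), "carriers")
    print(dropped)
```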
Measurement protocol
3. Public DNS only — no system accessed
For each domain in the working set we queried public DNS records only. No carrier system was accessed, probed, logged into, or contacted in any way. Every data point in the Index is publicly observable by any party with a DNS resolver.
We recorded the following records for each domain:
- SPF policy — the TXT record publishing the authorized sending policy and its enforcement mode (~all, -all, ?all, or absent).
- DMARC policy — the TXT record at the _dmarc subdomain and its p= value (none, quarantine, reject, or absent).
- Mail provider — derived from MX record hostnames, classified into Microsoft 365, Google Workspace, self-hosted, and other managed providers.
- DNSSEC — delegation signing records indicating whether the domain is signed.
- MTA-STS — TXT record at _mta-sts indicating whether the domain has published an SMTP transport security policy.
- TLS-RPT — TXT record at _smtp._tls indicating whether the domain has published a TLS reporting address.
- BIMI — TXT record at default._bimi indicating whether the domain has published a brand indicator for message identification.
These are the same public checks used by any standard email security assessment tool. Results are reproducible by any researcher with access to a public DNS resolver.
Definitions
4. Key definitions
DMARC "enforced" — We count DMARC as enforced only when the policy is p=quarantine or p=reject. A policy of p=none is monitor-only: it instructs receiving servers to take no protective action on failing messages and provides no protection against email impersonation. We count p=none with the unprotected group throughout the Index.
Dead domains — A domain that returned no DNS records at the time of measurement was classified as dead or unregistered. Dead domains are excluded from configuration percentages (SPF coverage, DMARC enforcement rates, provider market share) because computing a security posture for a domain with no DNS presence is not meaningful. Dead domains are reported separately as a distinct finding: they represent carriers whose listed email domain has lapsed, creating both an operational risk and an impersonation opening.
Carrier count vs. domain count — The Index reports both domain-level and carrier-level figures. Multiple carriers may share a single domain (e.g., carriers under a common fleet management entity). Where both counts are available, domain-weighted percentages are primary because they reflect the DNS surface being measured; carrier counts are secondary aggregates.
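The SPF and DMARC checks from section 3, combined with the "enforced" and dead-domain rules above, as an added example that is not the Index's own code. It classifies TXT strings that have already been fetched; the domains and records are constructed, and treating duplicate or invalid records as "absent" is an assumption of this sketch.

```python
ENFORCED = {"quarantine", "reject"}   # p=none is counted as unprotected

def spf_mode(apex_txt):
    """Return the SPF 'all' mode: '-all', '~all', '?all', '+all',
    'no-all' (record present, no all term) or 'absent'."""
    recs = [r.split() for r in apex_txt
            if r.split() and r.split()[0].lower() == "v=spf1"]
    if len(recs) != 1:          # none, or duplicates (treated as absent here)
        return "absent"
    for term in recs[0][1:]:
        term = term.lower()
        if term.lstrip("+-~?") == "all":
            return term if term[0] in "+-~?" else "+all"
    return "no-all"

def dmarc_policy(dmarc_txt):
    """Return the p= value published at _dmarc, or 'absent'."""
    policies = []
    for rec in dmarc_txt:
        parts = [p.strip().lower() for p in rec.split(";") if p.strip()]
        if parts and parts[0].replace(" ", "") == "v=dmarc1":
            tags = {k.strip(): v.strip() for k, v in
                    (p.split("=", 1) for p in parts[1:] if "=" in p)}
            policies.append(tags.get("p", ""))
    if len(policies) != 1:      # zero or multiple DMARC records: no policy
        return "absent"
    return policies[0] if policies[0] in ENFORCED | {"none"} else "absent"

def summarize(observations):
    """observations: {domain: (apex_txt, dmarc_txt)}, or None for a dead domain.
    Dead domains are counted separately and left out of the denominator."""
    live = {d: o for d, o in observations.items() if o is not None}
    enforced = sum(dmarc_policy(o[1]) in ENFORCED for o in live.values())
    pct = round(100 * enforced / len(live), 1) if live else 0.0
    return {"dead": len(observations) - len(live), "measured": len(live),
            "dmarc_enforced": enforced, "dmarc_enforced_pct": pct}

# Constructed sample observations, not Index data.
SAMPLE = {
    "alpha.example": (["v=spf1 include:_spf.alpha.example -all"], ["v=DMARC1; p=reject"]),
    "bravo.example": (["v=spf1 mx ~all"], ["v=DMARC1; p=none; rua=mailto:d@bravo.example"]),
    "charlie.example": (["site-verification=constructed"], []),
    "delta.example": (["v=spf1 a ?all"], ["v=DMARC1; p=quarantine"]),
    "echo.example": None,       # no DNS records at all: dead
}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```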
Limitations
5. Known limitations
DKIM is not measured. Valid DKIM selectors cannot be enumerated from outside a domain — there is no standard DNS record that lists active selectors. DKIM deployment is therefore not reported in the Index. This makes all figures conservative: a domain may have DKIM configured even if it lacks DMARC enforcement, but absent DMARC enforcement, DKIM alone does not prevent impersonation.
Domain on file may differ from primary domain. The email domain on record with FMCSA may not match the carrier's primary marketing, invoicing, or dispatch domain. Some carriers list an administrative address that is distinct from the domain they use for daily freight communications. We cannot resolve this gap without access to carrier-internal records.
Provider classification is pattern-based. Mail provider assignment is derived from MX hostname patterns. Carriers using white-label or reseller configurations may be classified as self-hosted when they are actually on a managed platform. This means the self-hosted and unidentified share may be overstated relative to the true managed-platform share.
These limitations make our figures conservative in aggregate: the true rate of misconfigured or missing email authentication across US motor carriers is likely higher than the figures we report, not lower.
FAQ
Common questions about the methodology
Why did you exclude Gmail and Yahoo domains?
A carrier using a free consumer provider cannot configure that provider's DNS. Measuring Google's or Yahoo's DMARC record would reflect the provider's security posture, not the carrier's. Including those domains would artificially suppress the misconfiguration rate and misrepresent the carrier's actual control posture. The Index measures only domains where the carrier has the ability to configure email authentication.
Why is DKIM not measured?
DKIM selectors are not publicly enumerable from DNS without knowing the selector name, which is not standardized. Any individual query for a guessed selector name would return a false negative for carriers that have DKIM deployed with a different selector. We omit DKIM entirely rather than report inaccurate coverage figures. This makes the misconfiguration rates in the Index conservative.
What counts as an enforced DMARC policy?
We count p=quarantine and p=reject as enforced. p=none is a monitoring-only policy: it tells receiving servers to accept and deliver the message regardless of authentication outcome, then optionally send aggregate reports. A p=none policy provides zero protection against email impersonation. Throughout the Index, p=none is counted with the unprotected group.
How do dead domains affect the numbers?
Dead domains — those returning no DNS records — are excluded from configuration percentages. Including them would artificially inflate the no-SPF and no-DMARC counts without meaningfully contributing to a carrier-level posture assessment. Dead domains are reported separately because they represent a distinct failure mode: a carrier whose listed email domain has lapsed entirely.
Can I reproduce these measurements?
Yes. Every metric in the Index is derived from public DNS queries. Any researcher with access to a DNS resolver can query the _dmarc subdomain, the SPF TXT record, and the MX records for any domain in the FMCSA carrier file. The methodology is documented here in sufficient detail to reproduce the full dataset from the publicly available FMCSA Company Census File.
Data authority references: FMCSA Company Census File from fmcsa.dot.gov; DMARC specification from RFC 7489; MTA-STS specification from RFC 8461.