By Cargo / Grain / Feed
Grain / Feed Carriers — Email Security
79.1% of active grain / feed carrier domains have no enforced DMARC — leaving this segment open to email impersonation, payment-redirect fraud, and cargo theft via phishing.
No enforced DMARC
79.1%
national: 80.1%
p=reject
8.9%
national: 7.5%
Microsoft 365
33.8%
national: 38.1%
M365 + no DMARC (carriers)
4,333
national: 92,822
MTA-STS
4.4%
national: 3.3%
DNSSEC
6.3%
national: 6.1%
Dead domains
974
of 16,082 scanned
Total carriers
26,271
974 with dead domain
Risk bands — Grain / Feed carriers
Carrier counts by risk band (composite email-security pain score). Critical = score 70+; Minimal = score <15.
| Risk band | Score range | Carriers | Domains |
|---|---|---|---|
| Critical | score 70+ | 1,993 | 1,500 |
| High | score 50–69 | 8,119 | 4,948 |
| Medium | score 30–49 | 10,181 | 6,195 |
| Low | score 15–29 | 4,796 | 2,319 |
| Minimal | score <15 | 208 | 146 |
Grain / Feed vs. national average
What the Grain / Feed numbers actually mean
Segment exposure framing. Grain and feed moves on commodity-price and harvest-window timing — payment-redirect attacks target the elevator-to-mill payment leg specifically, where settlement happens fast and verification windows are tight.
DMARC posture. The grain / feedsegment's share of carrier domains with no enforced DMARC sits at 79.1% — within 1.0 points of the national average. Grain / Feed carriers adopt enforced p=reject DMARC at a meaningfully higher rate than the national pool. At the protective end of the distribution, 8.9% of segment domains are at p=reject — the only DMARC policy that actually instructs receivers to drop spoofed mail.
Microsoft 365 surface. Microsoft 365 mailflow adoption sits below the national rate, which shifts the remediation surface toward self-hosted and Google Workspace estates where DMARC has to be configured at the DNS layer rather than flipped on in a tenant policy. That share is 16.5% of all grain / feed carriers — a one-flag-flip remediation set that segment-specific MSPs can clear in a single quarter without touching DNS infrastructure.
Transport encryption. MTA-STS adoption — the encrypted-transport policy that prevents DNS-downgrade interception — runs above the national rate, but the absolute floor is still under 9%, well short of where freight payment flows should sit. DNSSEC adoption across grain / feed carriers runs at 6.3% (vs 6.1% national).
Risk-band shape. Grain / Feed's critical-band share is 7.6% versus 8.4% nationally, with the pressure shifting into the high band (30.9% of segment carriers) where one or two control gaps still leave room for impersonation.
Best-practice control for this segment. Grain elevators and feed buyers should bake DMARC verification into every new carrier onboarding alongside DOT and insurance verification.
Compare Grain / Feed with other cargo segments
Segments closest in carrier-count rank to Grain / Feed. Each is scored on the same DNS-derived control set, so the comparison is apples-to-apples.
See where your own domain stands
The research is free and self-serve. Run the same public checks on your own domain in about a minute — SPF, DKIM, DMARC, MTA-STS, DNSSEC, and more — and get a scored report by email. No agents, no credentials.
Data as of 2026-05-20 from public DNS measurements. Statistics are domain-weighted unless noted. Cargo segment membership is based on FMCSA Company Census cargo flags. Methodology: read the full index.