Security7 min read

KnowBe4 in Your SPF: Phishing-Training Adoption as a Security-Maturity Signal

Security-awareness training leaves a public fingerprint: to deliver simulated phishing as your domain, the platform must live in your SPF record. KnowBe4's footprint in the Tranco top-1M has grown 2.8× in four years, from 0.20% to 0.56% of SPF-publishing domains — a security-culture trend you can read straight out of DNS.

Most security controls are invisible from the outside. You cannot query a company's EDR coverage or its patch cadence from the public internet. But one control class announces itself in DNS: phishing-simulation and security-awareness platforms. To land a simulated phish in employee inboxes with the company's own domain in the From header — and survive the company's own SPF and DMARC checks — the platform's sending infrastructure has to be authorised in the company's SPF record. That authorisation is a public TXT record anyone can read.

Our daily email infrastructure report parses the SPF records of the Tranco top-1M and attributes includes to known senders. As of the 2026-07-05 snapshot, KnowBe4 — the largest name in the category — appears in 0.56% of SPF-publishing domains, up from 0.20% in 2022. That is a 2.8× increase in four years, making security-awareness tooling one of the fastest-growing SaaS categories we can see in DNS.

The curve: security culture, measured from outside

0%0.20%0.40%20172018201920202021202220232024202520260.56%KnowBe4
KnowBe4 share of Tranco top-1M domains with SPF records, 2016–2026. Source: our daily OpenINTEL-based scan of the Tranco top-1M.

A steady climb rather than a spike is exactly what you would expect from a control that spreads through procurement cycles: renewals, audits, cyber-insurance questionnaires, and compliance frameworks that increasingly ask for a documented awareness programme. And KnowBe4 is one datapoint in a broader pattern our scan picks up — the "SaaS density" of a domain's DNS. Email-signature management (CodeTwo, at 0.71% of SPF domains) and workflow platforms (Atlassian, 0.30%) leave the same class of fingerprint, and together they sketch a company's operational stack from public records alone, a technique we cover in our guide to reading tech stacks from TXT records.

Why the include is a meaningful signal

A phishing-training include in SPF is not just a product logo — it implies a chain of organisational facts that are individually hard to observe:

  • There is a security budget line. Awareness platforms are recurring, per-seat spend that someone had to justify. Companies with no security function rarely buy them.
  • Someone owns the programme. Simulations need scheduling, targeting, and follow-up training. The include is evidence of an operating process, not a one-off purchase.
  • Email authentication is actively managed. Adding a vendor to SPF without breaking the 10-lookup limit, keeping DKIM and DMARC aligned around simulation traffic — these are the marks of a team that treats its DNS as configuration, not archaeology.
  • Employees are a hardened target. A workforce that gets phished monthly by its own security team clicks less. For anyone modelling the difficulty of social-engineering a company, this is the single most relevant public fact.
Who reads this signal

Sales teams use the include for qualification — a security vendor selling into a KnowBe4 shop knows the buyer already funds awareness. Insurers and auditors can verify a claimed programme in one query. And attackers read it too: a trained workforce pushes them toward pretexts that simulations rarely cover, or away from email entirely. The signal is neutral infrastructure; every side of the market consumes it.

The caveats that keep the signal honest

Like every DNS-derived measurement, this one has edges worth respecting:

  • Presence is not performance. The include proves the platform is authorised to send, not that campaigns actually run or that click rates improve. A stalled programme looks identical in DNS to a thriving one.
  • Absence is not negligence. Some organisations run simulations through dedicated subdomains, allowlist the vendor at the gateway instead of via apex SPF, or use competing platforms our dictionary attributes separately. Our 0.56% is a floor for the category, not a ceiling.
  • The measurement inherits SPF's blind spots. Flattened SPF records that inline raw IPs instead of vendor includes are unattributable to any vendor — a limitation that applies to our entire ESP dataset and that we document openly in the methodology.

Within those limits, the trend is robust: the same parsing rules applied to the same domain population, daily, for years, show the awareness-training footprint nearly tripling. Whatever one thinks of phishing simulations as a control, organisations keep buying them — and their DNS keeps saying so. The full SaaS-sender series, including KnowBe4, CodeTwo, and Atlassian, updates nightly in api/latest.json.

FAQ

Why does a phishing-training platform need to be in my SPF record?

Simulated phishing is most realistic when it arrives as your own domain and passes your own authentication checks — otherwise your mail filters block the simulation before employees ever see it. Authorising the platform's senders in SPF (and aligning DKIM) is the standard deployment, which is why adoption is visible in public DNS.

How fast is KnowBe4 adoption growing in the top-1M?

In our Tranco top-1M scan, KnowBe4 appears in 0.56% of SPF-publishing domains as of the 2026-07-05 snapshot, up from 0.20% in 2022 — a 2.8× increase in four years. The series updates daily in our public dataset.

Is it a security risk that my training vendor is visible in DNS?

It is a disclosure, not a vulnerability. An attacker learns your workforce receives simulations and may adjust pretexts accordingly, but the same record tells them the workforce is trained — on balance, most practitioners consider the deterrent worth more than the disclosure. If it concerns you, deploying simulations via a dedicated subdomain narrows the visible surface.

Can I use this signal to assess a vendor's or partner's security maturity?

As one input, yes. A phishing-training include implies budget, ownership, and managed email authentication — all positive indicators. But absence proves little (alternative deployments exist), and presence says nothing about programme quality, so treat it as a prior to verify, not a verdict.
Related reading
Found this useful? Share it
AB
About the author
Artem Berezin
B2B Deliverability Specialist

B2B deliverability specialist with 5+ years of hands-on outreach experience. Built campaigns reaching 90,000+ inboxes across 20+ countries — and fixed the deliverability problems that came with that scale.

Check your deliverability across 20+ providers

Gmail, Outlook, Yahoo, Mail.ru, Yandex, GMX, ProtonMail and more. Real inbox screenshots, SPF/DKIM/DMARC, spam engine verdicts. Free, no signup.

Run Free Test →

Unlimited tests · 20+ seed mailboxes · Live results · No account required