Most security controls are invisible from the outside. You cannot query a company's EDR coverage or its patch cadence from the public internet. But one control class announces itself in DNS: phishing-simulation and security-awareness platforms. To land a simulated phish in employee inboxes with the company's own domain in the From header — and survive the company's own SPF and DMARC checks — the platform's sending infrastructure has to be authorised in the company's SPF record. That authorisation is a public TXT record anyone can read.
Our daily email infrastructure report parses the SPF records of the Tranco top-1M and attributes includes to known senders. As of the 2026-07-05 snapshot, KnowBe4 — the largest name in the category — appears in 0.56% of SPF-publishing domains, up from 0.20% in 2022. That is a 2.8× increase in four years, making security-awareness tooling one of the fastest-growing SaaS categories we can see in DNS.
The curve: security culture, measured from outside
A steady climb rather than a spike is exactly what you would expect from a control that spreads through procurement cycles: renewals, audits, cyber-insurance questionnaires, and compliance frameworks that increasingly ask for a documented awareness programme. And KnowBe4 is one datapoint in a broader pattern our scan picks up — the "SaaS density" of a domain's DNS. Email-signature management (CodeTwo, at 0.71% of SPF domains) and workflow platforms (Atlassian, 0.30%) leave the same class of fingerprint, and together they sketch a company's operational stack from public records alone, a technique we cover in our guide to reading tech stacks from TXT records.
Why the include is a meaningful signal
A phishing-training include in SPF is not just a product logo — it implies a chain of organisational facts that are individually hard to observe:
- There is a security budget line. Awareness platforms are recurring, per-seat spend that someone had to justify. Companies with no security function rarely buy them.
- Someone owns the programme. Simulations need scheduling, targeting, and follow-up training. The include is evidence of an operating process, not a one-off purchase.
- Email authentication is actively managed. Adding a vendor to SPF without breaking the 10-lookup limit, keeping DKIM and DMARC aligned around simulation traffic — these are the marks of a team that treats its DNS as configuration, not archaeology.
- Employees are a hardened target. A workforce that gets phished monthly by its own security team clicks less. For anyone modelling the difficulty of social-engineering a company, this is the single most relevant public fact.
Sales teams use the include for qualification — a security vendor selling into a KnowBe4 shop knows the buyer already funds awareness. Insurers and auditors can verify a claimed programme in one query. And attackers read it too: a trained workforce pushes them toward pretexts that simulations rarely cover, or away from email entirely. The signal is neutral infrastructure; every side of the market consumes it.
The caveats that keep the signal honest
Like every DNS-derived measurement, this one has edges worth respecting:
- Presence is not performance. The include proves the platform is authorised to send, not that campaigns actually run or that click rates improve. A stalled programme looks identical in DNS to a thriving one.
- Absence is not negligence. Some organisations run simulations through dedicated subdomains, allowlist the vendor at the gateway instead of via apex SPF, or use competing platforms our dictionary attributes separately. Our 0.56% is a floor for the category, not a ceiling.
- The measurement inherits SPF's blind spots. Flattened SPF records that inline raw IPs instead of vendor includes are unattributable to any vendor — a limitation that applies to our entire ESP dataset and that we document openly in the methodology.
Within those limits, the trend is robust: the same parsing rules applied to the same domain population, daily, for years, show the awareness-training footprint nearly tripling. Whatever one thinks of phishing simulations as a control, organisations keep buying them — and their DNS keeps saying so. The full SaaS-sender series, including KnowBe4, CodeTwo, and Atlassian, updates nightly in api/latest.json.