Most SaaS vendors prove that you own a domain by having you publish a TXT record at
the apex (e.g. google-site-verification=…). Those tokens stay in DNS
long after onboarding, so by sweeping the apex TXT records of the Tranco top-1M we
can map which SaaS products each domain has integrated. Unlike SPF, this catches
apps that don't send mail at all (Notion, Figma, 1Password, Zoom…), which makes it
an excellent complement to the SPF-based ESP map.
Top 30 SaaS vendors ranked by the number of Tranco top-1M domains that publish their verification TXT.
How many distinct SaaS vendors does each domain integrate? A long tail of SaaS-heavy domains tends to correlate with mid-to-large enterprises with many vendor relationships.
Cell value = number of domains in that region using that vendor. Region is derived from TLD; "Global" is the bucket for gTLDs.
A domain can publish a Google verification token (productivity: Drive, Calendar, Search Console) without routing mail through Google — and vice versa. The intersection of the two signals tells us about the depth of each integration.
| Vendor | Token only (productivity / non-mail) |
Both (full integration) |
SPF only (mail-only) |
|---|
Source: OpenINTEL forward-DNS Tranco snapshot (2026-07-13).
Parser: parsers/saas_tokens.py. Token dictionary:
dictionaries/verification_tokens.py. The dictionary is hand-curated —
contributions for additional patterns are welcome. Lower-bound figures: SaaS that
don't require a verification TXT (or use _-prefixed subdomains for verification)
are not visible here.