Defaults.Exposed

Defaults.Exposed › Scope of Service

Scope of Service

Last updated: 2026-07-04 · Version: 1.0 (canonical; scheduled external legal/accountant review 2026-09-04)

Incorporated into the Terms of Service. Where this disclaimer and the Terms address the same point, they are intended to be read consistently; the Terms govern if there is any conflict.


The short version


1. What we assess

Every assessment examines the externally observable configuration of a domain, readable from the public internet:

We grade these against a single, published methodology — the same engine and rubric behind the free scan, the census, and every paid tier. That means the method is consistent across them; it does not guarantee identical results, because scans run at different times, from different vantage points, and configurations change between them. Every assessment is stamped with the rubric version it was run under, and every paid order pins that rubric version at purchase — so you can see exactly which rubric produced a grade, and any guarantee is judged against the version you bought, not a moving target.


2. What we do NOT do

An assessment is not, and must not be relied on as:

We see only what the public internet reveals. Where a report says something like “no DKIM found,” it means at the selectors we tested — a key may exist under a custom selector we did not probe. The same “observed from public records” caveat applies to every finding.


3. Point-in-time, and things change

An assessment reflects the domain’s configuration at the moment it ran. Configurations change — a later edit can raise or lower your true risk without us knowing, unless you hold an active Monitor or Fully Managed subscription (or a Grand Slam year), which is exactly what those tiers are for.


4. Security is probabilistic — a grade is not a warranty

Correctly configured email authentication (SPF, DKIM, DMARC at enforcement) makes it far harder for anyone to forge mail from your exact domain. That is a real, specific benefit — and it is the precise limit of what a grade buys you. Improving your grade does not:

In particular, a passing grade does not stop the most common real-world fraud routes: a look-alike domain (mail sent from a domain that merely resembles yours), display-name spoofing, or a compromised mailbox (mail sent from your genuine account by someone who has taken it over). Email authentication protects your exact domain; it does not police those other paths, and neither does any grade we issue. A high grade closes a major, common door — it does not remove every door. Where our sales pages describe wire-fraud or impersonation losses, read them alongside this section: they explain why domain forgery matters, not a promise that a grade prevents every kind of fraud.


5. About the numbers we cite

Figures on the site and in reports about industry losses, average fraud amounts, or the share of exposed domains are published-research context to explain why this matters. They are not a prediction about your specific business, a quantification of your risk, or a promise about your outcome.

Where they come from:

Two rules govern how these numbers appear, so this disclaimer never has to cure an unsupported claim on its own:


6. What “signed, timestamped and verifiable” means

Every sealed deliverable — the Security Dossier, each monthly Monitor certificate, and each yearly Grand Slam re-certification — is processed the same way: the evidence bundle is canonicalised and hashed (SHA-256), signed with our Ed25519 signing key (the public key is published on the verify page), and independently timestamped twice — by a third-party RFC 3161 timestamp authority and by OpenTimestamps (anchored to the Bitcoin blockchain) as a second, independent anchor. Each sealed deliverable has a public verification page at /verify/<id> that anyone can use, forever, without an account. (The A-Grade Playbook is deliberately not sealed — it is advice, not evidence.)

These seals let anyone confirm two things, and only these two things:

  1. Integrity — the specific document we issued has not been altered since we issued it.
  2. Observationwhat the domain’s publicly observable state was at the recorded time.

They do not make the document a legal opinion, an accreditation, a compliance certification, an insurance certificate, or a statement about anything we didn’t observe. We describe such records as tamper-evident and independently verifiable — the evidence is signed and independently timestamped so anyone can verify it hasn’t been altered and that it existed at the stated time. Whether any document is admissible or persuasive in a legal process is for a court to decide, and we make no claim about that.


7. No professional-adviser relationship

Using the Services does not create a professional-adviser, fiduciary, or consultant-client relationship beyond the specific service purchased. For decisions with legal, regulatory, insurance, or material financial consequences, take advice from a suitably qualified professional. We sell business-first, to domain owners, from Defaults Exposed FZ-LLC, a UAE free-zone company — but consumer purchases are accepted, and nothing in this disclaimer removes any mandatory right consumer-protection law in your own country gives you.


8. Access prerequisites for done-for-you services

For Fix It For Me, the Grand Slam, and Fully Managed, work starts only after we confirm your domain is reachable — meaning we can work with whoever controls your DNS, registrar, and mail platform. We never ask for or accept passwords or credentials; access is by DNS delegation or guided change only.

If your registrar, DNS provider, or mail platform cannot support a required record or configuration (e.g. DNSSEC, CAA), or if you decline to grant the access the work requires, we explain the constraint before you pay and route you to the appropriate guarantee outcome rather than taking money for a result we cannot deliver. See the Refund & Guarantee Policy §4.3.