Defaults.Exposed

Defaults.Exposed › Reports

Cyber-Insurance and Vendor Security Questionnaires: What They Check on Your Domain (2026)

Published 2026-07-01

Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. The figures below are the internet-wide pass rate for each control a typical questionnaire asks about. See how we grade.

Cyber-insurance applications and vendor security questionnaires increasingly ask about the exact controls sitting in your public DNS — and most organisations can’t truthfully tick them. These are externally verifiable: an underwriter or a customer can check the answers without your cooperation. Across 261 million domains, only 3.87% are fully email-protected and just 0.09% have every core control locked down. Here’s what they check and where the internet actually stands.

The controls they ask about — and the real pass rates

Higher is better. Each row is a question you’ll recognise from a questionnaire, with the share of all domains that would pass it as of 2026-06-29:

What they askControlInternet passes
”Do you enforce DMARC to stop impersonation?”DMARC quarantine/reject10.59%
“Is SPF published for your sending domains?”SPF present53.21%
“Is the website served over HTTPS?”HTTPS78.02%
“Is HSTS enabled?”HSTS22.91%
“Do you serve modern TLS (1.2+)?”TLS 1.3 negotiated90.51%
“Is DNSSEC enabled?”DNSSEC valid1.99%
“Do you restrict certificate issuance (CAA)?”CAA present1.56%

The gap between “we think we’re covered” and “we can prove it” is where applications get delayed and premiums rise.

Why most organisations answer these wrong

Two failure modes dominate:

How to answer them accurately — and improve the score

  1. Check the domain first so your answers are evidence-based, not guesses. See below.
  2. Close the email gap — move DMARC to enforce on top of SPF and DKIM. This is the highest-weighted item on most questionnaires.
  3. Harden the web tierHTTPS everywhere, add HSTS, and disable legacy TLS.
  4. Add DNS integrityDNSSEC and CAA where your host supports them.
  5. Re-check before you submit so the box you tick matches what an assessor will see.

See does NIS2 require DMARC and the domain exposure score for how these controls combine.

Frequently asked questions

What domain controls do cyber-insurance questionnaires check? Most ask about DMARC enforcement, SPF, HTTPS, HSTS, TLS version, and increasingly DNSSEC and CAA — all externally verifiable from your DNS and web responses.

Can an insurer really verify my answers? Yes. These are public signals; an underwriter or customer can confirm them without access to your systems. Answering “yes” to something they can see is “no” is a bad idea.

Which control matters most? DMARC enforcement is usually the highest-weighted and the most commonly failed — only 10.59% of domains pass it. It directly addresses impersonation and invoice fraud.

How long does it take to improve? The email controls are typically an afternoon of DNS work plus a monitoring period; the web and DNS controls are configuration changes. All are free.

How do I know where I stand? Run a free, private check of your own domain (below) — it maps directly to these questionnaire items.

Check your domain against the questionnaire free

See exactly which controls you’d pass and which you’d fail — privately, and owner-only.

Check your domain → · Fix DMARC → · Does NIS2 require DMARC? → · How we grade → · Aggregate data only. Data stored and processed in the EU.