Defaults.Exposed › Reports
Cyber-Insurance and Vendor Security Questionnaires: What They Check on Your Domain (2026)
Published 2026-07-01
Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. The figures below are the internet-wide pass rate for each control a typical questionnaire asks about. See how we grade.
Cyber-insurance applications and vendor security questionnaires increasingly ask about the exact controls sitting in your public DNS — and most organisations can’t truthfully tick them. These are externally verifiable: an underwriter or a customer can check the answers without your cooperation. Across 261 million domains, only 3.87% are fully email-protected and just 0.09% have every core control locked down. Here’s what they check and where the internet actually stands.
The controls they ask about — and the real pass rates
Higher is better. Each row is a question you’ll recognise from a questionnaire, with the share of all domains that would pass it as of 2026-06-29:
| What they ask | Control | Internet passes |
|---|---|---|
| ”Do you enforce DMARC to stop impersonation?” | DMARC quarantine/reject | 10.59% |
| “Is SPF published for your sending domains?” | SPF present | 53.21% |
| “Is the website served over HTTPS?” | HTTPS | 78.02% |
| “Is HSTS enabled?” | HSTS | 22.91% |
| “Do you serve modern TLS (1.2+)?” | TLS 1.3 negotiated | 90.51% |
| “Is DNSSEC enabled?” | DNSSEC valid | 1.99% |
| “Do you restrict certificate issuance (CAA)?” | CAA present | 1.56% |
The gap between “we think we’re covered” and “we can prove it” is where applications get delayed and premiums rise.
Why most organisations answer these wrong
Two failure modes dominate:
- “Published” mistaken for “enforcing.” A domain with a
p=noneDMARC record or a soft SPF looks configured but blocks nothing — an honest answer is “no.” Only 10.59% actually enforce DMARC. - No single owner. DNS, email and web are often managed by different teams or vendors, so no one can vouch for the whole set. It shows: 8.8% of domains have none of the core controls in place, fully exposed.
How to answer them accurately — and improve the score
- Check the domain first so your answers are evidence-based, not guesses. See below.
- Close the email gap — move DMARC to enforce on top of SPF and DKIM. This is the highest-weighted item on most questionnaires.
- Harden the web tier — HTTPS everywhere, add HSTS, and disable legacy TLS.
- Add DNS integrity — DNSSEC and CAA where your host supports them.
- Re-check before you submit so the box you tick matches what an assessor will see.
See does NIS2 require DMARC and the domain exposure score for how these controls combine.
Frequently asked questions
What domain controls do cyber-insurance questionnaires check? Most ask about DMARC enforcement, SPF, HTTPS, HSTS, TLS version, and increasingly DNSSEC and CAA — all externally verifiable from your DNS and web responses.
Can an insurer really verify my answers? Yes. These are public signals; an underwriter or customer can confirm them without access to your systems. Answering “yes” to something they can see is “no” is a bad idea.
Which control matters most? DMARC enforcement is usually the highest-weighted and the most commonly failed — only 10.59% of domains pass it. It directly addresses impersonation and invoice fraud.
How long does it take to improve? The email controls are typically an afternoon of DNS work plus a monitoring period; the web and DNS controls are configuration changes. All are free.
How do I know where I stand? Run a free, private check of your own domain (below) — it maps directly to these questionnaire items.
Check your domain against the questionnaire free
See exactly which controls you’d pass and which you’d fail — privately, and owner-only.
Check your domain → · Fix DMARC → · Does NIS2 require DMARC? → · How we grade → · Aggregate data only. Data stored and processed in the EU.