Defaults.Exposed › Reports
The Domain Exposure Score: Most Domains Have 1 of 5 Basic Protections (2026)
Published 2026-06-29
Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. The exposure score counts how many of five core protections a domain has in place: SPF, an enforcing DMARC policy, DNSSEC, HTTPS, and HSTS (0 = none, 5 = all). See how we grade.
Pick any five basic protections, score every domain on the internet out of five, and the typical result is one — maybe two. Across 261 million domains, 8.8% have none of the five, the bulk cluster at one or two, and just 0.09% have all five. The exposure curve is not a bell with a healthy middle — it’s piled up at the bottom.
The exposure curve
Number of the five core protections (SPF · enforcing DMARC · DNSSEC · HTTPS · HSTS) a domain has in place. As of 2026-06-29:
| Protections in place | Share of domains | |
|---|---|---|
| 0 — fully exposed | 8.8% | 23,105,485 domains |
| 1 | 37.2% | |
| 2 | 39.7% | |
| 3 | 12.0% | |
| 4 | 2.1% | |
| 5 — fully locked down | 0.09% | 247,054 domains |
Two numbers tell the story: 8.8% score zero — no email authentication, no encryption, nothing — and only 0.09% get everything right. The most common outcome is one or two protections, almost always HTTPS (now widespread) plus, at best, an unenforced SPF. The controls that actually stop attacks — enforced DMARC, DNSSEC, HSTS — are where nearly everyone falls short.
Why the curve sits so low
It’s the same root cause across every layer: these protections are off by default and have to be switched on deliberately. HTTPS climbed because hosts and CDNs started enabling it automatically — so it’s the one protection most domains have. The other four still require an owner to know they exist and act:
- HTTPS is common because it became a default.
- SPF is half-adopted but usually too weak to matter without DMARC.
- Enforced DMARC, DNSSEC and HSTS all require a deliberate step almost nobody takes — so the score stalls at one or two.
Nothing here is expensive. The gap between a 1 and a 5 is a few configuration changes, all free. The barrier is awareness, not cost.
Where do you sit on the curve?
Most owners assume they’re a 3 or 4 and are surprised to find they’re a 1 — an HTTPS site whose email anyone can forge. The only way to know your score is to check. Moving up the curve is the highest-leverage security work most small businesses can do, and it’s free.
Frequently asked questions
What is a good domain security baseline? Having all five of SPF, enforced DMARC, DNSSEC, HTTPS and HSTS — the “5 of 5” that only 0.09% of domains reach. A realistic near-term target for most businesses is enforced email authentication (SPF + DMARC) plus valid HTTPS.
What does “fully exposed” mean? A domain with none of the five protections — no email authentication, no encryption, no DNS or transport hardening. 8.8% of domains are in this state.
Why do most domains only have one or two protections? Usually HTTPS (now a common default) and at most an unenforced SPF. The protections that require a deliberate manual step — enforced DMARC, DNSSEC, HSTS — are skipped by the large majority.
How do I improve my score? Enforce DMARC, ensure valid HTTPS, add HSTS, and consider DNSSEC. All are free configuration changes. Check your domain to see which you’re missing.
See your exposure score
Find out how many of the five you have — and exactly how to close the gaps — privately and free.
Check your domain → · Can someone spoof your domain? → · The State of Domain Security 2026 → · Aggregate data only. Data stored and processed in the EU.