Defaults.Exposed › Reports
How We Graded the Entire Internet: The A–F Domain Security Methodology (2026)
Published 2026-06-28
Reference page · methodology v7 · data as of 2026-06-28. This page explains how every figure on this site is produced. All published statistics are aggregate; an individual domain’s grade is shown only to its verified owner.
Defaults.Exposed grades domains from A+ to F based on 34 externally observable security checks, scored entirely from the public internet — without ever touching anyone’s systems. This page is the full, plain-English account of how that works: what we measure, how a grade is calculated, what the data can and cannot tell you, and the ethical rules we hold ourselves to. It is deliberately transparent, because a security grade is only as trustworthy as the method behind it.
What we measure
Every domain is assessed against 34 checks grouped into five categories. Each check is something anyone could observe from outside — there is no scanning of private systems, no login, no intrusion.
- Email authentication — can this domain be impersonated in email? Includes SPF, DKIM, DMARC (and whether DMARC is actually at enforcement), and the mail (MX) setup.
- TLS & certificates — is the site encrypted properly? Includes certificate validity and hostname match, modern TLS versions, and HSTS.
- Web security headers — does the site defend the browser? Includes Content-Security-Policy, anti-clickjacking (X-Frame-Options), MIME-sniffing protection, Referrer-Policy and cross-origin headers.
- DNS — is the naming layer hardened? Includes DNSSEC, CAA, and nameserver configuration.
- Infrastructure — supporting signals such as reverse DNS and IPv6 support.
Of the 34 checks, a subset are scored (they affect the grade) and the rest are informational (reported for context but not penalised).
How a check is scored: pass, fail, or N/A
Each check resolves to one of three outcomes:
- Pass — the protection is present and correct.
- Fail — the protection is missing or broken. A real failure is a real failure: a domain with no enforced SPF and DMARC scores poorly because it can genuinely be spoofed, not because of how we counted.
- N/A — the check genuinely cannot be determined for this domain. N/A results are excluded from the grade; they never count against a domain.
This last point matters: we do not punish a domain for something we couldn’t fairly assess.
How the letter grade is calculated
Grades run A+, A, B, C, D, F. The grade reflects how completely a domain closes the gaps that matter — weighted toward the checks with the biggest real-world impact (email spoofing and transport security carry more weight than cosmetic headers). A domain that gets the high-impact fundamentals right and leaves only minor gaps lands high; a domain that fails the basics that allow it to be impersonated lands at F.
Because the same method is applied identically to every domain, grades are comparable across the whole population — which is what makes the league tables (by TLD, country, and industry) meaningful.
How big is the dataset?
We track an inventory of 333 million domains and grade the live population of around 260 million that currently resolve. Published statistics are computed from this population at build time and carry the dataset’s as-of date so you always know how current a figure is.
How current is the data?
The scanning fleet runs continuously. The full population is refreshed on a regular cadence, with some TLDs re-measured more frequently, so the figures on this site are a living measurement rather than a one-off snapshot. Every report shows its as-of date, and the flagship studies are published as recurring editions so trends can be tracked over time.
What the data can — and can’t — tell you
We believe the limits matter as much as the findings:
- Geography and industry are derived from the domain’s ending, not company registration. A country’s figures are based on its national domain ending (ccTLD); an industry’s figures are based on industry-specific endings. A firm using a generic ending like
.comcan’t be attributed to a country or sector at this scale. These segments are “accurate enough” to compare populations, with this caveat stated. - We measure domains, not organisations. One company may own many domains; we grade each domain on its own configuration.
- External view only. We assess what is observable from the public internet. We do not see, or attempt to see, anything behind a login.
Our rules: aggregate-only, owner-private, EU-resident
Three commitments govern everything we publish:
- Aggregate only. We publish population patterns — per-TLD, per-country, per-industry league tables. We never publish an indexed page naming an individual business and its grade.
- Owner-private. An individual domain’s grade and per-check breakdown are shown only to the verified owner who checks it.
- EU data residency. All data is stored and processed within the EU — a compliance posture and a deliberate trust commitment.
Frequently asked questions
How does Defaults.Exposed calculate a domain’s security score? By running 34 externally observable checks (email authentication, TLS, web headers, DNS and infrastructure), scoring each as pass / fail / N/A, and weighting them toward real-world impact to produce a grade from A+ to F.
Do you scan or hack the domains you grade? No. Every check is observable from the public internet — the same information a recipient mail server or a visitor’s browser would see. There is no login, intrusion, or access to private systems.
Why might a domain get an F? Most commonly because it has no enforced SPF and DMARC and can therefore be impersonated in email — a genuine, externally verifiable weakness.
Can I see the grade of a specific company’s domain? Only if it is your own domain and you verify ownership. We never publish individual businesses’ grades.
How often is the data updated? Continuously. The full population is refreshed on a regular cadence and every figure is dated with an “as-of” so you know how current it is.
Check a domain yourself
The fastest way to understand the method is to run it. Check your own domain privately and free, and see all 34 checks scored with plain-English explanations and fixes.
Check your domain → · The internet’s grade curve → · Aggregate data only. Data stored and processed in the EU.