Defaults.Exposed

Defaults.Exposed › Reports

The National Domain Security Index 2026: How Countries Rank on Domain Security

Published 2026-06-28

Figures as of 2026-06-28 · methodology v7. Aggregate census data, based on each country’s national domain ending (ccTLD), not company registration. We never publish an individual business’s grade. See how we grade.

The National Domain Security Index ranks countries by how well their businesses protect their domains — and almost every country is failing. Across the 100 national domain endings we measure, 80.2% of domains score an F: effectively unprotected and able to be spoofed. Domain security is not a problem of one region or one income bracket. It is a near-universal blind spot — the ranking is really a contest over who is least exposed, not who is safe.

How the index works

For each country we take its national domain ending (its ccTLD — .de for Germany, .jp for Japan, and so on) and measure the share of those domains scoring grade F. Lower is better. We rank countries from least exposed to most exposed.

The live, always-current ranking of all 100 countries lives here, and updates as the census refreshes:

➡️ The full Domain Security by Country ranking →

This article is the explainer behind that table: what the index measures, what the pattern is, and what it means.

What the index reveals

Three findings hold consistently across editions:

  1. Europe leads — but only relatively. As a group, European national registries are the least exposed in the world (around 76.4% F, versus 84.7% for national endings elsewhere). Strong performers such as Switzerland (57.1% F), the Netherlands (69.1%) and Norway (65.5%) sit near the top of the table. See Europe vs the world →.
  2. Wealth and tech-sophistication don’t guarantee a good rank. Several large, advanced economies sit mid-table or worse — because the index measures configuration habits across a whole population, not the capability of a few flagship firms.
  3. Even the leader fails in absolute terms. The best-ranked country still leaves the majority of its business domains at grade F. There is no country where most domains are secure.

Why national rankings matter

National domain security is a genuine economic-resilience issue:

A note on fairness

Some countries have very few businesses on their national ending (most of their firms use generic endings like .com, which can’t be attributed to a country at this scale). Those thin populations are a less representative sample. The live table shows the number of domains graded for each country so you can weigh how robust each figure is, and we don’t draw strong conclusions from thin coverage.

Frequently asked questions

Which country has the most secure domains? The leaders are consistently European national registries (e.g. Switzerland, the Netherlands, Norway). See the live ranking for the current order. Even the leader, though, leaves most of its domains at grade F.

How is national domain security measured? By the share of domains on a country’s national ending (ccTLD) that score grade F — effectively unprotected — out of all such domains we grade. Lower is better.

Is this based on where companies are registered? No. It’s based on the country’s national domain ending, not corporate registration. A firm on a generic ending like .com isn’t attributed to any country. This caveat is built into the index.

Why is every country’s score so poor? Because domain protections (SPF, DMARC, DNSSEC, TLS) are off by default and most owners never enable them — a pattern that holds in every country, varying only in degree.

See where your domain ranks — not just your country

Your country’s position is an average. Your domain has its own grade. Check it privately and free, with a per-check breakdown and how to fix what fails.

Check your domain → · Domain security by country → · How we grade → · Aggregate data only. Data stored and processed in the EU.