Defaults.Exposed

Defaults.Exposed › Reports

New gTLDs vs Legacy Domains: Is .com Really Safer Than .xyz or .ai? (2026)

Published 2026-06-28

Figures as of 2026-06-28 · methodology v7. Aggregate census data; we never publish an individual domain’s grade. Figures are the share of each ending’s domains scoring grade F (effectively unprotected — lower is better). See how we grade.

The question “are new domain endings less safe than .com?” has a counterintuitive answer: no — and in several cases the opposite is true. Across the census, some of the newest endings are among the most secure, while a handful of cheap, bulk-registered endings are the least secure on the internet. What predicts a domain ending’s security is not how old it is. It is how much it costs and who buys it.

The short answer

In short: a new gTLD isn’t a red flag, and .com isn’t a safety guarantee.

The data: F-grade share by domain ending

Lower is better. Each figure is the share of that ending’s domains scoring grade F, as of 2026-06-28.

Domain endingTypeDomains gradedGrade-F shareB-or-better share
.aiNew (tech)1M74.5%1.58%
.ioNew (tech)1M79.5%1.25%
.devNew (tech)1M81.6%1.06%
.appNew (tech)1M85.6%0.58%
.comLegacy129M86.9%0.46%
.orgLegacy10M87.4%0.40%
.infoLegacy4M86.1%0.34%
.netLegacy10M90.2%0.36%
.shopNew (retail)3M89.7%0.16%
.onlineNew (generic)2M93.3%0.13%
.xyzNew (cheap/bulk)6M98.3%0.06%
.topNew (cheap/bulk)3M99.0%0.03%

(Rankings shift as the census refreshes. The always-current table lives at the most & least secure TLDs →.)

Why the age of a domain ending doesn’t predict its security

A domain’s grade is set by its configuration — does it enforce SPF and DMARC, serve valid TLS, enable DNSSEC, send the right headers? None of those depend on whether the ending launched in 1985 or 2015. What actually correlates with the numbers above is the kind of registrant each ending attracts:

The takeaway for choosing a domain: your ending is not a security strategy. Picking .com does not protect you, and picking .ai or .io does not protect you either — those endings just happen to attract owners who configure things well. Protection comes from what you switch on, not the letters after the dot.

So is .xyz (or .top) unsafe?

The ending isn’t unsafe — but a domain on a cheap bulk ending is statistically far more likely to be unconfigured and spoofable, because so few of its neighbours bother. If you own one and you’ve done the configuration, you can be more secure than the average .com. The only way to know is to check the specific domain.

Frequently asked questions

Are new gTLDs less secure than .com? Not inherently. As of 2026-06-28, .ai (74.5% F) and .io (79.5% F) are more secure on average than .com (86.9% F). Other new endings like .xyz (98.3% F) and .top (99.0% F) are less secure. Age isn’t the deciding factor.

Is .com safe? .com is average, not exceptional: about 86.9% of .com domains score an F. A .com is only as safe as its own configuration.

Which domain extension is the most secure? Among large endings, premium tech-oriented ones (.ai, .io) currently lead — but even the best still leave most of their domains exposed. See the live ranking.

Does a cheaper domain mean a less secure website? On average, cheaper bulk endings have far higher failure rates — but that reflects who registers them, not a technical limitation. A well-configured domain on any ending can earn a top grade.

Check the only ending that matters: yours

Whatever your domain ending, the grade that counts is your own. Check it privately and free, with a per-check breakdown and exactly how to fix what fails.

Check your domain → · Most & least secure TLDs → · How we grade → · Aggregate data only. Data stored and processed in the EU.