Defaults.Exposed › Reports
The Fully-Protected Few: the 3.87% Who Finished
Published 2026-07-03 · updated 2026-07-03
Figures as of 2026-06-29 · methodology v7. Census data joining checks per domain across 261 million graded domains. “Fully protected” in this article means the complete email-authentication stack, enforced: SPF present, DKIM present, and a DMARC policy of
quarantineorreject. The exposure pyramid counts five core protections per domain — SPF, enforcing DMARC, DNSSEC, HTTPS, HSTS. Overlap figures here come from the per-domain join, whose dedup grain differs marginally from the policy-split counts quoted on the DAMMM pages (27,640,987 vs 27,639,358 enforcing domains) — each page cites its own source, and the two are never mixed. All figures are aggregate — we never publish an individual business’s grade.
What fully-protected domains do differently: they finish
Only 3.87% of the internet’s 261 million graded domains — 10,092,481 of them — run the complete, enforced email-protection stack: SPF and DKIM in place, DMARC at quarantine or reject. The interesting thing about this group is what it isn’t. It isn’t a club of security teams with bigger budgets — every control involved is a free DNS or web-server setting. The 3.87% aren’t smarter than everyone else; they’re systematic. They treated the protections as one stack to finish rather than five separate projects to start, and the rest of this article is about what that looks like in the census data.
To see how unusual finishing is, start with where everyone else stands.
The exposure pyramid: five protections, six floors
Score every domain on five best-practice protections — SPF, enforcing DMARC, DNSSEC, HTTPS, HSTS — one point each, and the internet arranges itself into a pyramid (the exposure curve, viewed floor by floor). As of 2026-06-29:
| Floor | Protections in place | Share of domains | Domains |
|---|---|---|---|
| 0 | None — fully exposed | 8.8% | 23,105,485 |
| 1 | One (usually HTTPS alone) | 37.2% | 97,206,153 |
| 2 | Two (typically HTTPS + SPF) | 39.7% | 103,527,371 |
| 3 | Three | 12.0% | 31,424,343 |
| 4 | Four | 2.1% | 5,575,826 |
| 5 | All five — fully locked | 0.09% | 247,054 |
The shape tells the story before any single number does. 76.9% of all domains — 201 million — sit on floors 1 and 2, holding exactly the protections that arrived by default and nothing more. HTTPS is there because hosts and CDNs switched it on automatically; SPF is there because every mail provider’s onboarding guide starts with it. Everything above floor 2 requires an owner to decide — and at each decision, most of the internet stops. Floors 4 and 5 together hold just 2.2% of domains.
The pyramid isn’t a ranking of who cares. It’s a map of where defaults end and deliberateness begins.
The funnel the 3.87% climbed
Trace the email half of the stack step by step and the same pattern repeats — every stage sheds more than half of the domains that reached the one before:
- 53.21% of domains publish SPF — the step the guides all cover.
- 24.89% publish any DMARC record at all.
- 10.59% enforce it (
quarantineorreject). - 3.87% enforce it with the full stack underneath — SPF and DKIM both present, so enforcement stands on complete authentication.
That last cut is worth pausing on. Of the roughly 28 million domains that enforce DMARC, only 36.5% carry both SPF and DKIM beneath the policy. Some of the remainder are doing exactly the right thing — a domain that sends no mail should be at p=reject with a bare -all SPF and needs no DKIM. But the gap also contains enforcing domains whose authentication is incomplete, which is the stack built from the roof down. The 3.87% are defined by the opposite habit: floor before roof, every layer, then the policy on top.
SPF alone covers 139 million domains and protects almost none of them — the census’s bluntest illustration of what starting without finishing buys.
One stack, not five projects
Here is the habit that separates the 3.87%, and it’s organisational, not technical.
Most domains accumulate protections the way the pyramid suggests: one at a time, each triggered by a different prompt — a browser warning, a deliverability problem, a compliance checklist — each treated as its own little project with its own “done”. Done, in that mode, means the record exists. That’s how the internet ends up with 201 million domains on floors 1–2: five green ticks available, one or two collected, journey over.
The fully protected treat the five as one system with one definition of done: the attack no longer works. Forged mail is refused, not just observed; sessions can’t be downgraded, because HSTS is pinned; answers can’t be quietly swapped, where DNSSEC is signed. In the DMARC Adoption Maturity Model, that’s the Stage 6 mindset — protection as a discipline that’s monitored and maintained, not a badge that was earned once. Nothing about it requires expertise the other 96% lack. It requires finishing — in the right order, checking each layer actually holds, and treating “configured” as the midpoint rather than the destination.
The summit above: all five together
Above the fully-email-protected sits a much smaller population: the 247,054 domains — 0.09% — that hold all five protections at once, DMARC, DNSSEC and HSTS deployed together on top of SPF and HTTPS. The gate is DNSSEC: valid on just 1.99% of domains, it is the rarest of the five, so the pyramid’s top floor is necessarily tiny. If floor 5 describes your ambitions, the order still matters — enforce email authentication first (it stops the attacks that actually arrive daily), then pin transport with HSTS, then sign the zone.
How to join the 3.87%
Every step is a configuration change, and every one is free:
- Publish SPF listing your real senders, ending
-all. (Fix SPF →) - Enable DKIM with every service that sends as you — most providers make it a toggle. (Fix DKIM →)
- Publish DMARC with reporting, observe, then enforce —
p=noneplusrua=first, identify every legitimate sender, then move toquarantineandreject. This is the wall most domains never climb, and it’s investigative work, not money. (Fix DMARC →) - Then the web tier: HSTS on your HTTPS site, and DNSSEC if your DNS provider manages signing for you.
A domain that sends no mail can skip the observation phase entirely: SPF -all and p=reject today, one DNS change, straight past the wall.
Frequently asked questions
What does a fully protected domain look like? SPF and DKIM in place and a DMARC policy of quarantine or reject on top — the complete email-authentication stack, enforced. 10,092,481 domains (3.87%) meet that bar. The strictest version adds DNSSEC, HTTPS and HSTS: all five together is the pyramid’s 0.09%.
How many domains have DMARC, DNSSEC and HSTS deployed together? The census publishes the five-protection score rather than every pairwise cross-tab, so the honest answer is a bound: at least the 247,054 domains holding all five have those three together, and at most 2.2% of domains (floors 4–5) could. Either way: well under one in forty.
Is the full stack expensive? No. SPF, DKIM, DMARC, HSTS and DNSSEC are all configuration — DNS records and server headers, no licences. The real costs are attention and sequence: the sender-identification work before DMARC enforcement is the only step that takes sustained effort, and it’s the one most domains stall in front of.
Which protection should come first? Enforced email authentication, because email impersonation is the attack ordinary businesses actually face. HTTPS you almost certainly have; HSTS is a one-line follow-up; DNSSEC last, and only via a provider that manages signing. Climbing floor by floor beats starting five projects at once — that’s rather the point.
Check how many of the five you hold
The gap between the 76.9% on floors 1–2 and the 3.87% who finished is not talent or budget — it’s a sequence, and every step of it is free. You can check privately and free, and see which of the 34 checks you pass and how to fix the ones you don’t.
Check your domain → · The 6 stages of DMARC maturity → · The DMARC pillar → · Aggregate data only. Data stored and processed in the EU.