Defaults.Exposed

Defaults.Exposed › Reports

The Internet Security Grade Curve: What an Average Domain Looks Like in 2026

Published 2026-06-28

Figures as of 2026-06-28 · methodology v7. This is a recurring report: every edition re-measures the same population, so the curve can be tracked over time. All figures are aggregate — we never publish any individual business’s grade. See how we grade for the full method.

The average domain on the internet is not secure. Across the 260 million domains we graded, the single most common grade by a wide margin is F, and the typical domain sits at a D or below. Fewer than 1 in 27 domains reach a C or better. That is the grade curve of the internet — and it bends almost entirely toward “exposed.”

What is the average domain’s security grade?

If you lined up every graded domain on Earth and walked to the middle, you would land on a domain graded F — the lowest grade. F is not a rounding artifact or a penalty for inactivity: a domain scores F when it genuinely fails the basic protections that stop its email being forged and its visitors being misled. Most of the internet simply has those protections switched off.

Here is the full distribution.

The internet’s grade distribution (260M domains)

GradeDomainsShareWhat it means
A+6,7400.0%Effectively bulletproof — passes nearly every check
A49,7620.0%Strong: email locked down, modern TLS, key DNS protections on
B1,145,9420.4%Good, with minor gaps
C8,582,1173.3%Mixed — some real protection, some real holes
D26,088,09310.0%Weak — most protections missing
F224,536,05086.2%Effectively unprotected — can be spoofed

Read down that table and the shape is unmistakable: the curve is not a bell centered on “B.” It is a cliff. 86.2% of the internet scores an F, another 10.0% scores a D, and everything above a C is a rounding error by comparison.

The internet's domain security grade curve — the grade-F bar dominates every other grade, with the median domain landing at F

How rare is a good grade?

Very. Across the whole census:

In other words, a domain that is genuinely well-configured is not the norm you are failing to meet. It is a rare exception. The good news hidden in that statistic: clearing the bar puts you ahead of the overwhelming majority of the internet, and most of the steps are free.

Why is the curve so skewed toward F?

Three reasons, and none of them are “the internet is full of hackers”:

  1. The defaults are off. When you register a domain, email authentication (SPF, DKIM, DMARC), DNSSEC, CAA and security headers are not enabled for you. Someone has to turn them on — and almost nobody does.
  2. Nobody tells the owner. A small business owner who buys a domain is never warned that, by default, criminals can send email that appears to come from their exact address. There is no error message for “your domain can be impersonated.”
  3. The protections are invisible until they fail. A missing SPF record causes no visible problem — right up until a fraudster uses your domain to invoice your customers, or your genuine email starts landing in spam.

The result is a grade curve that reflects neglect, not malice.

What an F actually means for a business

A failing grade is not an abstract score. In plain terms, an F usually means one or more of these is true of the domain:

How does the grade curve change over time?

Because the scanning fleet re-measures the population continuously, this distribution is live, not a one-off snapshot. We publish it as a recurring report so the curve can be tracked edition over edition — if the internet gets more secure, this page will show it. Compare the moving league tables here:

Frequently asked questions

What is the average domain security grade in 2026? The most common grade across the 260 million domains we measured is F, and the typical (median) domain scores a D or below. Only 0.46% of domains earn a B or better.

What percentage of websites fail basic security? As of 2026-06-28, 86.2% of graded domains score an F — effectively unprotected and able to be spoofed — and a further 10.0% score a D.

How many domains have an A grade? Only 6,740 domains earn an A+ and 49,762 earn an A — together about 0.02% of all graded domains, or roughly 1 in 4,600.

Is a low grade just because a domain is parked or inactive? No. A domain scores poorly because it genuinely fails real, externally observable checks — for example, it can be spoofed because it has no enforced SPF and DMARC. Checks that genuinely cannot be determined are marked N/A and excluded; they never count as a failure.

See where your own domain sits on the curve

These are population averages. Your domain might be one of the 0.46% that earn a B or better — or one of the 86.2% that don’t. You can check it privately and free, and see exactly which of the 34 checks you pass and how to fix the ones you don’t.

Check your domain → · How we grade → · Aggregate data only; an individual domain’s grade is shown only to its verified owner. Data stored and processed in the EU.