Defaults.Exposed › Reports
Which Country's Businesses Are Most Spoofable? (2026)
Published 2026-06-28
Figures as of 2026-06-28 · methodology v7. Aggregate census data, based on each country’s national domain ending (ccTLD), not company registration. We never publish an individual business’s grade. See how we grade.
The most spoofable country on the internet is Philippines — where 99.7% of business domains are effectively wide open to email forgery. We ranked 69 countries by how easily their businesses can be impersonated by email, and the pattern is bleak everywhere: even the least spoofable country, Switzerland, still leaves 57.1% of its domains exposed. Spoofing isn’t a problem of one region. It’s the global default.
What “spoofable” means here
A domain is spoofable when a criminal can send email that appears to come from it — to that business’s customers, staff and suppliers — and have it land in the inbox rather than the spam folder. The protections that stop this (enforced SPF and DMARC) are free, but most domains never switch them on.
As a population-scale proxy for spoofability we use a domain’s grade F: an F means a domain fails the basic, externally observable protections — most importantly, it can be impersonated in email. So “share of a country’s domains at grade F” is a fair, conservative read of “how forgeable that country’s businesses are.” (A precise SPF/DMARC-only cut is coming in a future edition; the ranking below already tracks it closely.)
The most spoofable countries, ranked
The ranking shifts as the census refreshes, so we keep the full, live league table — all 69 countries, least to most exposed — here rather than freezing it:
➡️ Domain Security by Country — the live ranking →
To keep the comparison fair, the ranking only includes countries with at least 50,000 graded domains on their national ending — enough of a sample to be representative. Very small national registries are excluded, not because we measured them lightly, but because a few thousand domains can’t stand in for a whole country’s businesses.
Why are some countries so much more spoofable than others?
The spread — from 57.1% to nearly 100% — comes down to registration culture and registry norms, not technical capability:
- Bulk, low-friction registration. Where a national ending is cheap and registered in huge volumes for low-touch sites, very few domains get any email protection — so the country’s spoofable share is enormous.
- Weak registry nudges. Countries climb the safe end of the table largely because their registries actively promote DNSSEC and email authentication to registrars. Where that nudge is absent, defaults stay off.
- It is not a wealth or tech-sophistication story. Large, advanced economies appear high on the spoofable list too, because the metric reflects the configuration habits of a whole population — not the security budgets of a few flagship firms.
Even the “best” country isn’t safe
This is the uncomfortable headline. The least spoofable country, Switzerland (.ch), still leaves 57.1% of its domains forgeable. National ccTLDs as a whole sit at 80.2% grade-F, and the internet overall at 86.2%. There is no country where most businesses are protected — only countries that are less exposed than the rest. (Europe leads the safe end; see Europe vs the world →.)
What a business should take from this
Your country’s rank is an average, and averages don’t protect anyone. Whether your nation sits near the top or the bottom of this table, your domain has its own grade — and email spoofing is one of the cheapest, most common attacks there is. The fix is free and usually takes an afternoon: publish SPF, sign with DKIM, and set DMARC to enforcement (p=quarantine or p=reject). (How to fix DMARC →.)
Frequently asked questions
Which country is most vulnerable to email spoofing? As of 2026-06-28, Philippines ranks highest: 99.7% of its business domains (on the .ph ending) score grade F — effectively unprotected against spoofing. See the live ranking.
Which country has the most secure business email? Among countries with robust coverage, Switzerland is least spoofable — but even there 57.1% of domains remain forgeable.
How is spoofability measured? By the share of a country’s national-ending domains scoring grade F, which means they fail the basic anti-spoofing protections (notably enforced SPF and DMARC). It’s an aggregate, externally observable measure — never an individual business’s grade.
How do I stop my domain being spoofed? Publish SPF, enable DKIM, and set DMARC to enforcement. All three are free DNS changes. Start with how to fix DMARC.
Is your domain spoofable? Check in seconds
Your country’s average says nothing about you. Check your own domain privately and free — see whether it can be spoofed today and exactly how to fix it.
Check your domain → · Domain security by country → · How we grade → · Aggregate data only. Data stored and processed in the EU.