The State of Domain Security 2026
Published 2026-06-27
Figures as of 2026-06-27 · methodology v7. This is a recurring report; each edition re-measures the same population so the numbers can be tracked over time. All figures are aggregate — we never publish an individual business’s grade.
.com is fully graded (129M domains) and included in the totals below.
The headline: most of the internet fails basic domain security
We measured 261,752,302 live domains across 34 security checks — email authentication (SPF, DKIM, DMARC), TLS and certificates, web-security headers, and DNS (including DNSSEC). The result is stark:
- 86.3% score an F — the lowest grade.
- Fewer than 0.02% earn an A or A+ — roughly 1 in 4,700 domains.
- Only about 1 in 27 reach a C or better.
This isn’t a story about a few neglected sites. It’s the default state of the internet: the protections that stop your email being forged and your visitors being misled are simply not switched on for the overwhelming majority of domains.
Grade distribution (262M domains)
| Grade | Domains | Share |
|---|---|---|
| A+ | 6,708 | 0.0% |
| A | 49,443 | 0.0% |
| B | 1,142,198 | 0.4% |
| C | 8,566,735 | 3.3% |
| D | 26,225,422 | 10.0% |
| F | 225,761,796 | 86.3% |
It varies a lot by country and TLD
Domain security varies widely by country and by domain ending. Established national registries — especially in Europe — tend to protect their businesses best, while cheap, high-volume generic endings popular for bulk registration do worst. But “best” is relative: even the strongest endings still leave most of their domains at an F.
These rankings shift as the census grows, so we keep them live rather than freezing them here.
What this means for your business
A failing grade isn’t an abstract score. In plain terms it usually means one or more of these is true of your domain:
- Your email can be forged. Without enforced SPF and DMARC, a criminal can send email that looks exactly like it came from you — to your customers, staff and suppliers — and it lands in the inbox. That’s how fake-invoice and CEO-fraud scams work.
- Your real email is more likely to be junked. Google and Yahoo increasingly distrust unauthenticated domains, so your genuine quotes and invoices quietly land in spam.
- You’ll fail other people’s security checks. Bigger customers run a quick scan before they sign. “Domain not protected — can be spoofed” is enough to lose the deal.
- Your site can warn visitors away. A missing or broken certificate shows shoppers a red “Not secure” page.
The encouraging part: most of these are free and quick to fix — usually a few lines in your domain’s settings. The barrier is almost never cost; it’s that nobody told the owner it mattered.
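What "enforced" means at the record level, as an added example (not the report's own code or grading logic): the Python below classifies published SPF and DMARC TXT records. The verdict labels, the combined rule in `spoofing_protection` and the sample records are assumptions made for this illustration.

```python
# Added example. Record strings are constructed; verdict labels are this example's own.

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a lower-cased dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def dmarc_verdict(txt_records):
    """Classify the TXT strings published at _dmarc.<domain>."""
    found = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(found) != 1:
        return "invalid-multiple" if found else "missing"
    tags = parse_tags(found[0])
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return "invalid-policy"
    if policy == "none":
        return "monitor-only"  # reports only; failing mail is still delivered
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "partial"  # policy applied to only a share of failing mail
    return "enforced"

def spf_verdict(txt_records):
    """Classify the TXT strings published at the domain apex."""
    found = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        return "invalid-multiple" if found else "missing"
    terms = found[0].lower().split()[1:]
    for term in terms:  # the first 'all' decides; later terms are ignored
        if term in ("all", "+all"):
            return "allows-anyone"
        if term in ("-all", "~all", "?all"):
            return {"-": "hard-fail", "~": "soft-fail", "?": "neutral"}[term[0]]
    if any(t.startswith("redirect=") for t in terms):
        return "delegated"  # outcome depends on the redirect target's record
    return "neutral"  # no 'all' and no redirect: default result is neutral

def spoofing_protection(spf_txt, dmarc_txt):
    """Example's own conservative rule, not the report's grading."""
    spf, dmarc = spf_verdict(spf_txt), dmarc_verdict(dmarc_txt)
    enforced = dmarc == "enforced" and spf in ("hard-fail", "soft-fail")
    return {"spf": spf, "dmarc": dmarc, "enforced": enforced}

if __name__ == "__main__":
    # Constructed sample records for a placeholder domain.
    print(spoofing_protection(["v=spf1 include:_spf.example.net -all"],
                              ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]))
    print(spoofing_protection(["v=spf1 mx ~all"], ["v=DMARC1; p=none"]))
```

A `monitor-only` or `partial` DMARC verdict is the common case where a record exists but forged mail is still delivered.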
How we measured it
- 34 checks, externally observable — no access to anyone’s systems required. (Full methodology.)
- Pass / fail / N/A. Where a check genuinely can’t be determined it’s marked N/A and excluded — it never counts as a failure.
- A real failure is a real failure. A domain with no SPF/DMARC scores poorly because it can genuinely be spoofed — not because of how we counted.
- Aggregate only. These are population patterns; an individual domain’s grade is shown only to its verified owner.
- Data is stored and processed within the EU.
(A future edition will add the share of domains that publish no email-spoofing protection at all, once that per-check cut completes across the full population.)
See where your own domain stands
These are averages. Your domain might be one of the 0.02% that earn an A — or one of the 86.3% that don’t. You can check it privately and free, and see exactly which of the 34 checks you pass and how to fix the ones you don’t.