Methodology — how we grade
Every domain is graded across 34 checks (25 that count toward the grade + 9 informational) in five categories: email security, TLS & certificates, web security, DNS security, and infrastructure. Here is exactly how it works — no black box.
How grading works
Each check returns pass, fail, or N/A. A domain's score is the share of points it earns across the checks that apply to it, mapped to a letter grade:
| Grade | Score |
|---|---|
| A+ | 95% + |
| A | 90% + |
| B | 80% + |
| C | 70% + |
| D | 60% + |
| F | below 60% |
Grades are also relative — a percentile shows where a domain stands against the population of its TLD, not just against a fixed checklist.
The no-data rule (N/A never counts as a fail)
If a check genuinely can't be evaluated (a timeout, a redacted record), it's marked N/A and excluded from the score — it never counts against you. That's different from a real failure (no DMARC, no HTTPS), which is a genuine fail. A domain with no SPF/DMARC rightly scores poorly: it can be spoofed.
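The scoring and no-data rules above, as an added worked example (not the service's own code): scored checks in pass/fail/N/A form, N/A excluded from both numerator and denominator, informational checks ignored, the letter bands from the table, and a population percentile. The sample results and population scores are constructed.

```python
from dataclasses import dataclass

# Result states a single check can return.
PASS, FAIL, NA = "pass", "fail", "na"

# Letter-grade thresholds from the methodology table, tested in order.
GRADE_BANDS = [("A+", 95.0), ("A", 90.0), ("B", 80.0), ("C", 70.0), ("D", 60.0)]


@dataclass(frozen=True)
class CheckResult:
    name: str
    result: str    # PASS, FAIL or NA
    scored: bool   # False for the informational checks


# Constructed sample: one N/A (timeout) and one informational fail.
SAMPLE_RESULTS = [
    CheckResult("SPF record", PASS, True),
    CheckResult("DMARC policy", FAIL, True),
    CheckResult("DKIM", NA, True),               # lookup timed out: excluded
    CheckResult("HTTPS available", PASS, True),
    CheckResult("OCSP stapling", FAIL, False),   # informational: never counts
]


def letter_grade(pct):
    for grade, threshold in GRADE_BANDS:
        if pct >= threshold:
            return grade
    return "F"


def score_domain(results):
    """Return (score_percent, grade, applicable_count).

    N/A checks drop out of both numerator and denominator, so they never
    act as a fail. If nothing could be evaluated the score is None, not 0.
    """
    applicable = [r for r in results if r.scored and r.result != NA]
    if not applicable:
        return None, "N/A", 0
    passed = sum(1 for r in applicable if r.result == PASS)
    pct = 100.0 * passed / len(applicable)
    return pct, letter_grade(pct), len(applicable)


def percentile(score, population_scores):
    """Share of the TLD population scoring strictly below this domain."""
    if score is None or not population_scores:
        return None
    below = sum(1 for s in population_scores if s < score)
    return 100.0 * below / len(population_scores)
```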
Principles
- Independent & external. We measure what anyone on the internet can observe — no access to your systems required.
- Aggregate-only in public. We publish patterns (by TLD, country, industry). An individual domain's grade is shown only to its verified owner — never publicly.
- Transparent. The full check list is below; the fixes are free.
- EU-processed. Data is processed in the EU.
The 34 checks
Each check, what it means for your business, and whether it counts toward your grade. Follow a link for the full "what it costs you + how to fix it" guide.
Email security
Whether your domain can be impersonated in email, and whether your own mail reaches the inbox.
| Check | What it means for your business | In your grade? |
|---|---|---|
| SPF record | Stops criminals sending email that looks like it's from you, and helps your mail reach the inbox. | Scored |
| SPF policy strength | A weak SPF only warns; a strict one actually blocks forgeries. | Scored |
| DMARC policy | The instruction that tells mail providers to reject impersonated email — the core anti-spoofing control. | Scored |
| DMARC reporting | Reports who's sending mail as you, so you spot abuse and misconfiguration. | Scored |
| DKIM | A cryptographic signature proving mail is genuinely from you; boosts deliverability. | Scored |
| MX records | Whether your domain is correctly set up to receive email at all. | Scored |
| Reverse DNS (PTR) | Helps your mail server look legitimate so messages aren't junked. | Scored |
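How the SPF record, SPF policy strength, DMARC policy and DMARC reporting checks can be evaluated from a domain's TXT records, as an added example that is not the service's own code. The records are constructed, no DNS lookup is performed, and the pass thresholds (strict means `-all`; policy passes on `quarantine`/`reject`; reporting passes when `rua` is set) are this example's assumptions, since the service does not publish its exact cut-offs.

```python
# Constructed example TXT records (not any real domain's data).
SAMPLE_SPF_STRICT = "v=spf1 include:_spf.example.net ip4:192.0.2.10 -all"
SAMPLE_SPF_SOFT = "v=spf1 include:_spf.example.net ~all"
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
SAMPLE_DMARC_NONE = "v=DMARC1; p=none"


def spf_strength(txt_records):
    """Classify SPF as 'missing', 'weak' (~all, ?all, no all) or 'strict' (-all)."""
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return "missing"   # absent or duplicated SPF: receivers cannot use it
    for mechanism in spf[0].split()[1:]:
        if mechanism.lstrip("+-~?").lower() == "all":
            # The qualifier on 'all' decides what happens to unlisted senders.
            return "strict" if mechanism.startswith("-") else "weak"
    return "weak"          # no 'all' mechanism: unlisted senders are neutral


def parse_dmarc(txt_records):
    """Return DMARC tags as a dict, or None when no single valid record exists."""
    recs = [t for t in txt_records
            if t.upper().replace(" ", "").startswith("V=DMARC1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_checks(txt_records):
    """Return (policy_pass, reporting_pass) for the two DMARC checks."""
    tags = parse_dmarc(txt_records)
    if tags is None:
        return False, False
    policy_pass = tags.get("p", "none").lower() in ("quarantine", "reject")
    reporting_pass = tags.get("rua", "") != ""
    return policy_pass, reporting_pass
```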
TLS & certificates
The padlock — whether traffic to your site is encrypted with a valid, modern certificate.
| Check | What it means for your business | In your grade? |
|---|---|---|
| HTTPS available | Without it, browsers warn visitors "Not secure" and they leave. | Scored |
| Certificate valid | A trusted, correctly-issued certificate; an invalid one throws scary browser warnings. | Scored |
| Certificate expiry | A certificate about to expire takes your site offline with a full-page warning. | Scored |
| Signature algorithm | Uses a modern, unbroken signing algorithm (not legacy SHA-1). | Scored |
| Key strength | Adequate key length so the encryption can't be brute-forced. | Scored |
| TLS version | Modern TLS (1.2/1.3); old versions are broken and fail security reviews. | Scored |
| Cipher strength | Strong encryption protecting data in transit. | Scored |
| TLS compression | Compression disabled to avoid a known attack class. | Informational |
| OCSP stapling | Faster, more private certificate-revocation checks. | Informational |
| Secure renegotiation | Protects against a TLS renegotiation attack. | Informational |
Web security
The HTTP headers that protect your visitors' browsers from common attacks.
| Check | What it means for your business | In your grade? |
|---|---|---|
| HSTS | Forces the secure padlock every visit so customers can't be downgraded to an insecure connection. | Scored |
| HTTP→HTTPS redirect | Sends visitors who arrive on http straight to the secure version. | Scored |
| Content-Security-Policy | Reduces the chance a hacked or injected script steals customer data off your site. | Scored |
| Clickjacking protection | Stops attackers embedding your site to trick your customers into clicking things. | Scored |
| MIME-sniffing protection | Stops browsers mis-reading files in ways attackers can abuse. | Scored |
| Referrer-Policy | Controls what address info leaks to other sites when visitors click away. | Scored |
| Cross-origin headers (COOP/CORP/COEP) | Advanced isolation that hardens against cross-site data leaks. | Informational |
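The header-based checks in this table (HSTS, Content-Security-Policy, clickjacking, MIME sniffing, Referrer-Policy) evaluated against a captured response's headers, as an added example that is not the service's own code. Both header sets are constructed; treating `max-age=0`, a missing `frame-ancestors`/`X-Frame-Options`, and the leaky `unsafe-url` / `no-referrer-when-downgrade` referrer policies as failures are this example's assumptions. The redirect check needs a live request and is left out.

```python
import re

# Constructed example responses (not captured from any real site).
SAMPLE_HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
SAMPLE_WEAK = {
    "Strict-Transport-Security": "max-age=0",      # present but disabled
    "X-Frame-Options": "ALLOWALL",                 # not a valid protective value
    "Referrer-Policy": "unsafe-url",               # leaks the full URL
}


def check_hsts(h):
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    return bool(m) and int(m.group(1)) > 0


def check_csp(h):
    return h.get("content-security-policy", "").strip() != ""


def check_clickjacking(h):
    # Either a restrictive X-Frame-Options or a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "").lower()
    return xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp


def check_nosniff(h):
    return h.get("x-content-type-options", "").strip().lower() == "nosniff"


def check_referrer(h):
    v = h.get("referrer-policy", "").strip().lower()
    return v != "" and v not in ("unsafe-url", "no-referrer-when-downgrade")


def web_checks(headers):
    """Map each web-security check name to pass (True) or fail (False)."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    return {
        "HSTS": check_hsts(h),
        "Content-Security-Policy": check_csp(h),
        "Clickjacking protection": check_clickjacking(h),
        "MIME-sniffing protection": check_nosniff(h),
        "Referrer-Policy": check_referrer(h),
    }
```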
DNS security
Whether your domain's foundations can be hijacked or knocked offline.
| Check | What it means for your business | In your grade? |
|---|---|---|
| CAA records | Stops anyone but your chosen provider issuing SSL certificates for your domain. | Scored |
| DNSSEC (DS) | Stops attackers hijacking your domain to send visitors to a fake copy of your site. | Scored |
| DNSSEC (DNSKEY) | The signing key that makes DNSSEC protection actually work. | Scored |
| Nameserver diversity | Multiple independent nameservers so one outage doesn't take you offline. | Scored |
| SOA configuration | A correctly configured DNS "start of authority" record. | Scored |
| IPv6 support | Reachable over the modern internet protocol. | Informational |
Infrastructure
Context about where and how your site is hosted (informational — these never change your grade).
| Check | What it means for your business | In your grade? |
|---|---|---|
| CDN / WAF detection | Whether a content-delivery network / web-application firewall is protecting your site. | Informational |
| Hosting provider | Identifies where your site is hosted. | Informational |
Want to see where your own domain stands across all 34? Run the free check → (private; we only ever show a domain's grade to its verified owner).