Defaults.Exposed › Research › Domain Exposure by Industry
Domain Exposure by Industry
Data as of 2026-06-29 · 11 industries · "spoofable" = lacks an enforcing DMARC policy (`quarantine`/`reject`). Aggregate only.
Across the whole census, 89.4% of domains can be impersonated in email, 42.7% accept mail with no authentication at all, and 8.8% have none of the five core protections. Here's how industry domain endings compare — lower is better.
| # | Industry | Domains | Spoofable | Mail, no auth | Fully exposed |
|---|---|---|---|---|---|
| 1 | AI / Technology | 724,284 | 76.7% | 33.4% | 2.5% |
| 2 | Healthcare | 43,072 | 80.9% | 32.2% | 7.7% |
| 3 | Creative | 170,845 | 81.7% | 35.8% | 7% |
| 4 | Agencies | 101,448 | 83.5% | 32.6% | 7.3% |
| 5 | Retail | 4,640,514 | 85.6% | 52.1% | 8.6% |
| 6 | Technology | 1,307,841 | 86.7% | 40.7% | 4.3% |
| 7 | Software | 1,642,613 | 86.8% | 45.7% | 7.5% |
| 8 | Finance | 26,740 | 88.2% | 42.7% | 8.6% |
| 9 | Design | 98,278 | 88.9% | 40.7% | 7.3% |
| 10 | Media | 82,359 | 89.2% | 47.6% | 6.7% |
| 11 | Gaming | 52,386 | 90.4% | 48.7% | 7% |
"Spoofable" = share of domains with no enforcing DMARC policy, so the visible "From" address can be forged. "Mail, no auth" = has MX records but no working SPF/DMARC. "Fully exposed" = zero of five core protections (SPF, enforced DMARC, DNSSEC, HTTPS, HSTS). The domain ending is a proxy for the country/sector, not company registration.
Averages don't tell you about your domain. Check yours free → — owner-only, with exactly what to fix.
By country · By industry · By TLD · The exposure score → · Can someone spoof your domain? →