Defaults.Exposed

Defaults.ExposedResearch › Domain Exposure by Industry

Domain Exposure by Industry

Data as of 2026-06-29 · 11 industries · "spoofable" = lacks an enforcing DMARC policy (`quarantine`/`reject`). Aggregate only.

Across the whole census, 89.4% of domains can be impersonated in email, 42.7% accept mail with no authentication at all, and 8.8% have none of the five core protections. Here's how industry domain endings compare — lower is better.

#IndustryDomainsSpoofableMail, no authFully exposed
1AI / Technology724,28476.7%33.4%2.5%
2Healthcare43,07280.9%32.2%7.7%
3Creative170,84581.7%35.8%7%
4Agencies101,44883.5%32.6%7.3%
5Retail4,640,51485.6%52.1%8.6%
6Technology1,307,84186.7%40.7%4.3%
7Software1,642,61386.8%45.7%7.5%
8Finance26,74088.2%42.7%8.6%
9Design98,27888.9%40.7%7.3%
10Media82,35989.2%47.6%6.7%
11Gaming52,38690.4%48.7%7%

"Spoofable" = share of domains with no enforcing DMARC policy, so the visible "From" address can be forged. "Mail, no auth" = has MX records but no working SPF/DMARC. "Fully exposed" = zero of five core protections (SPF, enforced DMARC, DNSSEC, HTTPS, HSTS). The domain ending is a proxy for the country/sector, not company registration.

Averages don't tell you about your domain. Check yours free → — owner-only, with exactly what to fix.

By country · By industry · By TLD · The exposure score → · Can someone spoof your domain? →