Defaults.Exposed

Defaults.ExposedResearch › Domain Exposure by TLD

Domain Exposure by TLD

Data as of 2026-06-29 · 108 TLDs · "spoofable" = lacks an enforcing DMARC policy (`quarantine`/`reject`). Aggregate only.

Across the whole census, 89.4% of domains can be impersonated in email, 42.7% accept mail with no authentication at all, and 8.8% have none of the five core protections. Here's how top-level domains compare — lower is better.

Least exposed TLDs

#TLDDomainsSpoofableMail, no authFully exposed
1.ch1,386,29867.1%17.3%0.7%
2.nl2,936,67370.6%17.8%1%
3.pl1,539,25976.6%16.4%0.7%
4.ai724,28476.7%33.4%2.5%
5.email101,34277.6%28.5%8.7%
6.no431,78678.1%29.3%2.8%
7.de8,732,11678.6%24.8%2.5%
8.dk609,19880.1%47.3%1.1%
9.in2,153,22580.7%38.2%3.5%
10.co1,972,06881.5%34%5.2%
11.gr356,64181.7%16.9%0.5%
12.studio170,84581.7%35.8%7%
13.eu1,544,51081.8%29.7%1.8%
14.sg101,01282.8%28.6%1.5%
15.sk277,66283.3%17.3%1%

Most exposed TLDs

#TLDDomainsSpoofableMail, no authFully exposed
1.ph4,313,04799.8%99%0.1%
2.cyou239,97999.1%68.5%16.2%
3.xn--p1ai369,50998.8%60.1%2.2%
4.cfd301,10398.8%69.6%3.2%
5.cn2,140,75098.5%92.4%5.8%
6.bond113,39098.5%85.1%13.8%
7.icu250,24898.3%84.6%20.7%
8.kr377,60698.1%58.3%3.8%
9.sbs537,27997.2%73.8%6.3%
10.lol253,79697.2%74.1%8.9%
11.ru2,938,35696.8%46.8%2.6%
12.top3,213,01096.8%87.7%18.8%
13.cc1,153,77696.2%78.8%5.9%
14.vn320,45796%59.5%9%
15.ua300,50095.4%42.8%2.3%

"Spoofable" = share of domains with no enforcing DMARC policy, so the visible "From" address can be forged. "Mail, no auth" = has MX records but no working SPF/DMARC. "Fully exposed" = zero of five core protections (SPF, enforced DMARC, DNSSEC, HTTPS, HSTS).

Averages don't tell you about your domain. Check yours free → — owner-only, with exactly what to fix.

By country · By industry · By TLD · The exposure score → · Can someone spoof your domain? →