Defaults.Exposed

Defaults.ExposedTaisymaiGuides

A Client's Security Questionnaire Is Asking About Email Authentication — Answer It (and Fix the Gaps) in One Afternoon (2026)

Paskelbta 2026-07-08

Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains — we never publish an individual domain’s results. See how we grade.

Your client is asking because European supply-chain security rules now require them to check their suppliers. The questions have a two-minute starting point: a free scan grades exactly what they’re probing. Only 7.4% of domains have email authentication fully aligned and enforced, according to the Defaults.Exposed census of 261,086,232 domains (as of 2026-06-29) — most suppliers can’t answer “yes” yet either.

Here’s the plan for the afternoon: run the free scan, read the one-page graded report, answer honestly what’s already true, and fix the free quick wins the same day. For anything deeper, a dated report plus a short remediation note is an acceptable interim answer — and a better one than an unsupported “yes”.

Why is our biggest client suddenly asking about our email security?

It isn’t personal. If your client is in scope of NIS2 — the EU’s network and information security directive — Article 21(2)(d) obliges them to manage the security of their supply chain, and Commission Implementing Regulation (EU) 2024/2690 spells out the measures, naming email security specifically. So procurement sends every supplier a questionnaire; you may not be covered by NIS2 yourself, but this is how the obligation cascades down to you. The deadline and the consequence — staying on the approved-supplier list — exist because your client must show a regulator they did the checking. (We’ve written up what NIS2 actually says about email authentication.) Insurers now ask the same questions — if your renewal form has started too, that’s the insurance version of this afternoon.

What do the questions actually mean?

The email-security section of a typical supplier questionnaire is four questions wearing acronyms. Translated once, then we drop them.

What the questionnaire asksWhat it means in plain EnglishHow the scan report answers it
”Do you enforce a DMARC policy?” (DMARC — Domain-based Message Authentication, Reporting and Conformance)Have you told the world’s mail servers to refuse email that fakes your domain? The row most suppliers fail: only 7.4% of 261,086,232 graded domains have this aligned and enforced (census as of 2026-06-29).States and grades your policy. “Enforced” means reject or quarantine; “monitoring only” blocks nothing yet — say which, honestly.
”Is SPF configured with a restrictive policy?” (SPF — Sender Policy Framework)Have you published the list of servers allowed to send email as your company — and does it end firmly (“no one else”) or with a shrug (“and maybe others”)?Shows whether the list exists, is valid, and ends firmly or softly.
”Are outbound emails digitally signed (DKIM)?” (DKIM — DomainKeys Identified Mail)Does your email carry a tamper-evident signature proving it came from your domain — in your name, not your provider’s default?Shows whether a signature exists in your domain’s name — the provider-default trap is the most common gap the scan finds.
”Do you monitor for domain spoofing?”If someone sent fake email as you, would you find out — or would the first sign be an angry phone call?Shows whether the reporting address is switched on, so impersonation attempts reach you.

Every one of these is answered from your domain’s public settings — no audit, no agency, no access to your systems. That’s why the afternoon plan works. These four are also just the email rows of a longer list: what cyber-insurance and vendor questionnaires check on your domain tables every control they probe, with the internet-wide pass rate for each. This page stays with your afternoon — what to answer, and what to fix first.

How do we answer it by the deadline? The one-afternoon plan

  1. Run the free scan at defaults.exposed — two minutes, before anyone touches anything. It reads your domain’s public settings and grades exactly the four areas above. No signup, no access to your email.
  2. Read the graded report. One page, plain language, dated — each grade maps onto a questionnaire question, so you know your real answers instead of guessing.
  3. Answer what’s already true. Where the report shows a pass, say yes and say why (“verified by independent scan,” with the date).
  4. Fix the free quick wins the same day. The common gaps are settings, not purchases: a sender list that ends softly (the SPF fix), a spoofing rule missing or stuck in monitoring mode (the DMARC fix), a signature in the provider’s default name. All free, mostly one DNS record each — forward the fix page to whoever manages your domain, and several “no” answers become “yes” before the form goes back.
  5. For anything deeper, send the dated report with a remediation note. Moving to a fully enforced policy properly takes weeks of monitoring first — never claim it’s done when it isn’t. “Independent scan attached; enforcement rollout in progress, target September” is an acceptable interim answer to any competent procurement team. A false “yes” is not: procurement teams re-check, often with exactly this kind of scan.

Can this questionnaire actually work in our favour?

Yes — because of what everyone else sends back. Most suppliers answer with a bare “yes” and nothing behind it, while only 7.4% of 261,086,232 graded domains actually have the aligned-and-enforced posture being probed (census as of 2026-06-29). A dated, independently graded report — even one showing a gap and a remediation date — beats an unsupported “yes”, because one is verifiable and the other is hope. You’re not being asked to be perfect; you’re being asked to be checkable. Few of your competitors on that list will be.

And if what’s really nagging you is that invoice-fraud story from the networking event — same settings, same two-minute check.

Frequently asked questions

What if I can’t fix everything before the deadline? Send what’s true: the dated report, what you fixed this week, and a dated plan for the rest. NIS2 supply-chain reviewers assess whether suppliers manage risk, not whether they’re flawless — a graded report with a remediation note is risk management, in writing. What fails reviews is silence, or a claim that doesn’t survive a re-check.

Can my IT contractor handle this? The free settings, yes — the sender list, your own signature, the spoofing rule are routine DNS work, and the fix pages above are written for that hand-off. What contractors reasonably call beyond their remit is the judgement layer: which policy to enforce, when it’s safe to tighten, what to tell the client meanwhile. The graded report turns those calls into a document, so neither of you is improvising.

Will they really drop us as a supplier? For a blank response or a caught false claim — eventually, yes; the client has a regulator to answer to. For an honest gap with a remediation date — very unlikely: across all 261,086,232 graded domains, only 10.59% enforce the spoofing policy these questionnaires ask about (census as of 2026-06-29). Honest-with-a-plan keeps you on the list.

We’re not covered by NIS2 — can we ignore the questionnaire? The obligation is your client’s, and they discharge it by choosing checkable suppliers. The room to stand out is enormous: only 7.4% of all 261,086,232 graded domains have email authentication aligned and enforced (census as of 2026-06-29). One afternoon puts you ahead of nearly every other name on that supplier list.

Forward the report to your IT contact

Don’t retype any of this. Run the free scan, then forward two things to whoever looks after your domain: the graded report and this article. The report says exactly which settings to change; the fix pages give the steps. When the corrected report comes back, the questionnaire answers write themselves — grade by grade. Then file it: the next client will ask the same four things, your insurance renewal already does, and a dated report you can attach in five minutes is the difference between an afternoon and a fire drill.

Check your domain → · What questionnaires check on your domain → · That invoice-fraud story you heard → · Aggregate data only. Data stored and processed in the EU.