Defaults.Exposed › Opravy › Guides
Your Insurance Renewal Is Asking About SPF, DKIM and DMARC — Here's What to Answer (2026)
Publikované 2026-07-08
Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains — we never publish an individual domain’s results. See how we grade.
The form is asking whether anyone has checked that your domain’s email can’t be faked. You can get a truthful, dated answer in two minutes with a free scan — and you’ll be far from alone: only 7.4% of the 261,086,232 domains graded in the Defaults.Exposed census (as of 2026-06-29) have the fully aligned, enforced setup insurers are really probing for.
Below: what the question means, how to get your answer in two minutes, what an honest “yes” requires for each version of the question, how to use the report with your broker — and how any gaps get fixed before the deadline.
Why is my insurance renewal asking about SPF, DKIM and DMARC?
You know the moment. Somewhere in the renewal pack is a line like “Has your domain been scanned for DMARC, SPF and DKIM hygiene in the past 12 months?” You don’t know. Nobody in the firm knows. So the email sits flagged in your inbox, quietly avoided, while the deadline gets closer.
What the insurer actually wants to know: can a criminal send email that looks exactly like it came from your firm? The most expensive small-business cyber claims are invoice fraud — a fraudster emails your client, as you, with “updated” bank details, and a five-figure euro payment goes astray. That impersonation risk is measurable from the outside, so underwriters price it.
The acronyms, once and in plain terms: SPF (Sender Policy Framework — a public list of the servers allowed to send email for your domain), DKIM (DomainKeys Identified Mail — a tamper-evident signature on each message), and DMARC (Domain-based Message Authentication, Reporting and Conformance — the published rule telling the world’s inboxes what to do with mail that fails the other two).
And why the question is on the form at all: of the 261,086,232 domains graded in the Defaults.Exposed census (as of 2026-06-29), 89.41% have no enforced DMARC policy — meaning they could be impersonated. Insurers ask because most applicants, statistically, are open. If this rings a bell from a networking event rather than a form, start with that invoice-fraud story you heard — could it happen to your firm?
Email is only one section of the questionnaire, of course. For the full list of controls insurers and enterprise buyers check on a domain — with the internet-wide pass rate for each — see what cyber-insurance and vendor questionnaires check on your domain. This page stays with the form in your inbox: what to answer, truthfully, before the deadline.
How do I find out my answer in two minutes?
You don’t need to understand a single DNS record. You need a dated, graded report.
- Run the free scan at defaults.exposed. Type your domain — the bit after the @ in your email address. It reads your domain’s public settings from the outside, the way an insurer’s scanning partner would.
- Read the grade. The report says, in plain language, whether SPF, DKIM and DMARC exist for your domain, whether they line up, and whether the policy enforces anything.
- Save the report. It’s dated. As of today, your domain has been scanned — whatever the grade, that part of the question is truthfully answerable.
The scan is free, takes about two minutes, and the data is stored and processed in the EU — relevant if your compliance answers must say where assessments happen.
What does an honest “yes” look like for each version of the question?
The honest answer differs by phrasing:
| The form asks… | A truthful “yes” requires | Where the scan gets you |
|---|---|---|
| ”Has your domain been scanned for DMARC, SPF and DKIM hygiene in the past 12 months?” | A dated scan — running one today qualifies; the report is your evidence | Yes, immediately |
| ”Do you have SPF, DKIM and DMARC in place?” | All three published for your domain | Yes if the grade shows all three |
| ”Do you enforce DMARC?” | A policy that instructs inboxes to act — the stronger yes | Only if the report says enforced; 7.4% of graded domains are there |
| ”What measures do you have against email impersonation?” | Enforced DMARC, or an honest posture description plus a remediation plan | Either is legitimate if accurate |
Two things to hold onto. First, a bad grade with a remediation plan is a legitimate, insurable answer. “We scanned, the report identified gaps, and they are being fixed” reads as a firm that checks — exactly what the question screens for. Second, never dress the answer up. A misstatement on a proposal form can void the policy, meaning the claim gets denied when you most need it.
What should I send back with the renewal?
Attach the scan report, or paste its date and grade into the answer box. Then ask your broker one question: “Does an assessed, enforced email-authentication posture affect the premium or the terms?” Some insurers take demonstrated posture into account at pricing; whether yours does is broker territory, and asking costs nothing.
Keep the report — the same evidence answers a client’s security questionnaire about email authentication, the same question arriving from a customer instead of an insurer.
Is this an EU regulation thing as well?
Partly, yes — it’s why the question keeps appearing on European renewal forms. NIS2, the EU’s security directive, expects covered organisations to manage supply-chain security (Article 21(2)(d)) and secured communications (Article 21(2)(j)), and Implementing Regulation (EU) 2024/2690 names email security among the concrete measures. European insurers increasingly mirror those expectations in their questionnaires. Does NIS2 require DMARC? covers whether it applies to your firm directly — but the direction of travel is one-way.
Can the gaps be fixed before my renewal deadline?
Almost certainly. These are settings, not purchases — a competent IT contact can usually publish or correct all three records in an afternoon, following your domain’s report and the fix DMARC steps. The one part that takes longer is moving DMARC to full enforcement without disrupting legitimate email — a staged project over some weeks, covered in from p=none to p=reject without losing legitimate email. For this year’s renewal, a dated scan plus fixes underway is available this week.
Frequently asked questions
What if my grade is bad — should I still answer? Yes, honestly. You’d be in the majority: 89.41% of the 261,086,232 domains graded in the census (as of 2026-06-29) have no enforced DMARC policy. “Scanned, gaps found, remediation underway” is an insurable answer; a polished untruth is what voids policies.
Does a scan from today count for “the past 12 months”? Yes. The question asks whether a scan happened in the 12 months before you answer — one run today sits inside that window. Answer as of the report’s date, and re-scan before next year’s renewal.
Will this lower my premium? Sometimes, and no promises. Some insurers reflect demonstrated posture in pricing or terms; others treat these questions as eligibility, not discount. Ask your broker, report attached — that’s what turns a maybe into a number, in euro.
Forward the report — the answer writes itself
You don’t need to become the DNS person. Run the free scan, then forward the report and this article to your IT contact. The report tells them exactly what’s missing; this page tells them why it’s on your renewal form. When the fixed re-scan comes back, the renewal answer writes itself: scanned, dated, graded, remediated. One flagged email in your inbox, closed.
Check your domain → · What questionnaires check on your domain → · How to fix DMARC → · Aggregate data only. Data stored and processed in the EU.