Defaults.Exposed › Scope of Service
Scope of Service
Last updated: 2026-07-04 · Version: 1.0 (canonical; scheduled external legal/accountant review 2026-09-04)
Incorporated into the Terms of Service. Where this disclaimer and the Terms address the same point, they are intended to be read consistently; the Terms govern if there is any conflict.
The short version
- We grade the publicly visible security configuration of your domain — email authentication, DNS, certificates, and website security headers.
- We are not a penetration test, a vulnerability scan of your systems, or a malware/content scanner, and we can’t see anything behind a login.
- A good grade makes it far harder to forge mail from your exact domain and lowers your risk. It is not a promise you won’t be attacked, spoofed, or breached, and it is not insurance — a passing grade does not stop look-alike-domain, display-name, or compromised-mailbox fraud, which come through routes we don’t assess.
- Where a deliverable is marked “signed, timestamped, verifiable,” that means you can prove the
document we issued wasn’t altered and what we observed when — nothing more. It’s not a legal
opinion or an accreditation. Every sealed deliverable is signed, independently timestamped
(RFC 3161 + OpenTimestamps), and publicly checkable at its
/verifypage.
1. What we assess
Every assessment examines the externally observable configuration of a domain, readable from the public internet:
- Email authentication — SPF, DKIM, DMARC (presence, policy, alignment).
- DNS — DNSSEC, CAA, and related records.
- TLS / certificates — validity, trust, expiry.
- Website security headers — HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and the HTTP→HTTPS redirect.
We grade these against a single, published methodology — the same engine and rubric behind the free scan, the census, and every paid tier. That means the method is consistent across them; it does not guarantee identical results, because scans run at different times, from different vantage points, and configurations change between them. Every assessment is stamped with the rubric version it was run under, and every paid order pins that rubric version at purchase — so you can see exactly which rubric produced a grade, and any guarantee is judged against the version you bought, not a moving target.
2. What we do NOT do
An assessment is not, and must not be relied on as:
- a penetration test or ethical-hacking engagement;
- a vulnerability scan of your servers, applications, or network;
- a malware, phishing-content, or website-content scan;
- a review of anything behind a login, inside your network, or in your email content;
- an audit of your policies, staff, endpoints, or third-party suppliers;
- professional information-security, legal, financial, or insurance advice.
We see only what the public internet reveals. Where a report says something like “no DKIM found,” it means at the selectors we tested — a key may exist under a custom selector we did not probe. The same “observed from public records” caveat applies to every finding.
3. Point-in-time, and things change
An assessment reflects the domain’s configuration at the moment it ran. Configurations change — a later edit can raise or lower your true risk without us knowing, unless you hold an active Monitor or Fully Managed subscription (or a Grand Slam year), which is exactly what those tiers are for.
4. Security is probabilistic — a grade is not a warranty
Correctly configured email authentication (SPF, DKIM, DMARC at enforcement) makes it far harder for anyone to forge mail from your exact domain. That is a real, specific benefit — and it is the precise limit of what a grade buys you. Improving your grade does not:
- guarantee you will not be spoofed, phished, defrauded, or breached;
- warrant that your systems are “secure” in any absolute sense; or
- act as insurance against any loss.
In particular, a passing grade does not stop the most common real-world fraud routes: a look-alike domain (mail sent from a domain that merely resembles yours), display-name spoofing, or a compromised mailbox (mail sent from your genuine account by someone who has taken it over). Email authentication protects your exact domain; it does not police those other paths, and neither does any grade we issue. A high grade closes a major, common door — it does not remove every door. Where our sales pages describe wire-fraud or impersonation losses, read them alongside this section: they explain why domain forgery matters, not a promise that a grade prevents every kind of fraud.
5. About the numbers we cite
Figures on the site and in reports about industry losses, average fraud amounts, or the share of exposed domains are published-research context to explain why this matters. They are not a prediction about your specific business, a quantification of your risk, or a promise about your outcome.
Where they come from:
- “86.2% of business domains grade F” comes from the Defaults.Exposed census — our own scan of 260M+ domains, published with methodology and figures at the /data page.
- “$2.9B stolen” and ”~$137k per victim” come from the FBI IC3 2023 BEC report (business email compromise losses reported to the FBI’s Internet Crime Complaint Center).
Two rules govern how these numbers appear, so this disclaimer never has to cure an unsupported claim on its own:
- Every headline figure carries its source and date at the point it is shown — a dated citation next to the figure itself, drawn from the current census/data source, not just this scope page.
- The full “context, not prediction” wording lives in the footer / scope link, not beside the buying CTA, so it stays honest without deflating the on-page, cited, census-backed framing where a buyer is deciding.
6. What “signed, timestamped and verifiable” means
Every sealed deliverable — the Security Dossier, each monthly Monitor certificate, and each yearly
Grand Slam re-certification — is processed the same way: the evidence bundle is canonicalised and
hashed (SHA-256), signed with our Ed25519 signing key (the public key is published on the verify
page), and independently timestamped twice — by a third-party RFC 3161 timestamp authority and by
OpenTimestamps (anchored to the Bitcoin blockchain) as a second, independent anchor. Each sealed
deliverable has a public verification page at /verify/<id> that anyone can use, forever,
without an account. (The A-Grade Playbook is deliberately not sealed — it is advice, not
evidence.)
These seals let anyone confirm two things, and only these two things:
- Integrity — the specific document we issued has not been altered since we issued it.
- Observation — what the domain’s publicly observable state was at the recorded time.
They do not make the document a legal opinion, an accreditation, a compliance certification, an insurance certificate, or a statement about anything we didn’t observe. We describe such records as tamper-evident and independently verifiable — the evidence is signed and independently timestamped so anyone can verify it hasn’t been altered and that it existed at the stated time. Whether any document is admissible or persuasive in a legal process is for a court to decide, and we make no claim about that.
7. No professional-adviser relationship
Using the Services does not create a professional-adviser, fiduciary, or consultant-client relationship beyond the specific service purchased. For decisions with legal, regulatory, insurance, or material financial consequences, take advice from a suitably qualified professional. We sell business-first, to domain owners, from Defaults Exposed FZ-LLC, a UAE free-zone company — but consumer purchases are accepted, and nothing in this disclaimer removes any mandatory right consumer-protection law in your own country gives you.
8. Access prerequisites for done-for-you services
For Fix It For Me, the Grand Slam, and Fully Managed, work starts only after we confirm your domain is reachable — meaning we can work with whoever controls your DNS, registrar, and mail platform. We never ask for or accept passwords or credentials; access is by DNS delegation or guided change only.
If your registrar, DNS provider, or mail platform cannot support a required record or configuration (e.g. DNSSEC, CAA), or if you decline to grant the access the work requires, we explain the constraint before you pay and route you to the appropriate guarantee outcome rather than taking money for a result we cannot deliver. See the Refund & Guarantee Policy §4.3.