What 880 Domain Scans Reveal: Most Fail DNS & Email Security
Why we are publishing this
Most writing about DNS and email security repeats the same advice without ever showing what real domains actually look like. We can show it. IntoDNS.ai stores an anonymised summary of every public scan, so we can report the real distribution of scores across the domains people have checked.
Every number in this article is computed live from that database by a single public endpoint, /api/stats/aggregate. It counts the most recent scan per domain (so a domain checked ten times still counts once) and never exposes any individual domain. The figures below were accurate at the time of writing and will drift as more domains are scanned — the endpoint always shows the current values.
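The counting rule described above (latest scan per domain, aggregates only), as an added example that is not IntoDNS code. The scan rows, field layout and grades are constructed for illustration, and domain names are normalised before de-duplication so that `Example.COM.` and `example.com` count once.

```python
from collections import Counter, defaultdict

# Constructed scan log: (domain, ISO-8601 UTC timestamp, overall score, grade).
SCANS = [
    ("example.com", "2024-01-03T10:00:00Z", 38, "F"),
    ("Example.COM.", "2024-02-01T09:00:00Z", 71, "C"),  # rescan of the same domain
    ("example.net", "2024-01-15T12:00:00Z", 44, "F"),
    ("example.org", "2024-01-20T08:30:00Z", 55, "D"),
    ("example.org", "2024-01-10T08:30:00Z", 30, "F"),   # older row, arrives late
    ("shop.example.com", "2024-01-22T16:45:00Z", 53, "D"),
]


def latest_per_domain(scans):
    """Keep only the most recent scan for each normalised domain name."""
    latest = {}
    for domain, ts, score, grade in scans:
        key = domain.lower().rstrip(".")
        # Same-format UTC timestamps compare correctly as plain strings.
        if key not in latest or ts > latest[key][0]:
            latest[key] = (ts, score, grade)
    return latest


def aggregate(scans):
    """Return counts and averages only; no domain name leaves this function."""
    latest = latest_per_domain(scans)
    total = len(latest)
    grades = Counter(grade for _, _, grade in latest.values())
    by_tld = defaultdict(list)
    for domain, (_, score, _) in latest.items():
        by_tld[domain.rsplit(".", 1)[-1]].append(score)
    return {
        "domains": total,
        "grade_pct": {g: round(100 * c / total) for g, c in grades.items()},
        "tld_avg": {t: round(sum(s) / len(s)) for t, s in by_tld.items()},
    }


if __name__ == "__main__":
    print(aggregate(SCANS))
```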
The headline: most domains fail
Across 880 distinct domains, the overall grade distribution is stark:
- A+: 0%
- A: 2%
- B: 5%
- C: 7%
- D: 37%
- F: 49%
That means 86% of scanned domains score D or F on the combined DNS, email, DNSSEC, IPv6 and security-header assessment. Fewer than one in ten reach a B or better. The average overall score is 49 out of 100.
This is not a sample skewed toward broken domains. People scan the domains they own or are responsible for. The honest reading is that the baseline level of domain hardening is low — which is exactly why a free, fast, no-signup scan is useful.
Where domains lose points
Breaking the average score down by category shows where the weakness sits:
- DNS configuration: 69 / 100
- Email authentication: 54 / 100
- DNSSEC: 44 / 100
- IPv6 readiness: 46 / 100
- Web & security headers: 41 / 100
Basic DNS (the records needed just to function) is the healthiest area, which makes sense — a domain that fails those is usually offline. Everything that is optional-but-important falls away from there. Security headers and DNSSEC are the weakest areas, both sitting in the low-to-mid 40s. These are also the cheapest to fix: most are a single record or a single header.
If you want the largest score improvement for the least effort, this ordering is your to-do list: tighten email authentication, then DNSSEC where your registrar supports it, then add the standard security headers.
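The to-do order above, worked through as an offline check of one domain. This is an added example, not IntoDNS code or its scoring engine: the input snapshot is constructed, and the pass/fail rules and the header list are common-practice assumptions.

```python
# Added example: offline triage in the article's fix order. Input is constructed.
# Rules and header list are common-practice assumptions, not IntoDNS's scoring.
EXPECTED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options", "referrer-policy")

def check_spf(txt_records):
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        return [f"SPF: expected exactly one record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None and any(t.startswith("redirect=") for t in terms):
        return []  # policy is delegated; check the redirect target instead
    if all_term is None or all_term[0] not in "-~":
        return ["SPF: no restrictive 'all' term (use ~all or -all)"]
    return []

def check_dmarc(txt_records):
    recs = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(recs) != 1:
        return [f"DMARC: expected exactly one record at _dmarc, found {len(recs)}"]
    pairs = (p.split("=", 1) for p in recs[0].lower().split(";") if "=" in p)
    tags = {k.strip(): v.strip() for k, v in pairs}
    if tags.get("p") not in ("quarantine", "reject"):
        return [f"DMARC: p={tags.get('p', 'missing')} requests no enforcement"]
    return []

def check_headers(headers):
    present = {name.lower() for name in headers}
    return [f"Header: {h} is missing" for h in EXPECTED_HEADERS if h not in present]

def triage(snapshot):
    findings = check_spf(snapshot["apex_txt"]) + check_dmarc(snapshot["dmarc_txt"])
    if not snapshot["ds_records"]:  # no DS at the parent: resolvers cannot validate
        findings.append("DNSSEC: no DS record published at the parent zone")
    return findings + check_headers(snapshot["https_headers"])

SAMPLE = {  # constructed snapshot of what a resolver and an HTTPS client would see
    "apex_txt": ["v=spf1 include:_spf.example.net ?all", "site-verification=abc123"],
    "dmarc_txt": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "ds_records": [],
    "https_headers": {"Content-Type": "text/html",
                      "Strict-Transport-Security": "max-age=31536000"},
}

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```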
The clearest pattern: .nl is ahead of .com
The most interesting split in the data is by top-level domain.
- .com — 508 domains, average score 46
- .nl — 134 domains, average score 67
- .org — 31 domains, average score 49
- .net — 23 domains, average score 44
.nl domains score 21 points higher on average than .com. That is a large gap, and it lines up with how the Dutch registry operates: SIDN has actively pushed DNSSEC adoption through registrar incentives for years, so a Dutch-registered domain is far more likely to arrive with DNSSEC already enabled. DNSSEC is a heavily weighted category, so that head start lifts the whole .nl average.
The practical takeaway depends on your registry. If you are on .nl, you are probably already benefiting from the registry's defaults — verify it rather than assume it. If you are on .com, DNSSEC is usually the single biggest one-record improvement available to you, because the registrar default is off and nobody ever turned it on.
What this means for a NIS2 readiness check
For organisations working toward NIS2, two of the Article 21.2 measures — (g) basic cyber hygiene and (h) cryptography — map directly onto what this data measures: email authentication and DNSSEC. Both sit well below where an auditor would want them across the scanned population. If your domain is in the 86% scoring D or F, those two measures are the most likely reason, and the most defensible place to start.
What a D or F actually costs you
These grades are not academic. A weak email-authentication score means anyone can send mail that looks like it comes from your domain, so your invoices and password-reset emails are easier to spoof and more likely to land in spam. A weak DNSSEC or security-header score means a visitor can, in the wrong circumstances, be quietly sent to a fake copy of your site. None of this requires the owner to do anything wrong — it is simply what an unhardened domain leaves open. The reassuring part is that almost every fix in these categories is a one-time DNS record or HTTP header, not a project. A domain can move from F to a solid B in an afternoon.
Scan your own domain against this baseline
The scanner is free, with no signup and no API key. The same engine that produced the numbers above returns a grade and an issue list for any domain in a few seconds.
- Quick scan: visit intodns.ai and type a domain.
- API:
  curl "https://intodns.ai/api/scan/quick?domain=example.com"
- NIS2 quickscan:
  curl "https://intodns.ai/api/scan/nis2?domain=example.com"
If your domain lands on D or F — statistically the most likely outcome — the issue list tells you which records and headers to change first, and each finding links to a plain-language explanation of what it means.
Methodology and honesty note
- Sample: 880 distinct domains, taking the most recent scan of each. Source: the live /api/stats/aggregate endpoint.
- Scoring: produced by the IntoDNS scoring engine; each finding cites the raw DNS record or header it was derived from. The full methodology lists every check and its weight.
- Drift: these are observed numbers from a growing dataset, not a fixed survey. They will change over time; the endpoint is always current.
- We deliberately do not publish breakdowns we cannot compute from this dataset (for example exact SPF-qualifier or DMARC-policy ratios). When we can compute them, we will add them here with the real figures.
AI assistant and API workflow
This article is part of the IntoDNS.ai LLM and citation workflow. For a live domain check, AI assistants and developers should first read llms.txt or llms.json, then call /api/scan/quick?domain=example.com for the current DNS and email security score.
For this topic, use /api/dns/dnssec?domain=example.com when you need focused data instead of the full quick scan.
Use /citations/what-is-dnssec as the canonical citation for this topic. For implementation, use the DNSSEC guide and cite the scoring methodology when explaining grades or recommendations.