The State of Email & DNS Security 2026
We scanned 134 domains — 86 well-known brands and 48 security-niche domains — and scored each one on DNS, DNSSEC, IPv6, email authentication and web security. Snapshot dated June 10, 2026.
Grade distribution
Every domain earns a letter grade from A+ down to F. Here is how the full corpus breaks down.
Security control adoption
Share of domains that pass each control, ordered from the biggest gaps first. The controls at the top are where the corpus is weakest — and where most domains have the most to gain. Critical-severity controls are flagged.
TLD breakdown
The most common top-level domains in the corpus and how they score on average.
| TLD | Domains | Avg score |
|---|---|---|
| .com | 92 | 70 |
| .nl | 20 | 82 |
| .org | 9 | 70 |
| .io | 4 | 69 |
Hall of Fame
The domains that get it right — top scores across DNS, DNSSEC, IPv6 and email security. Each links to its full report.
| Domain | Group | Grade | Score |
|---|---|---|---|
| overheid.nl | brand | A | 95 |
| kpn.com | brand | A | 95 |
| cloudflare.com | brand | A | 92 |
| hackerone.com | security | A | 92 |
| belastingdienst.nl | brand | A | 91 |
| digid.nl | brand | A | 91 |
| redsift.com | security | A | 91 |
| internet.nl | security | A | 91 |
| rijksoverheid.nl | brand | A | 90 |
| easydmarc.com | security | A | 90 |
| ncsc.nl | security | A | 90 |
| globalcyberalliance.org | security | A | 90 |
| checkpoint.com | security | A | 90 |
| abnamro.nl | brand | C | 89 |
| politie.nl | brand | B | 89 |
| tuta.com | brand | B | 89 |
| crowdstrike.com | security | B | 89 |
| rabobank.nl | brand | C | 88 |
| postnl.nl | brand | C | 88 |
| hubspot.com | brand | B | 88 |
Methodology
This study is a fast, non-intrusive scan of a curated corpus of 134 domains — 86 well-known consumer and enterprise brands plus 48 domains in the security and infrastructure niche. We deliberately mix the two so the numbers reflect both how the mainstream web is configured and how security-focused organisations hold themselves to a higher bar.
Each domain is scored the same way the public IntoDNS.ai scanner scores any domain you enter: through DNS resolution and HTTPS probing only — no credentials, no agents, no impact on the target's servers. Scores aggregate DNS configuration, DNSSEC, IPv6 readiness, email authentication (SPF, DKIM, DMARC, MTA-STS, BIMI) and web-security controls into a single 0–100 score and a letter grade.
Because results come from a single point-in-time scan, transient resolver hiccups or rate-limiting can occasionally understate a domain. We treat inconclusive checks conservatively rather than as confident failures. This snapshot was generated on June 10, 2026. It is a benchmark of observable configuration, not an audit of internal controls or a compliance certificate.
How does your domain compare?
Scan your own domain for free and see exactly where you sit against this corpus — grade, score and a fix list for every gap. No signup required.
Building automation? The same scoring is available through the free public API and the IntoDNS MCP server for AI agents.