
What we found scanning 30 Australian small-business websites: Q2 2026 SMB Exposure Index

A passive measurement of email-authentication, TLS, and HTTP security-header adoption across 30 publicly-registered .com.au domains. Headline: 21 of 30 have no DMARC record published.

We ran a small first-edition sample of the AttackEdge Australian SMB Exposure Index in early May 2026: 30 publicly-registered .com.au domains across web agencies, accountants, allied-health-adjacent services, real estate, ecommerce, and professional services. The full data lives at the /smb-exposure-index page; this post is a reading.

We did not log in, did not exploit, and did not actively scan anyone's systems. Each domain received the same lookups any receiving mail server or browser performs on a single visit: public DNS queries (DMARC, SPF, DKIM at common selectors, MTA-STS, MX), one TLS handshake on port 443, and one HTTPS GET to the apex. No business is named anywhere in the dataset or in this post.

Headline: 21 of 30 had no DMARC record

70% of the sample published no DMARC record at all. Of the nine that did publish a record, four were at p=none (reporting only — does not actually block anything yet) and only four were at the strongest setting, p=reject. Adoption of the strongest DMARC policy across the sample was 13%.

A missing DMARC record means anyone on the public internet can send email that looks like it comes from your domain. Receivers have no easy way to detect the spoof. This is the most common precursor to invoice-fraud attacks against Australian small businesses, where a customer pays an invoice that appears to come from a legitimate supplier but lands in a stranger's bank account. Adding the record is one DNS line; adding it well takes two-to-four weeks of monitoring before tightening the policy.

SPF and DKIM follow the same pattern

Half the sample (15 of 30) had no SPF record. About 23% had a DKIM record at one of the six common selectors we probed; some domains likely use selectors outside that list and would register as DKIM-missing under our methodology, so real adoption is probably a few points higher than reported.

SPF, DKIM, and DMARC are three records that work together. Any one of them missing weakens the protection. All three are configured in DNS by whoever manages your domain; none of them require code changes on your website.
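The passive DNS checks described above, as an added example (not AttackEdge's scanner): it classifies a domain's DMARC policy, detects SPF, and probes DKIM at a fixed selector list. It runs against a constructed in-memory zone so it works offline; the selector list and the sample domains are assumptions, and `resolve_txt` is a stand-in you would swap for a real resolver to query live DNS.

```python
import re

# Assumed selector list; the post names six common selectors but does not list them.
COMMON_DKIM_SELECTORS = ["default", "google", "selector1", "selector2", "k1", "dkim"]

# Constructed sample zone: TXT records keyed by fully-qualified name.
SAMPLE_ZONE = {
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "strict.example": ["v=spf1 include:_spf.example.net -all"],
    "google._domainkey.strict.example": ["v=DKIM1; k=rsa; p=MIIB...PLACEHOLDER"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:reports@monitor.example"],
    "monitor.example": ["v=spf1 include:_spf.example.net ~all"],
    # bare.example publishes nothing at all, like 21 of the 30 domains in the post
}

def resolve_txt(name, zone=SAMPLE_ZONE):
    """Stand-in for a DNS TXT lookup; returns [] when the name has no record."""
    return zone.get(name.lower(), [])

def dmarc_policy(domain, zone=SAMPLE_ZONE):
    """Return 'missing', 'invalid', or the p= value ('none', 'quarantine', 'reject')."""
    records = [r for r in resolve_txt(f"_dmarc.{domain}", zone)
               if r.upper().startswith("V=DMARC1")]
    if not records:
        return "missing"          # no record: receivers cannot verify the From: domain
    tags = dict(re.findall(r"\s*(\w+)\s*=\s*([^;]*)", records[0]))
    # p= is the mandatory policy tag; a record without it is treated as invalid here
    return tags.get("p", "").strip().lower() or "invalid"

def has_spf(domain, zone=SAMPLE_ZONE):
    """SPF lives in a TXT record at the apex beginning with v=spf1."""
    return any(r.lower().startswith("v=spf1") for r in resolve_txt(domain, zone))

def dkim_selectors_found(domain, zone=SAMPLE_ZONE):
    """Probe <selector>._domainkey.<domain>; a public key (p=) marks a live selector."""
    found = []
    for sel in COMMON_DKIM_SELECTORS:
        if any("p=" in r.lower() for r in resolve_txt(f"{sel}._domainkey.{domain}", zone)):
            found.append(sel)
    return found

def assess(domain, zone=SAMPLE_ZONE):
    """One passive email-authentication summary for a domain."""
    return {"domain": domain, "dmarc": dmarc_policy(domain, zone),
            "spf": has_spf(domain, zone), "dkim_selectors": dkim_selectors_found(domain, zone)}

if __name__ == "__main__":
    for d in ("strict.example", "monitor.example", "bare.example"):
        print(assess(d))
```

As with the post's methodology, a domain signing with a selector outside the probed list shows up as DKIM-missing, so treat an empty selector list as "not found at common selectors" rather than "not signing".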

13 of 30 had no resolving website

About 43% of the sampled domains either had no DNS A record for the apex or returned a TLS handshake error. We did not investigate each one individually — that would have meant going beyond passive measurement — but the pattern is consistent with stale registrations, broken hosting moves, and certificate misconfigurations that haven't been noticed because nobody is monitoring the domain.

For a small business, “your website does not load from a fresh browser session” is a security finding before it is a marketing finding. Visitors who cannot reach your site become targets for whoever ranks above you in search, including impersonators.

Security headers are missing on most reachable sites

Of the 17 domains where HTTPS was reachable, the security-header story looked like this:

  • 59% had no HSTS header.
  • 88% had no Content-Security-Policy.
  • 82% had no X-Frame-Options or modern frame-ancestors directive.
  • 76% had no X-Content-Type-Options.
  • 100% had no Referrer-Policy or Permissions-Policy.

Most of these are single-line web-server changes. None of them will break a working website if added carefully. They show up on cyber-insurance questionnaires, in larger-client procurement reviews, and in browser-vendor consoles that customers occasionally open.
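The header checks above, as an added example (not AttackEdge's scanner): it grades one HTTPS response's headers against the categories in the list, counting a CSP `frame-ancestors` directive as frame protection. It runs offline on two constructed header sets; the 180-day HSTS max-age threshold is an assumption, not a figure from the post, and `fetch_headers` is only for looking at your own site.

```python
import urllib.request

def _get(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def assess_headers(headers):
    """Return {check: True if present/adequate} for the headers the post measured."""
    csp = _get(headers, "Content-Security-Policy").lower()
    hsts = _get(headers, "Strict-Transport-Security").lower()
    max_age = 0
    for part in hsts.split(";"):
        k, _, v = part.strip().partition("=")
        if k == "max-age" and v.isdigit():
            max_age = int(v)
    return {
        "hsts": bool(hsts),
        # assumed threshold: HSTS only helps once max-age outlives the gap between visits
        "hsts_max_age_ok": max_age >= 15552000,   # 180 days
        "csp": bool(csp),
        "frame_protection": bool(_get(headers, "X-Frame-Options")) or "frame-ancestors" in csp,
        "content_type_options": _get(headers, "X-Content-Type-Options").lower() == "nosniff",
        "referrer_policy": bool(_get(headers, "Referrer-Policy")),
        "permissions_policy": bool(_get(headers, "Permissions-Policy")),
    }

def missing(headers):
    """Names of the checks that failed, in the order they are assessed."""
    return [name for name, ok in assess_headers(headers).items() if not ok]

def fetch_headers(url, timeout=10):
    """One HTTPS GET (standard library only) returning the response headers as a dict."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return dict(resp.headers.items())

# Constructed responses: a typical managed-hosting default next to a hardened one.
TYPICAL = {"Content-Type": "text/html", "Server": "nginx",
           "Strict-Transport-Security": "max-age=300"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    print("typical  missing:", missing(TYPICAL))
    print("hardened missing:", missing(HARDENED))
```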

The hopeful signs

TLS protocol adoption was good across the reachable sample: every site negotiated TLS 1.2 or TLS 1.3 by default. Thirteen of 17 defaulted to TLS 1.3, which is the modern best practice. No certificate was observed expiring within 30 days. No site in the sample still accepted TLS 1.0 or TLS 1.1. The cipher and protocol layer is the one place where AU SMB hygiene is broadly reasonable, mostly because Cloudflare and most managed hosting platforms set strong defaults that owners do not have to think about.

What to do about it

If you run a small business and you don't know whether your domain has a DMARC record, the fastest way to find out is the free tool we just shipped: /tools/dmarc-checker. Plain English, no signup, public DNS only. Works for any .com.au, .au, or other domain.

If you want to find out what else is exposed, the free check at AttackEdge runs the passive parts of a full scan in about 60 seconds. The paid plans cover the active checks (port discovery, web-server fingerprints, exposed admin panels, vulnerable software versions) and produce a report you can send to your IT or web developer with one click.

We will publish a fuller edition of the SMB Exposure Index after the first 100-250 free-check participants. The numbers above are a sample, not a definitive measure of the Australian SMB landscape.