Headline finding

Three numbers worth knowing.

DMARC is a single DNS TXT record. The most common gaps cost nothing to fix, yet each one leaves every customer open to a spoofed email.

No DMARC
70%

21 of 30 sampled domains have no DMARC record published. Without a policy, receiving servers have no instruction to reject mail that fails SPF and DKIM, so anyone on the public internet can send email that looks like it comes from them.

Site unreachable
43%

13 of 30 domains either had no resolving DNS for the apex or returned a TLS handshake error. Visitors cannot reach the site from a fresh browser session.

No CSP
88%

15 of 17 HTTPS-reachable domains ship no Content-Security-Policy header. One response header that blocks broad categories of browser-side attack, though a policy strict enough to be useful usually needs some tuning against the site's own scripts and resources.

Email authentication

SPF, DKIM, DMARC across the sample.

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) are the three records that tell receiving mail servers whether a message claiming to be from a domain is real. All three exist as DNS records published by the domain owner.

Finding                                   Sample            Comment
No DMARC record published                 21 of 30 · 70%    Domain can be spoofed by anyone on the public internet; receivers get no policy telling them to reject.
DMARC published with policy=none          4 of 30 · 13%     Reporting only; does not protect recipients yet.
DMARC published with policy=quarantine    1 of 30 · 3%      Spoofed mail is flagged as suspicious (typically sent to spam) rather than rejected.
DMARC published with policy=reject        4 of 30 · 13%     Strongest setting; blocks spoofed mail.
No SPF record published                   15 of 30 · 50%    Receivers cannot tell which servers are allowed to send for the domain.
No DKIM (default selectors)               23 of 30 · 77%    We checked the most common selectors only. Real adoption is likely a few points higher where uncommon selectors are used.
No MTA-STS policy                         30 of 30 · 100%   Mail-in-transit downgrade protection; rarely deployed at this scale.
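The classification behind the table above, as an added example rather than the report's own script: it looks up SPF at the apex, DMARC at _dmarc.<domain>, DKIM at the default selectors listed in the methodology, and the DNS half of MTA-STS, and reduces each to the categories the table counts. DNS lookups are passed in as a function so the code runs offline against a constructed zone for three hypothetical domains under the reserved .example TLD; a real resolver (for example dnspython's resolve(name, "TXT")) can be substituted to run it against a live domain list.

```python
"""Classify a domain's email-authentication posture from DNS TXT records.

Added example, not the report's own script. DNS lookups are injected as a
function so the code runs offline against the constructed ZONE below.
"""
from typing import Callable, Dict, List, Optional

# Default selectors the methodology section says were probed.
DKIM_SELECTORS = ("default", "selector1", "selector2", "google", "k1", "s1")

# A lookup maps a DNS name to its TXT strings; an empty list means no record.
Lookup = Callable[[str], List[str]]


def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_status(lookup: Lookup, domain: str) -> str:
    """RFC 7208 allows exactly one v=spf1 record; two or more is a permerror."""
    spf = [t for t in lookup(domain) if t.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"
    return "present"


def dmarc_policy(lookup: Lookup, domain: str) -> Optional[str]:
    """Effective p= policy (none/quarantine/reject), or None when absent or invalid."""
    records = [t for t in lookup(f"_dmarc.{domain}") if t.upper().startswith("V=DMARC1")]
    if len(records) != 1:
        return None  # no record, or duplicates, which receivers treat as no policy
    tags = parse_tags(records[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return None  # p= is mandatory; a record without it is not a valid policy
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) == 0:
        return "none"  # pct=0 publishes a policy but applies it to no mail
    return policy


def dkim_selector(lookup: Lookup, domain: str) -> Optional[str]:
    """First default selector with a published, non-empty public key."""
    for selector in DKIM_SELECTORS:
        for txt in lookup(f"{selector}._domainkey.{domain}"):
            if parse_tags(txt).get("p"):  # an empty p= means the key was revoked
                return selector
    return None


def mta_sts_published(lookup: Lookup, domain: str) -> bool:
    """Only the DNS half of MTA-STS; the policy file itself is served over HTTPS."""
    return any(t.upper().startswith("V=STSV1") for t in lookup(f"_mta-sts.{domain}"))


def classify(lookup: Lookup, domain: str) -> Dict[str, object]:
    """One row of findings for a domain, in the categories the table counts."""
    return {
        "spf": spf_status(lookup, domain),
        "dmarc": dmarc_policy(lookup, domain),
        "dkim_selector": dkim_selector(lookup, domain),
        "mta_sts": mta_sts_published(lookup, domain),
    }


# Constructed zone data for three hypothetical domains (the DKIM key is a truncated placeholder).
ZONE: Dict[str, List[str]] = {
    "bare.example": ["v=spf1 include:_spf.mail.example -all"],          # SPF only, no DMARC
    "weak.example": ["v=spf1 -all", "v=spf1 +all"],                     # two SPF records: permerror
    "_dmarc.weak.example": ["v=DMARC1; p=reject; pct=0; rua=mailto:dmarc@weak.example"],
    "good.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "selector1._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN"],
    "_mta-sts.good.example": ["v=STSv1; id=20240101T000000"],
}


def zone_lookup(name: str) -> List[str]:
    """Offline stand-in for a DNS resolver."""
    return ZONE.get(name.lower(), [])


if __name__ == "__main__":
    for d in ("bare.example", "weak.example", "good.example"):
        print(d, classify(zone_lookup, d))
```

Two details worth keeping when running this against real domains: a DMARC record with pct=0 or with two SPF records at the apex will count as protected by a naive "is there a record" check but gives receivers nothing to enforce, and a published DKIM key only shows that a selector exists, not that outgoing mail is actually signed with it.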
TLS and HTTP headers

Web posture on the reachable sites.

The stats below count the 17 of 30 domains whose website was reachable on HTTPS during the scan window. The remaining 13 had no resolving DNS for the apex or returned a TLS handshake error, which is itself a finding (visitors cannot reach the site at all from a fresh browser session).

Finding                                       Sample            Comment
Domain not resolvable or HTTPS unreachable    13 of 30 · 43%    DNS missing, certificate broken, or website moved without a DNS update. A finding in itself.
No HSTS header                                10 of 17 · 59%    Without it the browser still tries plain HTTP first on later visits when no scheme is typed.
No Content-Security-Policy header             15 of 17 · 88%    No browser-side limit on which scripts and resources the page may load.
No X-Frame-Options or frame-ancestors         14 of 17 · 82%    The page can be framed by any other site (clickjacking).
No X-Content-Type-Options header              13 of 17 · 76%    Browsers may sniff a response into a type the server did not declare.
No Referrer-Policy header                     17 of 17 · 100%   Browser defaults decide how much of the page URL is sent to third-party sites in the Referer header.
No Permissions-Policy header                  17 of 17 · 100%   No restriction on browser features (camera, microphone, location) for the page or its frames.
HTTP does not redirect to HTTPS               3 of 17 · 18%     A visitor who types the bare domain stays on plain HTTP; on untrusted Wi-Fi that traffic can be read or altered.
  • All 17 HTTPS-reachable domains accepted TLS 1.2 or TLS 1.3.
  • 13 of 17 negotiated TLS 1.3 by default; the remainder negotiated TLS 1.2.
  • No certificates were observed expiring within 30 days.
  • No TLS 1.0 or TLS 1.1 was negotiated by any sampled domain.
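The header checks in the table above, written out as an added example (not the report's script). It parses a raw HTTP response, reports each missing header in the table's own wording, treats Content-Security-Policy-Report-Only as absent because it enforces nothing, accepts either X-Frame-Options or a CSP frame-ancestors directive as framing protection, and checks a plain-HTTP response for a redirect to https://. The responses are constructed for a hypothetical site, not captured from any sampled domain; the one-year HSTS max-age threshold is common deployment guidance, not something the report measured.

```python
"""Audit security headers on an HTTPS response and the HTTP-to-HTTPS redirect.

Added example, not the report's own script. Works on raw response text so it
runs offline; feed it the output of a single GET (urllib, or curl -i) for a
live check.
"""
import re
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # seconds; the usual minimum HSTS max-age (guidance, not measured)


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Split a raw HTTP/1.x response into status code and lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def csp_directives(policy: str) -> Dict[str, str]:
    """Map each CSP directive name to its source list."""
    out: Dict[str, str] = {}
    for directive in policy.split(";"):
        parts = directive.strip().split(None, 1)
        if parts:
            out[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return out


def audit_https(raw: str) -> List[str]:
    """Return the findings from the header table that apply to this response."""
    _, h = parse_response(raw)
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if not hsts:
        findings.append("No HSTS header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")

    # Report-Only CSP is telemetry, not enforcement, so only the enforcing header counts.
    csp = h.get("content-security-policy")
    if not csp:
        findings.append("No Content-Security-Policy header")

    # Either mechanism stops the page being framed; frame-ancestors wins when both exist.
    framed_ok = "x-frame-options" in h or bool(csp and "frame-ancestors" in csp_directives(csp[0]))
    if not framed_ok:
        findings.append("No X-Frame-Options or frame-ancestors")

    if not any(v.lower() == "nosniff" for v in h.get("x-content-type-options", [])):
        findings.append("No X-Content-Type-Options header")
    if "referrer-policy" not in h:
        findings.append("No Referrer-Policy header")
    if "permissions-policy" not in h:
        findings.append("No Permissions-Policy header")
    return findings


def http_redirects_to_https(raw: str) -> bool:
    """True if a plain-HTTP response is a 3xx whose Location is an https:// URL."""
    status, h = parse_response(raw)
    location = h.get("location", [""])[0]
    return 300 <= status < 400 and location.lower().startswith("https://")


# Constructed responses for a hypothetical site; not captured from any real domain.
BARE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: nginx\r\n\r\n<html>"
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; object-src 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "\r\n<html>"
)
REPORT_ONLY = BARE.replace("Server: nginx", "Content-Security-Policy-Report-Only: default-src 'self'")
HTTP_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.site.example/\r\n\r\n"
HTTP_PLAIN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    print("bare:", audit_https(BARE))
    print("hardened:", audit_https(HARDENED))
    print("report-only CSP:", audit_https(REPORT_ONLY))
    print("redirects:", http_redirects_to_https(HTTP_REDIRECT), http_redirects_to_https(HTTP_PLAIN))
```

The HARDENED response is also a reasonable minimal target for the fix list: every row in the table clears with six headers, and the CSP shown is a starting point that will need its source lists widened for any site that loads third-party scripts.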

None of these findings are obscure or expensive to fix. Most are single DNS records or a one-line web-server change. They are the kind of items a competent web developer or IT provider can address in an afternoon when given a clear list. They are also the kind of items that show up on cyber-insurance questionnaires, in larger-client procurement reviews, and in client trust conversations.

AttackEdge is built to make this list visible, then send it to whoever fixes things in your business. We do not change your systems and we do not replace a manual penetration test. We give you a plain-English report and a technical fix list you can hand to your developer, MSP, or in-house IT.

Methodology and caveats

How the sample was measured.

  • Sample. 30 publicly-registered .com.au domains spanning web agencies, accountants, allied-health-adjacent services, real estate, ecommerce, and professional services. The sample is small and not weighted to the full Australian SMB population. Treat the numbers as indicative, not definitive. We will publish a fuller edition once we cross 100 free-check participants.
  • What was measured. Public DNS records (SPF, DKIM at common selectors, DMARC, MTA-STS, MX) and a single HTTPS request to each domain's root URL. The TLS handshake reveals certificate expiry, negotiated protocol, and cipher; the HTTP response reveals security headers.
  • What was not measured. No port scanning, no authentication attempts, no internal pages or admin interfaces, no vulnerability exploitation, and no probing beyond the request above. Each domain received a single TLS handshake and one HTTPS GET, the same load a single browser visit creates.
  • Anonymisation. No business is named in this report. Aggregated counts and percentages only. The seed domain list is kept locally and is not published.
  • Reproducibility. The script is open and lives in our marketing-site repo. Anyone with a domain list can re-run the same checks against their own sample.
  • Not legal advice. Findings here are technical measurements. Any compliance, insurance, or contractual implications should be discussed with a qualified professional for your specific situation.
  • How DKIM was tested. We probed the common default selectors (default, selector1, selector2, google, k1, s1). Domains using uncommon selectors will register as DKIM-missing here even when they have a working DKIM setup, so the real DKIM-adoption number is likely a few points higher than reported. A published key also only shows that a selector exists, not that every outgoing message is signed with it.
Check your own domain

See where your business sits against the sample.

The free check covers the headline issues on your domain in about a minute. Same shape, your data.