A comprehensive 12-check security audit of 306 domains belonging to Japan's largest publicly traded companies, including .com, .co.jp, and major subsidiary brand domains, covering every major Nikkei 225 constituent.
Domains are scored 0–100 across 12 checks: DNS security (DNSSEC, CAA, NS, SPF, DMARC), HTTP headers (HSTS, CSP, security.txt), email auth (MTA-STS, BIMI), and registrar hygiene (locks, enterprise registrar).
How many Nikkei 225 domains deploy each security feature? The results reveal major gaps.
Beyond DNS: HSTS enforces HTTPS, CSP prevents injection, security.txt invites responsible disclosure, MTA-STS encrypts email transport, and BIMI authenticates brand identity in email.
Average security score by industry sector. Finance leads; most sectors score below 30.
How does Japan’s corporate security posture compare to the US? Side-by-side comparison using the same 12-check methodology.
All 306 Nikkei 225 domains ranked by security score.
| Company | Domain | Sector | Score | Locks | DNSSEC | DMARC | CAA | HSTS | CSP | sec.txt | MTA-STS | BIMI |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
Each domain is scored across 12 dimensions, totaling 100 points max.
EPP status flags: clientTransferProhibited, clientDeleteProhibited, clientUpdateProhibited, and server-side equivalents
Presence of DS/DNSKEY records indicating DNSSEC is active
Certificate Authority Authorization records restricting which CAs can issue certs
Number of nameservers (4+ = 7 pts, 2–3 = 4 pts)
Using a corporate-grade registrar (CSC, MarkMonitor, Safenames, etc.)
DMARC record presence and policy (reject=10, quarantine=7, none=3)
Sender Policy Framework TXT record
Strict-Transport-Security header enforcing HTTPS (1yr=10, 30d=7, any=4)
Content-Security-Policy header preventing XSS and injection attacks
RFC 9116 standard for vulnerability disclosure at /.well-known/security.txt
Mail Transfer Agent Strict Transport Security — enforces encrypted email delivery
Brand Indicators for Message Identification — authenticated brand logo in email
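An added example, not the audit's own code: how the three graded checks above (nameserver count, DMARC policy, HSTS max-age) could be turned into points from raw observations. The 365-day and 30-day cut-offs, the zero scores for missing or malformed values, and all function names and sample domains are assumptions.

```python
import re

YEAR, THIRTY_DAYS = 365 * 86400, 30 * 86400  # assumed cut-offs for "1yr" and "30d"

def parse_tags(record):
    """Split a 'k=v; k=v' TXT record into a dict with lowercase keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def score_dmarc(txt):
    """reject=10, quarantine=7, none=3; a missing or malformed record scores 0."""
    tags = parse_tags(txt or "")
    if tags.get("v") != "DMARC1":
        return 0
    return {"reject": 10, "quarantine": 7, "none": 3}.get(tags.get("p", "").lower(), 0)

def score_hsts(header):
    """1yr=10, 30d=7, any=4, read here as max-age at or above each duration."""
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?', header or "", re.IGNORECASE)
    if not m or int(m.group(1)) == 0:  # assumption: max-age=0 clears the policy, so 0 pts
        return 0
    age = int(m.group(1))
    return 10 if age >= YEAR else 7 if age >= THIRTY_DAYS else 4

def score_ns(nameservers):
    """4+ = 7 pts, 2-3 = 4 pts; fewer than two is assumed to score 0."""
    n = len({ns.lower().rstrip(".") for ns in nameservers})  # de-duplicate by name
    return 7 if n >= 4 else 4 if n >= 2 else 0

def partial_score(obs):
    """Points for the three graded checks only (maximum 27 of the 100)."""
    return {"dmarc": score_dmarc(obs.get("dmarc")),
            "hsts": score_hsts(obs.get("hsts")),
            "ns": score_ns(obs.get("ns", []))}

# Constructed observations for illustration, not results from the audit.
SAMPLES = {
    "strict.example": {"dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
                       "hsts": "max-age=63072000; includeSubDomains; preload",
                       "ns": ["ns1.strict.example.", "ns2.strict.example.",
                              "ns3.strict.example.", "ns4.strict.example."]},
    "weak.example": {"dmarc": "v=DMARC1; p=none", "hsts": "max-age=86400",
                     "ns": ["ns1.weak.example.", "NS1.weak.example", "ns2.weak.example."]},
    "broken.example": {"dmarc": "p=reject", "hsts": "includeSubDomains", "ns": []},
}

if __name__ == "__main__":
    for domain, obs in SAMPLES.items():
        points = partial_score(obs)
        print(domain, points, sum(points.values()))
```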