DALI Security Research

I Audited 5,000 Domains Across Fortune 500 & Top AI Companies

A comprehensive analysis of DNS security, HTTP headers, email authentication, and registrar hygiene across 576 companies — every Fortune 500 plus 29 leading AI companies — 12 security checks each.

March 1, 2026 · 576 companies · 5,000 domains · 12 security checks per domain · Automated with DALI Engine

Key Findings

Average Security Score (out of 100): 21.4
No security.txt: 95.9%
No MTA-STS: 99.4%
No CSP Header: 82.0%

Score Distribution

Domains are scored 0-100 across 12 checks: DNS security (DNSSEC, CAA, NS, SPF, DMARC), HTTP headers (HSTS, CSP, security.txt), email auth (MTA-STS, BIMI), and registrar hygiene (locks, enterprise registrar).

[Charts: Security Score Distribution; Score Categories]

Security Feature Adoption

How many Fortune 500 domains deploy each security feature? The results are stark.

[Charts: All 12 Security Checks; DMARC Policy Breakdown]

HTTP Security & Email Auth

Beyond DNS: HSTS enforces HTTPS, CSP restricts what a page may load and so mitigates XSS and injection, security.txt tells researchers where to report vulnerabilities, MTA-STS enforces encrypted email transport, and BIMI shows an authenticated brand logo in email.

Have HSTS Header: 28.6%
Have CSP Header: 18.0%
Have security.txt: 4.1%
Have MTA-STS: 0.6%

Infrastructure Analysis

Who hosts the DNS for the Fortune 500? Where are their domains registered?

[Charts: DNS Provider Distribution; Registrar Distribution]

Full Results

All 5,000 domains across 576 companies (Fortune 500 + AI) ranked by security score.

Table columns: Company, Primary Domain, Avg Score, Locks, DNSSEC, DMARC, CAA, HSTS, CSP, sec.txt, MTA-STS, BIMI

Methodology

Each domain is scored across 12 dimensions in 3 categories, totaling 100 points max.

Registrar Locks (15 points max): EPP status flags: clientTransferProhibited, clientDeleteProhibited, clientUpdateProhibited

DNSSEC (10 points): Presence of DS/DNSKEY records indicating DNSSEC is active

CAA (8 points): Certificate Authority Authorization records restricting which CAs can issue certs

NS Redundancy (7 points max): Number of nameservers (4+=7, 2-3=4)

Enterprise Registrar (5 points): Using a corporate-grade registrar (CSC, MarkMonitor, Safenames, etc.)

DMARC (10 points max): DMARC record presence and policy (reject=10, quarantine=7, none=3)

SPF (5 points): Sender Policy Framework TXT record

HSTS (10 points max): Strict-Transport-Security header enforcing HTTPS (1yr=10, 30d=7, any=4)

CSP (10 points): Content-Security-Policy header preventing XSS and injection attacks

security.txt (10 points): RFC 9116 standard for vulnerability disclosure at /.well-known/security.txt

MTA-STS (10 points): Mail Transfer Agent Strict Transport Security — enforces encrypted email delivery

BIMI (5 points): Brand Indicators for Message Identification — authenticated brand logo in email
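
The four graded checks in the methodology above (registrar locks, NS redundancy, DMARC, HSTS), written out as an added Python sketch; it is not DALI Engine code, and the eight pass/fail checks are left out. The 5-points-per-lock split, the zero score for duplicate DMARC records, and the observation field names are assumptions, and the sample input is constructed.

```python
import re

# Assumption: 5 points per lock (the page gives only "15 points max").
LOCK_FLAGS = {f"client{x}prohibited" for x in ("transfer", "delete", "update")}
DMARC_POINTS = {"reject": 10, "quarantine": 7, "none": 3}

def score_locks(epp_statuses):
    """5 points per lock; WHOIS status lines may carry a trailing ICANN URL."""
    seen = {s.split()[0].lower() for s in epp_statuses if s.strip()}
    return 5 * sum(flag in seen for flag in LOCK_FLAGS)

def score_ns(nameservers):
    """4+ nameservers = 7, 2-3 = 4, fewer = 0; duplicates count once."""
    n = len({ns.rstrip(".").lower() for ns in nameservers})
    return 7 if n >= 4 else 4 if n >= 2 else 0

def score_dmarc(txt_records):
    """Score the p= tag of the TXT record at _dmarc.<domain>. Several v=DMARC1
    records score 0 (assumption, after RFC 7489: multiple records are ignored)."""
    policies = []
    for txt in txt_records:
        parts = (p.partition("=") for p in txt.split(";"))
        tags = {k.strip().lower(): v.strip().lower() for k, _, v in parts}
        if tags.get("v") == "dmarc1":
            policies.append(tags.get("p"))
    return DMARC_POINTS.get(policies[0], 0) if len(policies) == 1 else 0

def score_hsts(header_value):
    """max-age >= 31536000 s (1 yr) = 10, >= 2592000 s (30 d) = 7, other = 4.
    Read literally, "any=4" also covers max-age=0, which switches HSTS off."""
    if not header_value:
        return 0  # header absent
    m = re.search(r'max-age\s*=\s*"?(\d+)', header_value, re.IGNORECASE)
    age = int(m.group(1)) if m else 0
    return 10 if age >= 31536000 else 7 if age >= 2592000 else 4

def score_graded(obs):
    """Sum the four graded checks for one domain (maximum 42 points)."""
    return (score_locks(obs["epp"]) + score_ns(obs["ns"])
            + score_dmarc(obs["dmarc_txt"]) + score_hsts(obs["hsts"]))

# Constructed sample observations, not data from the audit.
SAMPLE = {
    "epp": ["clientTransferProhibited https://icann.org/epp#clientTransferProhibited"],
    "ns": ["ns1.example.net.", "ns2.example.net."],
    "dmarc_txt": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
    "hsts": "max-age=15552000; includeSubDomains",
}
print("graded score:", score_graded(SAMPLE), "of 42")
```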