
Domain Security Report 2026


Join Quinn Taggart, CSC product coach, as he unveils findings from the Domain Security Report 2026, our sixth annual analysis of domain security practices among the Forbes Global 2000 and the world’s top 100 unicorn companies.

In this webinar, we’ll explore how the largest corporations and fastest-growing innovators compare in protecting their domain ecosystems—critical assets that lie outside the firewall yet remain among the most targeted entry points for cybercriminals.

Webinar transcript

Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo and other engagement features. To set up a live demo, please complete the form above on our website. If you currently are not on our website and are watching us on our YouTube channel, there's a link to the website in the description of this video. Thank you.

Christy: Hello, everyone, and welcome to today's webinar, "Domain Security Report 2026." My name is Christy DeMaio Ziegler, and I will be your moderator.

Joining us today is Quinn Taggart. Quinn is a product coach for Digital Brand Services and assists clients in the areas of online brand and cybersecurity strategy. Quinn has been with CSC for over 20 years, and his wealth of experience and knowledge is appreciated by brand owners as he helps them to better understand their evolving digital asset portfolio and minimize their risk. And with that, let's welcome Quinn.

Quinn: Thank you, Christy. I want to welcome everybody to today's webinar on our Domain Security Report 2026. I've had the honor of being able to be involved with this report since we began it over five years ago, and I've been one of the principal architects of the data gathering and so on. So I'm very in touch with what we're going to present today. And it formulates a bit of an anchor for a lot of the strategic work that we do here at CSC with the DBS Department and on the Brand Advisory team, which is what I'm a part of.

One of the key aspects of the Domain Security Report is that we're going to focus a bit on the external attack surfaces. And it comes in many, many forms, right? So people are very familiar with the phishing attacks and the ransomware attacks. These are the things that get the most "news" as you're well aware if you're paying attention and following along. But there are a lot of behind-the-scenes kinds of things that people can do and as domain owners can do in order to help protect their assets online. A lot of companies still view the domain inventory as a bit of a money pit and not as a true asset to the company, which they really are.

And so as we go through and look at the next slide, the types of threats can vary. And realistically a lot of folks are going to be focused on internal aspects of it. How's our firewall? Are we keeping the bad guys out?

But when it comes to brand reputation and your online presence, it usually starts with a domain name. Now whether you own the domain name or whether somebody else does, that's where things go sideways. And so that's where things like phishing attacks and ransomware attacks will all come into play. Usually, they'll hinge on a bit of a human element point of view as well. So the whole aspect of a phishing attack or social engineering ransomware and the like may require somebody to click on something. And so the target audience is going to be trying to avoid clicking on stuff that they're not supposed to click on. But we all know that that happens. And so try to protect yourself by looking at your internal inventory that you already have and just make sure that you dot your i's and cross your t's.

Let's dive right into the findings. And so what we do for the Domain Security Report is we look at the Forbes Global 2000 companies, and then what we do is we assess their core domain names for those Global 2000 companies. And one of the big aspects when you're doing that, of course, is that the expectation is that how you treat your core, critical anchor domain should cascade down into the thought processes towards the rest of the domain inventories. So if we see companies that are paying attention and are utilizing the security features that are available to them for their core domains, then chances are they're taking those into consideration for the rest of their domain inventory.

And as we can see here, when we start looking backwards into 2020 on through, the idea when it comes to the trends towards DMARC and DNS redundancy, registry lock, CAA records, and DNSSEC, they're all mapped out here, and you can see most of them are on an upward tick, as we would expect. DMARC, of course, has had the greatest adoption as we go along. That's your email security. That's your Cadillac version of your email security. So we certainly would expect that to happen.

Some of the other areas, like registry lock, are a little bit tougher to get folks to realize how much of an impact that sort of thing can have. But that really kind of ties in, and we'll see later on, when we look at enterprise-level registrars compared to consumer-grade registrars. And that makes a big difference because registry lock is a bit of a manual process, and that's not as easy to exact in a consumer-based environment.

So when we get away from some of these, we're going to look at DMARC because of the way in which it's climbed. It's really blown up quite a bit over the last five, six years. And we were hoping, of course, to see the same with the rest of the elements, but we haven't seen that sort of climb as we have with DMARC.

But there are a couple of key critical elements that go with DMARC, one of which, of course, is that what does DMARC actually do? And it really, at a simple explanation, kind of prevents people from spoofing your domain names in email traffic. So what we're seeing is that, at one point, DMARC might have been only on the domain names that were actually being used for email within an organization. But what we're seeing in the last while, of course, is that a lot of folks are applying DMARC to every domain in their inventory as a default.

Good point for that is that now nobody can spoof any domain that you have registered in your portfolio. Whether you're using it for email or not is irrelevant. If they can spoof it and associate it with you online, well, it's a greater risk to you, but a greater aspect towards them being successful in their phishing campaigns.

But one of the key aspects towards setting DMARC up properly is what we call the reject policy. So when we look at the DMARC record itself, one of the key aspects is this record here in the middle, p=reject, this spot right here. And one of the key pieces there is that you can set it to reject, you can set it to quarantine, or you can set it to none. And the idea is that if you don't set it to reject, or you don't set it to quarantine, all you're really doing is watching, because it's not doing anything with those DMARC records that you have set in there. So you need to make sure that your reject policy is actually being set up properly so that you can go and take action against any unauthorized emails that'll go through and try to spoof your inventory.

So one of the other key aspects, of course, is the registry lock. And as I mentioned before, what does it really do? And essentially, it's a cost-effective way to make sure that your critical domains cannot have any accidental or unauthorized modifications or deletions. In this day of automation, if you go and put in an order to, let's say, change the DNS on any of your domains in your inventory, and you accidentally slide in your mission-critical domain name, don't notice, and you make a DNS update, that's a real problem. I mean, obviously, you're going to take your site offline. It can take your email offline. And while it might take 30 seconds to execute, it can take up to 72 hours for it to cycle back properly through local internet service providers and the like. So it can be quite a damaging event to have that accidental update towards the domain names.

What registry lock will do is interrupt that automation with a manual process. It requires callbacks. It requires passcodes. Everything is done on a manual basis that way on purpose. And this is where consumer-based or retail-based registrars run into trouble offering this particular service. It's because they're not geared towards a manual process. They're geared towards automation all the way.

So who's using the registry locks? Well, what we're seeing with the data that we've compiled is around half or 53% of the companies that are using enterprise-class registrars use registry locks, and that's up from last year. But only 6% of those that are using consumer-based registrars are using registry locks. A couple of reasons for that. One, as I mentioned, it's a manual process, so a lot of the consumer-based registrars don't offer the service at all. Even though it's eligible, that extension might be eligible for registry lock, they're not offering the service because they really just don't have the resources internally or the mechanisms internally to be able to deal with that.

The other side of it, of course, is that a lot of folks that are using consumer-grade registrars aren't getting the support that they need. They're not getting strategic advice. They don't have a dedicated support team. You're going to get that with an enterprise-class registrar. You're going to have people that are giving you that advice and that additional attention that you need in order to make sure you're not only aware that these exist, these elements exist, but to make the recommendation that you actually use them.

So why use an enterprise-class registrar? Well, companies that use enterprise providers are generally more aware of security measures, as I mentioned. The support structure is generally a little bit more formal, resource-heavy in order to be able to give you the guidance and the advice that you're going to need to make sure that you're taking the full advantage of all the measures that are available.

Now besides the awareness, most consumer-grade registrars, they don't offer these sorts of things because they're a manual process, as I mentioned before. And I can't emphasize that enough because they're all about the automation, and that's where their pricing model hangs is all on the automation. So they're not offering a lot of the critical TLDs that might exist out in the world because they, too, are still manual. Not every extension that's available to you on the internet is automated. There are some that still require forms. They still require a manual process, manual handling. A lot of these retail or consumer-grade registrars are not going to be able to handle those kinds of extensions simply because of that process.

And we can see from the graph as well where things fall when it comes to enterprise versus the consumer grade. And the biggest difference is in that registry lock.

Now regionalization is another aspect of this particular report. And when we divide things up into three major areas, we've got, of course, the Americas, we've got EMEA, and then we've got Asia-Pacific. Now Asia-Pacific also includes, of course, Australia, which is a major market, as well as all of the Asian countries, India, and so on. And the key part to remember is that for the folks that are in the APAC region, a lot of them are using those consumer-based registrars. They're grabbing the one-offs. They're going and getting what they need, and they're not really paying as much attention, unfortunately, to the additional resources that are required when it comes to keeping their assets safe.

So over the past few years, there's been a lot of volatility in the overall ranking scores in some of the critical industries. And we've seen that last year, where banking and healthcare took some radical moves. Between '23 and '24, healthcare went from a rank of 5th down to a rank of 12th. Now you wouldn't expect that from the healthcare industry. You would hope, given ransomware attacks and some other stuff that's been in the news, that they would be a little bit more diligent. And, of course, banking. Banking is still middle of the pile. It's unfortunate that they're not climbing like they should. They went from 14 to 16 up to 11. So hopefully that's a trend for them and that we'll continue to see the banking industry climb.

The strongest providers, of course, are still IT, media, and business services. That's good. They're consistently there. And unfortunately, there are the lowest performers, like the utilities market, where everybody hinges on the grid, but yet the utility companies seem to not be as on top of things when it comes to utilizing domain security measures.

When we look at the actual risk levels themselves, what we do is we look at the elements themselves that are in place, and then assign a score based on that. Of course, zero means you don't have anything in place. A hundred percent, of course, means you have them all in place. However, we're not seeing a lot in the "100% security score" unfortunately. And 67% of the Global 2000 have less than half of the recommended security measures implemented.

But again, in looking at the regionalization, and we're not trying to pick on anybody in particular, but when we look at the zero scores, we're seeing a great number of those zero scores coming up in the APAC region when it comes to looking at these measures. And again, I think a lot of that has to trail into the fact that a lot of the APAC companies are using those consumer-grade providers, and they're just not getting the advice that they really should be getting when it comes to which measures to put into place and how best to apply them.

So generally, when we start to look at the Global 2000, we'll also look a bit towards the core names, and we'll have a peek at what we call homoglyphs or typos and substitution type attacks that are on those particular brand strings themselves. And so what we do is we run these through some internal tools and come out with some suggestions on what sort of substitutions might make sense, and then we'll gauge availability on those particular domains. We'll have a look at the WHOIS details. We'll try to figure out whether or not the clients or companies themselves actually own those domains from a defensive standpoint, or whether it's all third-party stuff.

And so some of the more popular substitutions are things like a C for an E, a zero for an O. M and M's is a popular one. When we get to I's and L's, you get I, L, and a one. Those are also popular substitutions as well. This is an attack vector that has become and stayed fairly steady and popular over the years, simply as a quick and easy way for the bad actors to trick folks into clicking on links and making it look like an email might be coming in from a reliable domain source. So rather than trying to spoof a legitimate domain name, because DMARC is on the rise and everybody is kind of protecting themselves that way, they'll register one of these little typo or lookalikes and then try to trick folks into quickly looking at that and thinking, "Oh, this is legit," and then clicking on whatever link they may have inside. And so when we go through our research from this, this is what we're finding.

Now a lot of the domains that we see are what we call dormant domains. They're inactive. If you type it into a browser, you're not going to get anything, likely get an error message, but that doesn't mean that they're not intending to use them at some point. And what the bad actors will do is they'll register the names, and they'll leave them dormant for a while, and then they'll come back to them and activate them. And that time difference between the registration and when they actually activate them gives them a bit of a window of opportunity to make sure that they don't get blacklisted and they don't run into trouble with them. People will look at it and say, "Oh, the domain has been registered for a while, and maybe I can trust it, or whichever." Right?

However, one of the key factors to remember, when we're dealing with these sorts of things, is that the domains don't have to have an active website on them in order to be used for email. If you put a name into a browser and you get an error, that doesn't mean that it can't send active email out. And that's one of the real, real challenges when we go through and do these sorts of analyses on behalf of our clients, is that when you're looking at whether the domains are active or not, it's not just whether they resolve to live content. It's whether or not they're active from an email standpoint as well. So it can be easily weaponized for email activity, such as phishing, but that's the key.

What we also look towards is trying to connect the dots between what we're seeing in the Forbes 2000 and some other angle when it comes to corporate domain use online. And one of the things that we decided to pick on this time around was we wanted to look at the top 100 unicorns. So the definition of a unicorn, it's a privately held company. It's got a valuation of at least a billion dollars. These are usually startups, relatively new companies. That means that they're not going to show up necessarily on the Forbes 2000 list, which is by and large established companies and they've been active for a while. So these new, fresh, quick startups are not going to show up on that Forbes 2000 list. So what we wanted to do was to compare them into the Forbes 2000 and see how they kind of stack up.

Now there was no surprise that most of the top 100 unicorns are in the IT sector. That is where the biggest bang for the buck is when it comes to these sorts of companies. But that doesn't necessarily mean that they were going to be on top of the domain security. Now some exceptions exist, of course. But a byproduct of most of these companies is that they're using consumer-grade registrars. That puts them at a bit of a disadvantage, no different than the Forbes 2000.

But they may be just a little bit more aware of what's going on as far as these security elements are concerned. And as you can see, they stack up pretty well, or better than the Forbes 2000 for some of these particular elements, simply given the fact that they're IT-oriented and are likely, just by virtue of that, a little bit more aware of what the elements can be and so on. So they stack up fairly evenly when it comes to the scores as well. We see not that many unicorns in the bottom of the pile, a lot of them in the middle, and very, very few at the top, very similar to the Forbes 2000.

So in summary, these are recommendations we can definitely make for everybody. You should be looking at your inventory with a critical eye. You're going to adopt a defense-in-depth approach. Make sure that you're putting a lot of effort on the core, and then slowly work yourself out towards the rest. Continuously monitor and protect your domain and digital channels. Take advantage of global enforcement. That's really key.

The balancing act along the way is that if you're going to consider yourself a little bit more of a risk-taker or risk-neutral when it comes to your domain inventory, you're going to want to counter with a more robust monitoring and enforcement package in order to help prevent your brand abuse, your infringements, your phishing, your fraud online. It doesn't take long for your reputation to go in the tank due to some sort of an issue online, but it takes a long time to get it back. You also want to make sure you're confirming your vendor business practices and making sure they aren't contributing to fraud and brand abuse online.
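Two of the checks Quinn describes, the DMARC policy tag (p=reject versus quarantine versus none) and the character substitutions behind typo and homoglyph lookalike domains, carried out in code as an added Python example. This is not part of CSC's webinar, report or tooling. The DMARC records and the list of observed domains are constructed sample data, the substitution table is an assumption built from the pairs mentioned in the talk, and the second-level-label extraction assumes a one-label TLD (no public-suffix list handling).

```python
"""Added example (not CSC's code): two defender-side checks from the talk.

1. dmarc_findings() parses a DMARC TXT record and reports whether the policy
   actually enforces (p=reject / p=quarantine) or only monitors (p=none).
2. flag_lookalikes() collapses the character substitutions the speaker lists
   (zero/o, one/l/i, rn/m, c/e) so a list of observed domains can be screened
   for typo or homoglyph variants of a brand's core label.
"""


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def dmarc_findings(txt):
    """Return a list of policy weaknesses; an empty list means the record is
    present and fully enforcing for the domain and its subdomains."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no-dmarc-record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 requires p; receivers may fall back to none or ignore the record.
        findings.append("missing-or-invalid-policy")
    elif policy == "none":
        # A p=none record only generates reports; spoofed mail is still delivered.
        findings.append("monitoring-only")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append("partial-enforcement")
    # sp defaults to p; an explicit sp=none leaves every subdomain spoofable.
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("subdomains-monitoring-only")
    return findings


# Substitution pairs from the talk, each mapped to one canonical form.
# The table is an assumption; tune it to the brand's real alphabet.
# Multi-character pairs come first so "rn" is folded to "m" before "1" -> "l".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"), ("c", "e")]


def lookalike_key(label):
    """Canonicalise a DNS label so confusable spellings collapse together."""
    key = label.lower()
    for src, dst in CONFUSABLES:
        key = key.replace(src, dst)
    return key


def registrable_label(domain):
    """Second-level label of a domain; assumes a one-label TLD."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def flag_lookalikes(brand_domain, observed):
    """Observed domains whose label collapses to the brand's key but is not the brand."""
    brand = registrable_label(brand_domain)
    key = lookalike_key(brand)
    return [
        d for d in observed
        if registrable_label(d) != brand and lookalike_key(registrable_label(d)) == key
    ]


# Constructed sample data (not real records or observations).
SAMPLE_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "_dmarc.brand-b.example": "v=DMARC1; p=none; rua=mailto:reports@example.net",
    "_dmarc.brand-c.example": "v=DMARC1; p=quarantine; pct=20",
    "_dmarc.brand-d.example": "v=DMARC1; p=reject; sp=none",
    "_dmarc.brand-e.example": "v=spf1 include:_spf.example.com -all",
}
OBSERVED = ["examp1e.com", "exarnple.net", "www.exampie.com",
            "examplee.com", "example.com", "other.com"]

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(name, dmarc_findings(record) or ["ok"])
    print("lookalikes of example.com:", flag_lookalikes("example.com", OBSERVED))
```

In practice the records would come from a TXT lookup of `_dmarc.<domain>` for every domain in the inventory, not only the ones that send mail, which is the "DMARC on everything" posture the talk describes; the lookalike screen would run over a feed such as new registrations or certificate transparency entries, with each hit checked against WHOIS and, as the talk notes, for MX records rather than only for a live website.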