Domain.Posture

Security & privacy vendors

Email security of 40 security & privacy vendors

Password managers, VPNs, and security platforms sell trust for a living — graded here on the same email-authentication basics they audit everyone else on.

Across these 40 domains, 92.5% publish SPF, 95% publish DMARC and 82.5% enforce it (reject or quarantine), 12.5% sit on p=none, and 60% sign with DKIM. Scanned June 24, 2026.

Every domain in this cohort

DomainSPFDMARCDKIMMTA-STSTLS-RPT
1password.comSoftfailQuarantineYesNoNo
auth0.comHardfailQuarantineYesNoNo
beyondidentity.comHardfailQuarantineYesNoNo
bitwarden.comSoftfailRejectYesNoNo
checkmarx.comHardfailQuarantineYesNoNo
cyberghostvpn.comHardfailQuarantineNoNoNo
dashlane.comHardfailRejectYesNoNo
duo.comSoftfailRejectYesNoNo
expressvpn.comNoneQuarantineNoNoNo
gitguardian.comHardfailRejectYesNoNo
hardenize.comSoftfailRejectYesNoYes
infisical.comSoftfailQuarantineYesNoNo
ivpn.netHardfailRejectNoNoNo
lastpass.comPresentRejectYesNoNo
mullvad.netHardfailRejectNoNoNo
nordpass.comHardfailRejectYesNoNo
nordvpn.comHardfailRejectYesNoNo
okta.comSoftfailRejectNoNoNo
onelogin.comHardfailRejectYesNoNo
openvpn.netSoftfailQuarantineYesNoNo
protonmail.comSoftfailQuarantineNoNoNo
protonvpn.comSoftfailQuarantineNoNoNo
purevpn.comSoftfailQuarantineYesNoNo
securitytrails.comHardfailQuarantineNoNoNo
signal.orgSoftfailQuarantineYesYesYes
snyk.ioSoftfailQuarantineYesNoNo
surfshark.comSoftfailRejectYesNoNo
tailscale.comSoftfailRejectYesNoNo
torguard.netHardfailQuarantineYesNoNo
tutanota.comHardfailQuarantineNoYesYes
veracode.comSoftfailRejectNoNoNo
windscribe.comSoftfailQuarantineNoNoNo
yubico.comSoftfailRejectYesYesYes
censys.ioSoftfailNone (monitor)YesNoNo
keeperpasswordmanager.comNoneMissingNoNoNo
shodan.ioHardfailNone (monitor)NoNoNo
torproject.orgSoftfailNone (monitor)NoNoNo
truffle-security.comNoneMissingNoNoNo
tunnelbear.comHardfailNone (monitor)NoNoNo
zerotier.comSoftfailNone (monitor)YesNoNo

Where does your domain stand?

Run the same 15 checks on your own domain — free, no signup. If you need the result as evidence, the signed Domain Audit Report turns it into a dated artifact your auditor can verify.