The Australian SMB Posture Baseline is a quarterly measurement of the real, public-facing security posture of Australian small business websites — what their DNS, email authentication, TLS and HTTP security configuration actually looks like from the outside, measured across the same five categories as every Red Bridge Cyber customer scan: Security, Email, Domain, Speed and Visibility. The cohort is Australian small-to-mid-size businesses on .com.au domains. It is the reference cohort of the research programme — the baseline every other cohort is compared against, and the dataset behind every statistic we publish.
When an article on this site says something like (Red Bridge Cyber SMB Posture Baseline, June 2026), this page is what that citation points to.
Current edition — June 2026
The June 2026 edition (the first) scanned a deterministic sample of 150 domains drawn from a validated pool of Australian small business domains (.com.au), completing on 12 June 2026. Results are below; how every number is produced is described in the methodology section.
Executive summary of findings
The June 2026 edition scanned 150 Australian small business websites. The headline: the typical Australian small business website earns an F (20/100) for web security, an E for DNS hardening and a C for email posture — while scoring an A+ on the visibility basics.
- Security is the weakest category. 79% of scored sites publish no Content-Security-Policy, 70% send no HSTS header, and 38% do not even enforce HTTPS.
- The DMARC gap is the email story. 83% of small businesses publish a DMARC record but only 43% enforce it — most have done the easy half of anti-spoofing and stopped.
- DNS hardening is near-absent. DNSSEC 2%, CAA 5%, MTA-STS 3% — the controls that protect the domain itself are essentially undeployed.
- Visibility is the bright spot. The technical-SEO basics are near-universal — but the new AI-search surface is open ground: only 12% publish AI-crawler rules and 19% an llms.txt.
Full results tables below. Every number reports its sample honestly: 150 domains sampled, and every domain we could not score is disclosed with its reason.
Email
Email posture — can the domain’s mail be trusted, and can the domain be spoofed? Median grade C (77/100). Share of the cohort passing each check:
| Check | % passing |
|---|---|
| Mail-routed (MX with STARTTLS) | 95% |
| SPF | 89% |
| DMARC enforced (quarantine/reject) | 43% |
| DKIM | 79% |
| MTA-STS | 1% |
| TLS-RPT | 4% |
| DNSSEC | 2% |
| Reverse DNS | 93% |
All 150 sampled domains were scoreable for the email category.
Domain
Domain (DNS) posture — the records that protect the domain name itself. Median grade E (39/100). Share of the cohort with each control in place:
| Check | % with control |
|---|---|
| SPF record | 93% |
| DMARC published | 83% |
| DMARC enforced (quarantine/reject) | 43% |
| DNSSEC | 2% |
| CAA record | 5% |
| MTA-STS | 3% |
| IPv6 at the apex | 21% |
All 150 sampled domains were scoreable for the domain category.
Security
Web security posture — TLS configuration, security headers and the basics of a defensible website. Median grade F (20/100), the weakest category measured. Share of scored sites missing each control:
| Check | % missing |
|---|---|
| HTTPS enforcement | 38% |
| HSTS | 70% |
| Content-Security-Policy | 79% |
| X-Content-Type-Options (nosniff) | 63% |
| Referrer-Policy | 81% |
| Permissions-Policy | 93% |
| TLS 1.3 | 34% |
| security.txt | 99% |
141 of 150 sampled domains scored (9 redirect-only — see Commentary).
Visibility
Visibility — the technical signals that decide whether a site can be found, by search engines and now by AI assistants. Measured for the SMB cohort only (why below). Median grade A+ (96/100) — the strongest category in this cohort, and the one place the bar is higher than most owners think.
| Check | % with signal |
|---|---|
| HTTPS enforced | 94% |
| Page title | 99% |
| Mobile viewport | 97% |
| Meta description | 88% |
| XML sitemap | 94% |
| robots.txt | 93% |
| Sitemap referenced in robots.txt | 78% |
| Canonical tag | 88% |
| JSON-LD structured data | 75% |
AI-search readiness is the open ground — the signals AI assistants and answer engines look for:
| Check | % with signal |
|---|---|
| AI-crawler rules in robots.txt | 12% |
| llms.txt | 19% |
10% of scored sites serve mixed (insecure) content on an otherwise-HTTPS page.
145 of 150 sampled domains scored (5 unreachable — see Commentary).
Why visibility is measured for the SMB cohort only
We scan all five cohorts on Security, Domain and Email for exactly one reason: so a small business can see how it stacks up against the big end of town on the same checks. Visibility is the one category where that comparison would mislead rather than inform. Search visibility for a small business is a contest fought on a single website with table-stakes signals — the things this section measures. The other cohorts are not playing that game:
- Large businesses and multinationals market hundreds of products against thousands of search terms, with advertising budgets and whole teams running it. Their apex domain’s technical signals say almost nothing about how they actually win search.
- Education runs search as part of a seasonal enrolment go-to-market — often spread across faculty sites and separately branded campaigns rather than the main domain we measure, and timed to when enrolments happen.
- Government is the only game in town. It does not need to win a search placement contest; its visibility work is content quality and alignment with policy, not competing for position.
There is no honest like-for-like in any of that, so rather than publish a comparison that would not mean anything, we simply do not capture visibility data for the other cohorts.
Commentary
The numbers above read like a contradiction — the same 150 businesses that score an A+ on visibility score an F on security. It isn’t a contradiction; it’s a default. Website builders, CMS platforms and agencies handle the SEO basics automatically, so a small business gets titles, sitemaps and mobile rendering without ever asking for them. There is no equivalent default for security headers, DMARC enforcement or DNS hardening — those happen only when someone decides they should, and the F says almost nobody is deciding.
The DMARC gap is the clearest example. Publishing a DMARC record is typically a one-line DNS change a provider suggests; enforcing it takes a deliberate decision to move from monitoring to quarantine or reject. 83% published, 43% enforcing means the intent is there — the follow-through isn’t. Our larger cohorts show enforcement above 80%, so this is a discipline gap, not a capability one.
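The published-versus-enforced split used in the Domain table and discussed above comes down to one tag in the `_dmarc` TXT record. The classifier below is an added illustration, not Red Bridge Cyber's scanner: it parses a record, treats it as "published" only if it is a valid `v=DMARC1` record with the mandatory `p=` tag, and as "enforced" only if `p=` is `quarantine` or `reject`, exactly the page's definition. The six domains and their records are constructed for the example.

```python
"""Classify DMARC records as "published" versus "enforced (quarantine/reject)",
the split the Domain table reports. Added example code, not Red Bridge Cyber's
scanner. The sample records below are constructed, not real lookups."""
from dataclasses import dataclass
from typing import Dict, Optional

ENFORCING_POLICIES = {"quarantine", "reject"}


@dataclass(frozen=True)
class DmarcStatus:
    published: bool          # a valid v=DMARC1 record with a p= tag exists
    policy: Optional[str]    # value of the p= tag, lower-cased, if any
    enforced: bool           # policy is quarantine or reject


def parse_dmarc(record: Optional[str]) -> DmarcStatus:
    """Parse one _dmarc TXT record. Absent, non-DMARC1, or p=-less records
    count as not published (a monitoring-only p=none still counts as published)."""
    if not record:
        return DmarcStatus(False, None, False)
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return DmarcStatus(False, None, False)
    policy = tags["p"].lower()
    return DmarcStatus(True, policy, policy in ENFORCING_POLICIES)


def cohort_share(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Return the two Domain-table percentages for a cohort, rounded."""
    statuses = [parse_dmarc(r) for r in records.values()]
    n = len(statuses)
    published = sum(s.published for s in statuses)
    enforced = sum(s.enforced for s in statuses)
    return {"published_pct": round(100 * published / n),
            "enforced_pct": round(100 * enforced / n)}


# Constructed sample: six hypothetical .com.au domains with made-up records.
SAMPLE: Dict[str, Optional[str]] = {
    "example-one.com.au": "v=DMARC1; p=none; rua=mailto:dmarc@example-one.com.au",
    "example-two.com.au": "v=DMARC1; p=quarantine; pct=100",
    "example-three.com.au": "v=DMARC1; p=reject; sp=reject; adkim=s",
    "example-four.com.au": None,                                # no _dmarc record
    "example-five.com.au": "v=DMARC1; p=none",                  # monitoring only
    "example-six.com.au": "v=spf1 include:_spf.example -all",   # SPF text at _dmarc, not DMARC
}

if __name__ == "__main__":
    for domain, record in SAMPLE.items():
        print(domain, parse_dmarc(record))
    print(cohort_share(SAMPLE))  # 4 of 6 published, 2 of 6 enforced
```

The classifier deliberately ignores `pct=`, `sp=` and the reporting tags, because the page's enforcement criterion is the `p=` value alone; a scanner that wanted to flag a `p=quarantine; pct=0` record as effectively monitoring-only would need to extend it.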
Not every sampled domain could be scored, and we publish that rather than hide it. Nine of the 150 were excluded from security scoring because their apex domain permanently redirects to a different domain — typical of mergers, brand consolidation and migrated sites. Five were excluded from visibility because they were unreachable to a plain page fetch; several of those are demonstrably live businesses, so the most plausible explanation is deliberate bot-defence blocking automated testing — a choice, not an outage. Exclusion is always decided on these objective criteria before any score is read: a live site that scores an F is data, never an exclusion.
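The gate described above (exclude on the fetch outcome, never on the score) and the header-based rows of the Security table can be expressed as one small scoring pass. The code below is an added example and not Red Bridge Cyber's scanner; it assumes each domain was fetched at `http://<domain>/` following redirects, so "HTTPS enforcement" means the final URL is `https://`. It covers the header checks only (not TLS 1.3 or security.txt), treats any landing off the measured domain as redirect-only without checking that the redirect was permanent, and every fetch result in it is constructed.

```python
"""Scoring gate plus web-security header checks. Added example illustrating the
Security table and the Commentary's exclusion rule; not Red Bridge Cyber's
scanner. Assumption: fetches start at http://<domain>/ and follow redirects.
All fetch results below are constructed."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Security-table controls that are read straight from response headers.
HEADER_CONTROLS = {
    "HSTS": "strict-transport-security",
    "Content-Security-Policy": "content-security-policy",
    "X-Content-Type-Options (nosniff)": "x-content-type-options",
    "Referrer-Policy": "referrer-policy",
    "Permissions-Policy": "permissions-policy",
}

# (status, final_url, headers) for one fetch; status None means no response.
FetchResult = Tuple[Optional[int], Optional[str], Dict[str, str]]


def exclusion_reason(domain: str, result: FetchResult) -> Optional[str]:
    """Why a domain is excluded, or None if it is scored. Decided from the
    fetch outcome only; no score is consulted. Simplification: any landing
    off the domain counts as redirect-only, whereas a real scanner would
    also require the redirect to be permanent (301/308)."""
    status, final_url, _ = result
    if status is None:
        return "unreachable"
    host = urlsplit(final_url or "").hostname or ""
    if host != domain and not host.endswith("." + domain):
        return "redirect-only"  # landed on a different brand's domain
    return None


def missing_controls(result: FetchResult) -> List[str]:
    """Name the Security-table controls a scored site lacks."""
    _, final_url, headers = result
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    missing = []
    if not (final_url or "").startswith("https://"):
        missing.append("HTTPS enforcement")
    for label, header in HEADER_CONTROLS.items():
        value = lower.get(header, "")
        # X-Content-Type-Options only counts with the exact value "nosniff".
        if not value or (header == "x-content-type-options" and value.lower() != "nosniff"):
            missing.append(label)
    return missing


def score_cohort(results: Dict[str, FetchResult]) -> dict:
    """Gate first, then score. Returns the scored count, the exclusions with
    their reasons, and the share of scored sites missing each control."""
    excluded, scored = {}, {}
    for domain, result in results.items():
        reason = exclusion_reason(domain, result)
        if reason:
            excluded[domain] = reason
        else:
            scored[domain] = missing_controls(result)
    n = len(scored)
    labels = ["HTTPS enforcement"] + list(HEADER_CONTROLS)
    missing_pct = {}
    if n:
        missing_pct = {lab: round(100 * sum(lab in m for m in scored.values()) / n) for lab in labels}
    return {"scored": n, "excluded": excluded, "missing_pct": missing_pct}


# Constructed sample of five hypothetical .com.au domains.
SAMPLE: Dict[str, FetchResult] = {
    "alpha.com.au": (200, "https://www.alpha.com.au/", {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=()",
    }),
    "bravo.com.au": (200, "http://bravo.com.au/", {}),              # never upgrades to HTTPS
    "charlie.com.au": (200, "https://charlie.com.au/", {
        "Strict-Transport-Security": "max-age=31536000",
        "X-Content-Type-Options": "sniff",                        # present but not nosniff
    }),
    "delta.com.au": (200, "https://www.delta-group.com.au/", {}),  # excluded: redirect-only
    "echo.com.au": (None, None, {}),                               # excluded: unreachable
}

if __name__ == "__main__":
    print(score_cohort(SAMPLE))
```

Because the gate runs before `missing_controls` is ever called, a live site with every header absent (bravo.com.au above) is counted as data with six missing controls, while the off-domain redirect and the dead fetch are reported as exclusions with their reasons, which is the distinction the Commentary draws.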
Everything in this edition is measured from the public surface only — DNS lookups, a normal page fetch, and public scanning endpoints. No intrusive tooling, no authenticated access, nothing a regular visitor couldn’t see. Sites that block that surface simply appear above as unscorable, and that is reported honestly too.
Methodology
Every cohort baseline is produced by the same methodology: quarterly cadence, a deterministic seeded sample drawn from a validated pool, and scan failures excluded before scoring — never on score. Read the full methodology on the research overview.
Previous editions
This baseline refreshes quarterly, and this page always carries the latest edition. As editions are superseded, their headline tables will be archived here so that any older citation can be checked against the edition it was drawn from.