What’s the most common domain security mistake you keep seeing?

Lately I keep seeing the same issues over and over during security reviews:

• weak or missing DMARC policies
• broken SPF records
• missing DNSSEC
• expired SSL certificates
• missing security headers
• critical vulnerabilities that are often surprisingly easy to fix

The scary part is that many companies don’t even realize these issues exist until deliverability, trust or security problems appear.

Curious what misconfigurations or domain security problems others here keep running into most often.