Domain Intelligence Scanner

Complete security assessment for any domain — DNS, DNSSEC, email authentication, SSL/TLS certificates, and website security headers in a single scan. Built for MSPs, IT admins, and security professionals.

How the Domain Intelligence Scanner works

Enter any domain name and the scanner runs five security checks in parallel (DNS and DNSSEC are grouped together below):

  • DNS & DNSSEC — Retrieves nameservers, CAA records, and verifies DNSSEC signing via two independent resolvers (Cloudflare 1.1.1.1 and Google Public DNS)
  • Email Security — Queries SPF, DKIM (scanning common selectors), and DMARC records and analyses policy strength
  • SSL/TLS — Performs a live TLS handshake to inspect the certificate, verify validity, check expiry, and detect HSTS configuration
  • Security Headers — Fetches the HTTP response headers and scores CSP, HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy
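To make the "Security Headers" check concrete, here is an added example (not the scanner's own code, and the point values are an assumption for illustration) that scores a captured set of HTTP response headers for the five controls named above: CSP, HSTS, X-Frame-Options, X-Content-Type-Options and Referrer-Policy. The sample responses are constructed; the first is the kind of half-configured header set that scores poorly, the second is a hardened one.

```python
import re

# Illustrative point allocation per header; an assumption for this example,
# not the scanner's actual weighting.
WEIGHTS = {
    "content-security-policy": 30,
    "strict-transport-security": 25,
    "x-frame-options": 15,
    "x-content-type-options": 15,
    "referrer-policy": 15,
}
ONE_YEAR = 31536000  # seconds; the usual minimum for a meaningful HSTS max-age
WEAK_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}


def check_csp(value):
    """Full credit for a CSP; half credit if it allows inline or eval'd script."""
    if value is None:
        return 0, "missing"
    if "'unsafe-inline'" in value or "'unsafe-eval'" in value:
        return WEIGHTS["content-security-policy"] // 2, "present but allows 'unsafe-inline' or 'unsafe-eval'"
    return WEIGHTS["content-security-policy"], "ok"


def check_hsts(value):
    """Credit depends on max-age: at least one year for full credit."""
    if value is None:
        return 0, "missing"
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    max_age = int(m.group(1)) if m else 0
    if max_age >= ONE_YEAR:
        return WEIGHTS["strict-transport-security"], "ok"
    if max_age > 0:
        return 10, f"max-age={max_age} is shorter than one year"
    return 0, "max-age missing or zero"


def check_xfo(value, csp):
    """DENY/SAMEORIGIN, or a CSP frame-ancestors directive, mitigates framing."""
    if csp and "frame-ancestors" in csp:
        return WEIGHTS["x-frame-options"], "covered by CSP frame-ancestors"
    if value is None:
        return 0, "missing"
    if value.strip().upper() in {"DENY", "SAMEORIGIN"}:
        return WEIGHTS["x-frame-options"], "ok"
    return 0, f"unrecognised value {value!r}"


def check_xcto(value):
    """Only the literal 'nosniff' value counts."""
    if value is not None and value.strip().lower() == "nosniff":
        return WEIGHTS["x-content-type-options"], "ok"
    return 0, "missing or not 'nosniff'"


def check_referrer(value):
    """Any policy scores, but the two that send full URLs cross-origin score low."""
    if value is None:
        return 0, "missing"
    if value.strip().lower() in WEAK_REFERRER_POLICIES:
        return 5, f"{value.strip()} sends the full URL to other origins"
    return WEIGHTS["referrer-policy"], "ok"


def score_headers(headers):
    """Return (total, findings) for a dict of response headers; names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    findings = {
        "content-security-policy": check_csp(csp),
        "strict-transport-security": check_hsts(h.get("strict-transport-security")),
        "x-frame-options": check_xfo(h.get("x-frame-options"), csp),
        "x-content-type-options": check_xcto(h.get("x-content-type-options")),
        "referrer-policy": check_referrer(h.get("referrer-policy")),
    }
    total = sum(points for points, _ in findings.values())
    return total, findings


# Constructed sample responses (not captured from any real site).
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, headers in (("sample", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        total, findings = score_headers(headers)
        print(f"{label}: {total}/100")
        for name, (points, note) in findings.items():
            print(f"  {name}: {points} ({note})")
```

The sample set scores 45: the CSP is present but permits inline script, the HSTS max-age of 300 seconds is far too short to protect returning visitors, and nothing prevents framing. The hardened set scores 100, with X-Frame-Options redundant next to frame-ancestors but still worth sending for older clients.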

Results are scored using a weighted model — Email Security (30%), DNS Security (25%), SSL/TLS (25%), Website Security (20%) — and combined into an overall score and A–F grade.

Common uses

The Domain Intelligence Scanner is designed for security-minded assessments where you need a fast, structured view of a domain's security posture:

  • MSP prospect assessments — run before a sales or onboarding meeting to understand a client's security gaps
  • Email deliverability troubleshooting — instantly see whether SPF, DKIM, and DMARC are correctly configured
  • Security baseline checks — verify a domain meets minimum security standards after a migration or handoff
  • Pre-launch validation — confirm all security controls are in place before launching a new website or domain
  • Competitive research — check competitors' or vendor domains for security posture

Frequently Asked Questions

Everything you need to know about domain security assessment, scoring, and remediation — from SPF and DMARC to DNSSEC and security headers.

What does the Domain Intelligence Scanner check?

The scanner performs five parallel checks: DNS security (DNSSEC status, nameserver redundancy, CAA records), email security (SPF, DKIM, DMARC policy analysis), SSL/TLS certificate health (validity, expiry, TLS version, HSTS), website security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), and DNSSEC chain-of-trust validation via two independent resolvers — Cloudflare 1.1.1.1 and Google Public DNS. Results are scored by category, combined into an overall A–F grade, and presented as an executive summary, prioritised findings, and actionable recommendations.

Do I need DNSSEC?

DNSSEC is not required but is strongly recommended for any domain that matters. Without it, DNS responses can be forged on the network path — silently redirecting your users to a malicious server without any visible warning (DNS cache poisoning). Cloudflare, Amazon Route 53, and Google Cloud DNS all support DNSSEC with a single toggle. The main extra step is publishing the DS record at your registrar, which typically takes 15–30 minutes.

What is a good domain security score?

Scores of 90–100 (Grade A) indicate excellent security posture. Scores of 75–89 (Grade B) represent good security with minor improvements available. Scores of 60–74 (Grade C) show fair security with several gaps to address. Scores of 45–59 (Grade D) indicate poor security with significant issues present. Scores below 45 (Grade F) indicate critical deficiencies requiring immediate attention. Most production domains without dedicated security hardening score in the C–D range.

What are CAA records and why do they matter?

CAA (Certification Authority Authorization) records specify which Certificate Authorities are permitted to issue SSL certificates for your domain. For example, 0 issue "letsencrypt.org" restricts issuance to Let's Encrypt only. Without CAA records, any CA in the world can issue a certificate for your domain — a risk if a CA is compromised or makes an issuance error. They take about 15 minutes to add at your DNS provider and require no changes to your web server or application.

How is the overall score calculated?

The overall score is a weighted average of four category scores: Email Security (30%), DNS Security (25%), SSL/TLS (25%), and Website Security (20%). Email is weighted highest because domain spoofing via email is one of the most impactful attack vectors for most organisations. Each category score reflects specific controls — DMARC p=reject earns 50 of the 100 email security points; DNSSEC fully signed earns 50 of the 100 DNS security points.
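The weighted model above, and the grade bands from the "What is a good domain security score?" answer, are easy to check by hand. The following is an added example (not the scanner's own code) that computes the overall score and grade from four category scores and shows how much a single fix moves the overall number; only the two point allocations the page states (DMARC p=reject and DNSSEC, 50 points each) are used, and the starting category scores are constructed.

```python
# Category weights as stated on the page.
WEIGHTS = {"email": 0.30, "dns": 0.25, "ssl": 0.25, "web": 0.20}

# Grade bands as stated on the page: inclusive lower bound -> letter.
GRADE_BANDS = [(90, "A"), (75, "B"), (60, "C"), (45, "D"), (0, "F")]

# The only per-control allocations the page documents; the rest of each
# category's 100 points is not specified here.
DMARC_REJECT_POINTS = 50   # of 100 email security points
DNSSEC_SIGNED_POINTS = 50  # of 100 DNS security points


def overall_score(scores):
    """Weighted average of the four category scores, each in 0..100."""
    missing = set(WEIGHTS) - set(scores)
    if missing:
        raise ValueError(f"missing category scores: {sorted(missing)}")
    for name, value in scores.items():
        if name not in WEIGHTS or not 0 <= value <= 100:
            raise ValueError(f"bad category score {name}={value}")
    return round(sum(WEIGHTS[c] * scores[c] for c in WEIGHTS), 2)


def grade(score):
    """Map a 0..100 score onto the A-F bands."""
    for lower_bound, letter in GRADE_BANDS:
        if score >= lower_bound:
            return letter
    return "F"


def overall_gain(category, category_points):
    """Overall points earned by a fix worth category_points in one category."""
    return round(WEIGHTS[category] * category_points, 2)


def apply_fix(scores, category, category_points):
    """Return a new score dict with one category raised, capped at 100."""
    new = dict(scores)
    new[category] = min(100, new[category] + category_points)
    return new


# Constructed starting point: weak email and DNS, decent TLS, mediocre headers.
BEFORE = {"email": 40, "dns": 50, "ssl": 85, "web": 55}
AFTER_DMARC = apply_fix(BEFORE, "email", DMARC_REJECT_POINTS)
AFTER_DNSSEC = apply_fix(AFTER_DMARC, "dns", DNSSEC_SIGNED_POINTS)

if __name__ == "__main__":
    for label, scores in (("before", BEFORE), ("DMARC p=reject", AFTER_DMARC), ("+ DNSSEC", AFTER_DNSSEC)):
        s = overall_score(scores)
        print(f"{label}: {s} ({grade(s)})")
    print("DMARC p=reject alone is worth", overall_gain("email", DMARC_REJECT_POINTS), "overall points")
    print("DNSSEC alone is worth", overall_gain("dns", DNSSEC_SIGNED_POINTS), "overall points")
```

The constructed domain starts at 56.75 (D). Moving DMARC to p=reject adds 15 overall points (50 email points at weight 0.30) and lifts it to 71.75 (C); enabling DNSSEC adds 12.5 more and reaches 84.25 (B). That difference is why the email category, and DMARC in particular, sits at the top of most remediation lists.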

What does it mean if SSL details are unavailable?

The SSL/TLS check uses a raw TCP socket connection to inspect the certificate at the protocol level. Cloudflare-proxied domains and CDN-fronted hosts block this approach — Cloudflare's runtime cannot open outbound TCP sockets to its own IP ranges by design. When blocked, the scanner confirms HTTPS is reachable and estimates the SSL score from HSTS, but cannot extract certificate details. Use the standalone SSL/TLS Certificate Checker from your browser for full certificate information on these hosts.

What is the difference between SPF, DKIM, and DMARC?

SPF (Sender Policy Framework) defines which mail servers are authorised to send email for your domain — a DNS TXT record listing permitted IPs or service includes. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outbound emails so receivers can verify the message was authorised and not modified in transit. DMARC ties them together with a published policy — p=none, p=quarantine, or p=reject — that tells receiving servers what to do with mail failing both checks. All three are needed for full email authentication and anti-spoofing protection.

Why does the scan take several seconds?

The scanner runs five checks in parallel — DNS records, DNSSEC chain validation, email authentication (SPF/DKIM/DMARC), SSL/TLS certificate inspection, and security headers analysis. The SSL/TLS check requires a full TLS handshake, which is the slowest individual operation. Because all checks run in parallel, the total time is determined by the slowest single check rather than the sum. Most scans complete in 5–10 seconds.

Why is DMARC so important for email security?

DMARC tells receiving mail servers what to do with email that fails SPF and DKIM checks. Without DMARC set to p=reject or p=quarantine, attackers can send phishing email appearing to come from your domain and it will be delivered normally. DMARC with p=reject is the only configuration that fully prevents domain spoofing. Even with both SPF and DKIM present, a missing or p=none DMARC record provides zero enforcement — your domain can still be used in business email compromise (BEC) and phishing attacks.
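The policy analysis described in this and the previous answer comes down to reading a few tags out of the _dmarc TXT record. This added example (not the scanner's own code) parses a DMARC record and classifies its enforcement level, flagging the cases that look configured but still leave gaps: p=none, a pct= below 100, sp=none on a domain with subdomains, and a missing rua= reporting address. The records it is run on are constructed.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def dmarc_record_name(domain):
    """A DMARC policy is published as a TXT record at _dmarc.<domain>."""
    return f"_dmarc.{domain.strip('.').lower()}"


def parse_tags(txt):
    """Split a 'tag=value; tag=value' record into a dict with lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def analyse_dmarc(txt):
    """Classify a DMARC TXT record (or None) into an enforcement level plus findings."""
    if txt is None:
        return {"level": "missing", "policy": None, "findings": ["no DMARC record published"]}
    tags = parse_tags(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return {"level": "missing", "policy": None, "findings": ["record is not a DMARC1 record"]}
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return {"level": "invalid", "policy": policy or None,
                "findings": ["p= tag missing or invalid; receivers cannot apply a policy"]}
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100   # RFC default is 100
    sub_policy = tags.get("sp", policy).lower()         # sp defaults to p

    findings = []
    if policy == "none":
        level = "monitor-only"
        findings.append("p=none: failing mail is still delivered; no spoofing protection")
    elif pct < 100:
        level = "partial"
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to p={policy}")
    else:
        level = "enforced"
    if policy == "quarantine":
        findings.append("p=quarantine: failing mail lands in spam rather than being rejected")
    if policy != "none" and sub_policy == "none":
        findings.append("sp=none: subdomains are left unenforced")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return {"level": level, "policy": policy, "subdomain_policy": sub_policy,
            "pct": pct, "findings": findings}


# Constructed records, from weakest to strongest.
SAMPLES = {
    "none": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=reject; pct=50",
    "quarantine": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
    "sp_none": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "reject": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "not_dmarc": "v=spf1 include:_spf.example.net -all",
}

if __name__ == "__main__":
    print("lookup name:", dmarc_record_name("Example.com."))
    for label, record in SAMPLES.items():
        result = analyse_dmarc(record)
        print(f"{label}: {result['level']} {result['findings']}")
```

Only the last constructed record comes back as "enforced" with no findings. The pct=50 record is the one most often mistaken for full protection: it says p=reject, but half of the failing mail is still delivered, so it counts as partial here.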

How often should I scan my domain?

Scan any time you make DNS, email, or hosting changes — and at minimum monthly for production domains. Certificate expiry, new email sending services, DNS provider migrations, and DMARC policy updates can shift your security posture without you noticing. MSPs typically scan client domains before onboarding, after any migration or handoff, and on a quarterly review cycle to catch configuration drift.

Can attackers spoof my domain?

Yes — without DMARC set to p=reject or p=quarantine, attackers can send email that appears to come from your domain and it will reach recipients' inboxes. This technique is used in phishing, business email compromise (BEC), and brand impersonation campaigns. SPF and DKIM alone do not prevent this — they provide authentication signals that only DMARC enforces. The scanner flags any domain without a DMARC enforcement policy as high risk regardless of SPF and DKIM configuration.

Can MSPs use this report for client assessments?

Yes — the scanner is built with MSP use cases in mind. Run a scan before a prospect meeting to identify quick wins and start a conversation. Use the Executive Summary and Recommendations sections with non-technical stakeholders — the score and grade provide an at-a-glance health indicator, and each recommendation includes impact, difficulty, and estimated effort so you can scope remediation work and set realistic client expectations.

What security issue should I fix first?

Fix Critical findings immediately — BOGUS DNSSEC and expired SSL certificates can make your domain unreachable. After that, address High findings by effort: DMARC p=reject, SPF, and HSTS are all Easy/15–30 minutes. DNSSEC and Content-Security-Policy take slightly more effort but have high impact. The Recommendations section orders all actions by impact-to-effort ratio so you always know what to prioritise next.

Why does DKIM sometimes show as not found?

DKIM keys are published at a selector-specific subdomain such as selector1._domainkey.yourdomain.com. There is no standard way to discover all selectors — the scanner probes a list of common names (google, selector1, selector2, default, k1, mail, and others). If your provider uses a non-standard selector, DKIM will show as not found even if signing is active. Check your email provider's documentation for the correct selector name and confirm using the SPF / DKIM / DMARC Validator.
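The selector problem is easiest to see in code. The following added example (not the scanner's own code) builds the <selector>._domainkey.<domain> names for the selector list quoted above, asks a lookup function for each, and parses whatever DKIM key record comes back, including a revoked key (empty p=). The zone data is constructed and the lookup function is a stand-in for a real DNS client; with dnspython, lookup_txt would wrap dns.resolver.resolve(name, "TXT") and join each answer's character strings.

```python
# Selector names the page says the scanner probes (its full list is longer).
COMMON_SELECTORS = ["google", "selector1", "selector2", "default", "k1", "mail"]


def dkim_record_name(selector, domain):
    """A DKIM public key is published at <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain.strip('.').lower()}"


def parse_dkim(txt):
    """Return the tag dict for a DKIM key record, or None if the TXT is not one."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # v= is optional in key records but must be DKIM1 if present; p= is mandatory.
    if tags.get("v", "DKIM1").upper() != "DKIM1" or "p" not in tags:
        return None
    return tags


def find_dkim_keys(domain, lookup_txt, selectors=COMMON_SELECTORS):
    """Probe each selector name.

    lookup_txt(name) must return a list of TXT record strings for the name
    (each already joined from its character-string parts), or [] when the
    name does not exist. Only selectors on the list can ever be found.
    """
    found = []
    for selector in selectors:
        for txt in lookup_txt(dkim_record_name(selector, domain)):
            tags = parse_dkim(txt)
            if tags is None:
                continue          # unrelated TXT record at that name
            found.append({
                "selector": selector,
                "key_type": tags.get("k", "rsa"),  # rsa is the DKIM default
                "revoked": tags["p"] == "",        # empty p= means the key was revoked
            })
            break
    return found


# Constructed zone standing in for real DNS answers; the p= values are placeholders.
FAKE_ZONE = {
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "selector2._domainkey.example.com": ["v=DKIM1; k=rsa; p="],
    "custom2024._domainkey.example.com": ["v=DKIM1; k=ed25519; p=PLACEHOLDER_PUBLIC_KEY"],
    "mail._domainkey.example.com": ["an unrelated TXT record with no tags"],
}


def fake_lookup(name):
    """Stand-in for a DNS TXT query against the constructed zone."""
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    print("common selectors:", find_dkim_keys("example.com", fake_lookup))
    print("with provider selector:",
          find_dkim_keys("example.com", fake_lookup, COMMON_SELECTORS + ["custom2024"]))
```

Against the constructed zone the common list finds selector1 (active) and selector2 (revoked, worth reporting rather than counting as a working key), but never custom2024: the active ed25519 key is only found once the provider's selector name is added to the list, which is exactly the "not found" result the answer above describes.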

Can this tool help identify compliance gaps?

Yes. Many frameworks — CIS Controls, NIST CSF, ISO 27001, and SOC 2 — require technical controls this scanner covers: email authentication (SPF/DKIM/DMARC maps to CIS Control 9), encryption in transit (TLS/HSTS), DNS security (DNSSEC), and web security headers (CSP/XFO). The scanner does not produce a formal compliance report, but its findings map directly to common technical controls and serve as concrete evidence for gap assessments and remediation tracking.