Blog
Contact
Sign in
Scan complete
scan_id: 18df76a6…
A+
100/100
secrift.com
No changes since last scan
Strong. No significant issues found.
6/6
checks
33
passed
finished
Scan timestamps
Created
Jul 5, 2026, 8:26 AM
Started
Jul 5, 2026, 8:26 AM
Finished
Jul 5, 2026, 8:26 AM
Updated
Jul 5, 2026, 8:26 AM
Export PDF
Re-scan
Findings by severity
33 results
0
Critical
0
High
0
Medium
0
Low
33
Pass
Report coverage
100%
Full coverage - every planned check was evaluated.
All
33
Pass
33
Email Security
100%
5/5
SPF Record
Learn how it works
Info
7/7 pass
SPF Record
SPF record is published
The domain publishes exactly one SPF TXT record.
Pass
SPF Record
SPF syntax is valid
The SPF record is syntactically valid.
Pass
SPF Record
SPF policy uses strict fail mode
The SPF policy explicitly rejects unauthorized senders with -all.
Pass
SPF Record
SPF DNS lookup limit is not exceeded
The SPF policy stays within the DNS lookup limit.
Pass
SPF Record
SPF delegated policies are valid
All include and redirect targets resolve to valid SPF policies.
Pass
SPF Record
SPF record avoids deprecated mechanisms
The SPF policy does not use discouraged SPF mechanisms.
Pass
SPF Record
SPF authorization scope is constrained
The SPF policy does not authorize obviously overbroad IP ranges.
Pass
DMARC Policy
Learn how it works
Info
7/7 pass
DMARC Policy
DMARC record is published
The domain publishes exactly one DMARC TXT record.
Pass
DMARC Policy
DMARC syntax is valid
The DMARC record is syntactically valid.
Pass
DMARC Policy
DMARC policy rejects unauthenticated mail
The DMARC policy requests rejection of mail that fails DMARC validation.
Pass
DMARC Policy
DMARC subdomain policy rejects unauthenticated mail
Subdomains are protected by an effective reject policy.
Pass
DMARC Policy
DMARC policy applies to all failing mail
The DMARC policy is applied to 100% of failing messages.
Pass
DMARC Policy
DMARC aggregate reporting is configured
The DMARC record contains a valid aggregate reporting destination.
Pass
DMARC Policy
DMARC alignment is strict
The DMARC record requires strict DKIM and SPF alignment.
Pass
MTA-STS Policy
Learn how it works
Info
5/5 pass
MTA-STS Policy
MTA-STS DNS record is valid
The domain publishes exactly one valid MTA-STS TXT record with a correct version and policy ID.
Pass
MTA-STS Policy
MTA-STS policy file is accessible
The MTA-STS policy file is served over HTTPS with a valid certificate at the required URL.
Pass
MTA-STS Policy
MTA-STS policy syntax is valid
The MTA-STS policy file contains all required fields with valid values.
Pass
MTA-STS Policy
MTA-STS policy enforces TLS
The MTA-STS policy is in enforce mode, so sending servers that support MTA-STS will reject delivery to MX hosts without a valid TLS certificate.
Pass
MTA-STS Policy
MTA-STS policy covers all MX hosts
Every MX host of the domain is covered by an mx pattern in the MTA-STS policy.
Pass
TLS-RPT Record
Learn how it works
Info
3/3 pass
TLS-RPT Record
TLS-RPT record is published
The domain publishes exactly one TLS-RPT TXT record.
Pass
TLS-RPT Record
TLS-RPT syntax is valid
The TLS-RPT record contains all required fields with valid syntax.
Pass
TLS-RPT Record
TLS-RPT reporting destination is configured
The TLS-RPT record contains at least one valid reporting URI with a supported scheme.
Pass
DANE SMTP
Learn how it works
Info
5/5 pass
DANE SMTP
MX hosts discovered
The domain has at least one MX host configured.
Pass
DANE SMTP
DNSSEC covers all TLSA lookup zones
All MX hosts have their TLSA lookup zones protected by DNSSEC. Sending servers can trust the TLSA records.
Pass
DANE SMTP
All MX hosts have TLSA records
Every MX host has at least one usable DANE TLSA record published. Sending servers that support DANE can authenticate all inbound mail paths.
Pass
DANE SMTP
DANE TLSA parameters are recommended
All TLSA records use recommended certificate usage, selector, and matching type parameters suitable for SMTP DANE.
Pass
DANE SMTP
MX certificates match TLSA records
The TLS certificates presented by all MX hosts on port 25 match their published TLSA records. DANE end-to-end verification passed.
Pass
DNS Security
100%
1/1
DNSSEC
Learn how it works
Info
6/6 pass
DNSSEC
DNSSEC DS record is published
The parent zone publishes a DS record for this domain.
Pass
DNSSEC
DNSKEY records are published
The child zone publishes DNSKEY records required for DNSSEC validation.
Pass
DNSSEC
DS records match DNSKEY records
At least one DS record matches a DNSKEY record in the child zone.
Pass
DNSSEC
DNSKEY RRset signature is valid
The DNSKEY RRset is signed and its signature validates correctly.
Pass
DNSSEC
Zone RRset signature is valid
The zone SOA RRset is signed and its signature validates correctly.
Pass
DNSSEC
DNSSEC algorithms are acceptable
The DNSSEC algorithms and DS digest types are accepted by the validation policy.
Pass
Feedback