Blog
Contact
Sign in
Scan complete
scan_id: 29dfa986…
D
67/100
onet.pl
No changes since last scan
1 critical issue needs immediate attention.
6/6
checks
19
passed
finished
Scan timestamps
Created
Jul 5, 2026, 8:21 AM
Started
Jul 5, 2026, 8:22 AM
Finished
Jul 5, 2026, 8:22 AM
Updated
Jul 5, 2026, 8:22 AM
Export PDF
Re-scan
Findings by severity
25 results
1
Critical
1
High
3
Medium
1
Low
19
Pass
Report coverage
100%
Full coverage - every planned check was evaluated.
8 skipped
All
33
Critical
1
High
1
Medium
3
Low
1
Pass
19
Skipped
8
Email Security
100%
5/5
SPF Record
Learn how it works
Info
7/7 pass
SPF Record
SPF record is published
The domain publishes exactly one SPF TXT record.
Pass
SPF Record
SPF syntax is valid
The SPF record is syntactically valid.
Pass
SPF Record
SPF policy uses strict fail mode
The SPF policy explicitly rejects unauthorized senders with -all.
Pass
SPF Record
SPF DNS lookup limit is not exceeded
The SPF policy stays within the DNS lookup limit.
Pass
SPF Record
SPF delegated policies are valid
All include and redirect targets resolve to valid SPF policies.
Pass
SPF Record
SPF record avoids deprecated mechanisms
The SPF policy does not use discouraged SPF mechanisms.
Pass
SPF Record
SPF authorization scope is constrained
The SPF policy does not authorize obviously overbroad IP ranges.
Pass
DMARC Policy
Learn how it works
Info
4/7 pass
DMARC Policy
DMARC record is published
The domain publishes exactly one DMARC TXT record.
Pass
DMARC Policy
DMARC syntax is valid
The DMARC record is syntactically valid.
Pass
DMARC Policy
DMARC policy quarantines unauthenticated mail
The DMARC policy asks receivers to treat failing mail as suspicious, but does not request full rejection.
Medium
DMARC Policy
DMARC subdomain policy uses quarantine
Subdomains are protected by quarantine, but failing mail is not explicitly rejected.
Medium
DMARC Policy
DMARC policy applies to all failing mail
The DMARC policy is applied to 100% of failing messages.
Pass
DMARC Policy
DMARC aggregate reporting is configured
The DMARC record contains a valid aggregate reporting destination.
Pass
DMARC Policy
DMARC alignment is relaxed
The DMARC record allows relaxed identifier alignment for DKIM or SPF.
Low
MTA-STS Policy
Learn how it works
Info
4/5 pass
MTA-STS Policy
MTA-STS DNS record is valid
The domain publishes exactly one valid MTA-STS TXT record with a correct version and policy ID.
Pass
MTA-STS Policy
MTA-STS policy file is accessible
The MTA-STS policy file is served over HTTPS with a valid certificate at the required URL.
Pass
MTA-STS Policy
MTA-STS policy syntax is valid
The MTA-STS policy file contains all required fields with valid values.
Pass
MTA-STS Policy
MTA-STS policy does not enforce TLS
The MTA-STS policy is not in enforce mode and does not protect against SMTP downgrade attacks.
High
MTA-STS Policy
MTA-STS policy covers all MX hosts
Every MX host of the domain is covered by an mx pattern in the MTA-STS policy.
Pass
TLS-RPT Record
Learn how it works
Info
3/3 pass
TLS-RPT Record
TLS-RPT record is published
The domain publishes exactly one TLS-RPT TXT record.
Pass
TLS-RPT Record
TLS-RPT syntax is valid
The TLS-RPT record contains all required fields with valid syntax.
Pass
TLS-RPT Record
TLS-RPT reporting destination is configured
The TLS-RPT record contains at least one valid reporting URI with a supported scheme.
Pass
DANE SMTP
Learn how it works
Info
1/5 pass
DANE SMTP
MX hosts discovered
The domain has at least one MX host configured.
Pass
DANE SMTP
No MX host TLSA zone is protected by DNSSEC
None of the MX hosts have DNSSEC on their TLSA lookup zones. DANE SMTP cannot function without DNSSEC, as sending servers will ignore TLSA records from unsigned zones.
Critical
DANE SMTP
TLSA coverage was not evaluated
TLSA coverage evaluation was skipped because no MX hosts were discovered or DNSSEC is not available.
No impact on score or coverage
Skipped
DANE SMTP
TLSA parameter quality was not evaluated
TLSA parameter evaluation was skipped because no usable TLSA records were found.
No impact on score or coverage
Skipped
DANE SMTP
Certificate match was not evaluated
Certificate verification was skipped because no usable TLSA records are published for the MX hosts.
No impact on score or coverage
Skipped
DNS Security
100%
1/1
DNSSEC
Learn how it works
Info
0/6 pass
DNSSEC
DNSSEC is not enabled
The parent zone does not publish a DS record for this domain.
Medium
DNSSEC
DNSKEY publication was not evaluated
DNSKEY evaluation was skipped because the parent zone does not publish a DS record.
No impact on score or coverage
Skipped
DNSSEC
DS and DNSKEY matching was not evaluated
DS/DNSKEY matching was skipped because required DNSSEC records are missing.
No impact on score or coverage
Skipped
DNSSEC
DNSKEY RRset signature was not evaluated
DNSKEY signature validation was skipped because DS/DNSKEY matching did not produce a valid trust path.
No impact on score or coverage
Skipped
DNSSEC
Zone RRset signature was not evaluated
Zone RRset validation was skipped because earlier DNSSEC validation steps failed.
No impact on score or coverage
Skipped
DNSSEC
DNSSEC algorithm policy was not evaluated
Algorithm policy evaluation was skipped because DNSSEC validation prerequisites were not met.
No impact on score or coverage
Skipped
Feedback