Blog
Contact
Sign in
Scan complete
C
74/100
google.com
Changed ยท score unchanged
Compare
1 critical issue needs immediate attention.
16/16
checks
61
passed
finished
Scan timestamps
Created
Jul 17, 2026, 12:16 PM
Started
Jul 17, 2026, 12:16 PM
Finished
Jul 17, 2026, 12:16 PM
Updated
Jul 17, 2026, 12:16 PM
Export PDF
Re-scan
Findings by severity
80 results
1
Critical
5
High
6
Medium
7
Low
61
Pass
Report coverage
98.52%
15 skipped - these limit completeness.
15 skipped
All
95
Critical
1
High
5
Medium
6
Low
7
Pass
61
Skipped
15
Email
96%
Sender Authentication (SPF)
Learn how it works
Info
6/7 pass
Sender Authentication (SPF)
SPF policy does not use strict fail mode
The SPF policy does not fully reject unauthorized senders.
Medium
Domain Alignment (DMARC)
Learn how it works
Info
6/7 pass
Domain Alignment (DMARC)
DMARC alignment is relaxed
The DMARC record allows relaxed identifier alignment for DKIM or SPF.
Low
Certificate Binding (DANE)
Learn how it works
Info
1/5 pass
Certificate Binding (DANE)
No MX host TLSA zone is protected by DNSSEC
None of the MX hosts have DNSSEC on their TLSA lookup zones. DANE SMTP cannot function without DNSSEC, as sending servers will ignore TLSA records from unsigned zones.
Critical
DNS
100%
DNS Integrity (DNSSEC)
Learn how it works
Info
0/7 pass
DNS Integrity (DNSSEC)
DNSSEC is not enabled
The parent zone does not publish a DS record for this domain.
Medium
DNS Health (Delegation & Exposure)
Learn how it works
Info
7/8 pass
DNS Health (Delegation & Exposure)
SOA serial does not use the recommended format
The SOA record is otherwise valid, but the serial number does not follow the recommended YYYYMMDDnn date format.
Low
CAA and Certificate Issuance Surface
Learn how it works
Info
4/6 pass
CAA and Certificate Issuance Surface
Certificate issuance is not pinned
The CAA records authorize a CA but do not restrict issuance to a specific account or validation method.
Low
CAA and Certificate Issuance Surface
No S/MIME issuance policy is published
The domain does not publish an issuemail CAA property, so any CA may issue S/MIME certificates for its email addresses; note that issue and issuewild do not restrict S/MIME issuance.
Low
TLS
100%
TLS Configuration
Learn how it works
Info
1/6 pass
TLS Configuration
Deprecated TLS version accepted (TLS 1.0 / TLS 1.1)
The server accepts TLS 1.0 and/or TLS 1.1, both formally deprecated by RFC 8996. These versions lack support for modern authenticated encryption and are the underlying cause of several named attacks (e.g. BEAST against TLS 1.0 CBC ciphers).
High
TLS Configuration
Legacy cipher suites accepted (3DES / CBC in TLS 1.0)
The server accepts cipher suites weakened by the 64-bit block size of 3DES (SWEET32, CVE-2016-2183) and/or CBC-mode ciphers in TLS 1.0 (contributing factor to BEAST). Exploitation requires specific conditions (e.g. very large data transfers for SWEET32).
Medium
TLS Configuration
Cipher suites without forward secrecy accepted
The server accepts one or more cipher suites using static RSA or static (EC)DH key exchange. If the server's private key is ever compromised, an attacker with recorded traffic can decrypt past sessions negotiated with these cipher suites.
Medium
TLS Configuration
Weak elliptic curve accepted for key exchange
The server negotiates an elliptic curve below 256 bits for at least one ECDHE cipher suite. Weak curves reduce the effective security margin of the key exchange well below modern standards.
High
TLS Configuration
TLS 1.3 early data (0-RTT) enabled
The server accepts 0-RTT early data. Requests sent as early data can be replayed by an attacker without detection unless the application implements its own anti-replay protection. This is safe only for idempotent requests.
Low
Web
100%
Disclosure Policy (security.txt)
Learn how it works
Info
3/4 pass
Disclosure Policy (security.txt)
Expires is set more than one year in the future
The Expires date is valid and in the future, but RFC 9116 recommends keeping the expiry within one year to avoid the file becoming stale.
Low
HTTP Security Headers
Learn how it works
Info
1/7 pass
HTTP Security Headers
HSTS is not enforced
The site does not send a usable Strict-Transport-Security header, so browsers do not automatically upgrade future requests to HTTPS.
High
HTTP Security Headers
Content-Security-Policy is not enforced
The site does not send an enforced Content-Security-Policy header, leaving no restriction on script execution, framing, or resource loading beyond what other headers provide.
High
HTTP Security Headers
MIME sniffing is not disabled
The site does not send X-Content-Type-Options: nosniff, so browsers may MIME-sniff a response and interpret it as a different, potentially executable content type.
High
HTTP Security Headers
Referrer-Policy is not declared
The site does not send a Referrer-Policy header. Modern browsers default to a reasonably safe behavior, but the site does not explicitly guarantee it.
Medium
HTTP Security Headers
Permissions-Policy is missing or ineffective
The site either does not send a Permissions-Policy header, or the header only lists directives with a wildcard allowlist that does not restrict anything.
Medium
HTTP Security Headers
Deprecated security headers are present
The response sends one or more deprecated headers (X-XSS-Protection, Expect-CT, or Public-Key-Pins) that modern browsers ignore or that carry their own operational risk (HPKP).
Low
Feedback