Blog
Contact
Sign in
Scan complete
A+
99/100
secrift.com
Regressed · −1
Compare
Solid posture, with a few things to improve.
10/10
checks
46
passed
finished
Scan timestamps
Created
Jul 7, 2026, 6:32 AM
Started
Jul 7, 2026, 6:32 AM
Finished
Jul 7, 2026, 6:32 AM
Updated
Jul 7, 2026, 6:32 AM
Export PDF
Re-scan
Findings by severity
47 results
0
Critical
0
High
0
Medium
1
Low
46
Pass
Report coverage
97%
6 skipped - these limit completeness.
6 skipped
All
53
Low
1
Pass
46
Skipped
6
Email
96%
Sender Authentication (SPF)
Learn how it works
Info
7/7 pass
Sender Authentication (SPF)
SPF record is published
The domain publishes exactly one SPF TXT record.
Pass
Sender Authentication (SPF)
SPF syntax is valid
The SPF record is syntactically valid.
Pass
Sender Authentication (SPF)
SPF policy uses strict fail mode
The SPF policy explicitly rejects unauthorized senders with -all.
Pass
Sender Authentication (SPF)
SPF DNS lookup limit is not exceeded
The SPF policy stays within the DNS lookup limit.
Pass
Sender Authentication (SPF)
SPF delegated policies are valid
All include and redirect targets resolve to valid SPF policies.
Pass
Sender Authentication (SPF)
SPF record avoids deprecated mechanisms
The SPF policy does not use discouraged SPF mechanisms.
Pass
Sender Authentication (SPF)
SPF authorization scope is constrained
The SPF policy does not authorize obviously overbroad IP ranges.
Pass
Domain Alignment (DMARC)
Learn how it works
Info
7/7 pass
Domain Alignment (DMARC)
DMARC record is published
The domain publishes exactly one DMARC TXT record.
Pass
Domain Alignment (DMARC)
DMARC syntax is valid
The DMARC record is syntactically valid.
Pass
Domain Alignment (DMARC)
DMARC policy rejects unauthenticated mail
The DMARC policy requests rejection of mail that fails DMARC validation.
Pass
Domain Alignment (DMARC)
DMARC subdomain policy rejects unauthenticated mail
Subdomains are protected by an effective reject policy.
Pass
Domain Alignment (DMARC)
DMARC policy applies to all failing mail
The DMARC policy is applied to 100% of failing messages.
Pass
Domain Alignment (DMARC)
DMARC aggregate reporting is configured
The DMARC record contains a valid aggregate reporting destination.
Pass
Domain Alignment (DMARC)
DMARC alignment is strict
The DMARC record requires strict DKIM and SPF alignment.
Pass
Transport Encryption (SMTP TLS)
Learn how it works
Info
4/5 pass
Transport Encryption (SMTP TLS)
MX hosts discovered
The domain has at least one MX host configured.
Pass
Transport Encryption (SMTP TLS)
STARTTLS is available on all MX hosts
All MX hosts advertise and accept STARTTLS and present a valid SMTP session.
Pass
Transport Encryption (SMTP TLS)
Some MX hosts negotiate TLS 1.2 instead of TLS 1.3
All MX hosts meet the minimum TLS 1.2 requirement, but at least one does not support TLS 1.3.
Low
Transport Encryption (SMTP TLS)
MX host certificates are valid
All MX hosts present valid, trusted, name-matched certificates with adequate key strength.
Pass
Transport Encryption (SMTP TLS)
All MX hosts negotiate AEAD cipher suites with forward secrecy
All MX hosts negotiate modern AEAD cipher suites (GCM or CHACHA20-POLY1305) with ECDHE key exchange or TLS 1.3, providing both forward secrecy and authenticated encryption.
Pass
Certificate Binding (DANE)
Learn how it works
Info
5/5 pass
Certificate Binding (DANE)
Inbound mail routing is defined
The domain publishes MX records, or a null MX record correctly declaring that it does not accept inbound mail.
Pass
Certificate Binding (DANE)
DNSSEC covers all TLSA lookup zones
All MX hosts have their TLSA lookup zones protected by DNSSEC. Sending servers can trust the TLSA records.
Pass
Certificate Binding (DANE)
All MX hosts have TLSA records
Every MX host has at least one usable DANE TLSA record published. Sending servers that support DANE can authenticate all inbound mail paths.
Pass
Certificate Binding (DANE)
DANE TLSA parameters are recommended
All TLSA records use recommended certificate usage, selector, and matching type parameters suitable for SMTP DANE.
Pass
Certificate Binding (DANE)
MX certificates match TLSA records
The TLS certificates presented by all MX hosts on port 25 match their published TLSA records. DANE end-to-end verification passed.
Pass
Mail Servers (MX)
Learn how it works
Info
3/3 pass
Mail Servers (MX)
MX records are published
The domain publishes at least one MX record with a hostname.
Pass
Mail Servers (MX)
MX hosts are structurally valid
All MX records point to valid hostnames that are not CNAME aliases or IP address literals.
Pass
Mail Servers (MX)
All MX hosts resolve to public addresses
Every MX hostname resolves only to publicly routable IP addresses, with no reserved or unresolved addresses.
Pass
Transport Policy (MTA-STS)
Learn how it works
Info
6/6 pass
Transport Policy (MTA-STS)
Inbound mail routing is defined
The domain publishes MX records, or a null MX record correctly declaring that it does not accept inbound mail.
Pass
Transport Policy (MTA-STS)
MTA-STS DNS record is valid
The domain publishes exactly one valid MTA-STS TXT record with a correct version and policy ID.
Pass
Transport Policy (MTA-STS)
MTA-STS policy file is accessible
The MTA-STS policy file is served over HTTPS with a valid certificate at the required URL.
Pass
Transport Policy (MTA-STS)
MTA-STS policy syntax is valid
The MTA-STS policy file contains all required fields with valid values.
Pass
Transport Policy (MTA-STS)
MTA-STS policy enforces TLS
The MTA-STS policy is in enforce mode, so sending servers that support MTA-STS will reject delivery to MX hosts without a valid TLS certificate.
Pass
Transport Policy (MTA-STS)
MTA-STS policy covers all MX hosts
Every MX host of the domain is covered by an mx pattern in the MTA-STS policy.
Pass
TLS Reporting (TLS-RPT)
Learn how it works
Info
4/4 pass
TLS Reporting (TLS-RPT)
Inbound mail routing is defined
The domain publishes MX records, or a null MX record correctly declaring that it does not accept inbound mail.
Pass
TLS Reporting (TLS-RPT)
TLS-RPT record is published
The domain publishes exactly one TLS-RPT TXT record.
Pass
TLS Reporting (TLS-RPT)
TLS-RPT syntax is valid
The TLS-RPT record contains all required fields with valid syntax.
Pass
TLS Reporting (TLS-RPT)
TLS-RPT reporting destination is configured
The TLS-RPT record contains at least one valid reporting URI with a supported scheme.
Pass
Brand Indicators (BIMI)
Learn how it works
Info
0/6 pass
Brand Indicators (BIMI)
BIMI record was not evaluated
The domain does not publish a BIMI record or has explicitly refused BIMI participation. BIMI is optional and no action is required.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI syntax was not evaluated
Syntax evaluation was skipped because the domain does not publish a single BIMI record.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
DMARC prerequisite was not evaluated
The DMARC prerequisite check was skipped because the domain does not publish a single valid BIMI record.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI logo accessibility was not evaluated
Logo accessibility check was skipped because the domain does not have a valid BIMI record with a logo URL.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI logo format was not evaluated
Logo format check was skipped because the logo could not be retrieved.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI certificate was not evaluated
Certificate validation was skipped because the BIMI record does not include a VMC/CMC certificate URL. BIMI without a certificate is accepted by some providers but not Gmail or Apple Mail.
No impact on score or coverage
Skipped
DNS
100%
DNS Integrity (DNSSEC)
Learn how it works
Info
6/6 pass
DNS Integrity (DNSSEC)
DNSSEC DS record is published
The parent zone publishes a DS record for this domain.
Pass
DNS Integrity (DNSSEC)
DNSKEY records are published
The child zone publishes DNSKEY records required for DNSSEC validation.
Pass
DNS Integrity (DNSSEC)
DS records match DNSKEY records
At least one DS record matches a DNSKEY record in the child zone.
Pass
DNS Integrity (DNSSEC)
DNSKEY RRset signature is valid
The DNSKEY RRset is signed and its signature validates correctly.
Pass
DNS Integrity (DNSSEC)
Zone RRset signature is valid
The zone SOA RRset is signed and its signature validates correctly.
Pass
DNS Integrity (DNSSEC)
DNSSEC algorithms are acceptable
The DNSSEC algorithms and DS digest types are accepted by the validation policy.
Pass
Web
100%
Disclosure Policy (security.txt)
Learn how it works
Info
4/4 pass
Disclosure Policy (security.txt)
security.txt is accessible at the canonical location
The domain serves a security.txt file at /.well-known/security.txt over HTTPS with the correct Content-Type.
Pass
Disclosure Policy (security.txt)
Contact field is valid
The security.txt file contains at least one Contact field with a valid URI.
Pass
Disclosure Policy (security.txt)
Expires field is valid
The security.txt file contains a valid Expires date that is in the future and within the recommended one-year window.
Pass
Disclosure Policy (security.txt)
Canonical field is valid
The Canonical field is either absent (which is acceptable) or correctly lists the URL from which this file was retrieved.
Pass
Feedback