Blog
Contact
Sign in
Scan complete
C
70/100
facebook.com
Improved · D → C · +1
Compare
1 critical issue needs immediate attention.
10/10
checks
34
passed
finished
Scan timestamps
Created
Jul 7, 2026, 7:10 PM
Started
Jul 7, 2026, 7:10 PM
Finished
Jul 7, 2026, 7:10 PM
Updated
Jul 7, 2026, 7:10 PM
Export PDF
Re-scan
Findings by severity
39 results
1
Critical
2
High
1
Medium
1
Low
34
Pass
Report coverage
97%
14 skipped - these limit completeness.
14 skipped
All
53
Critical
1
High
2
Medium
1
Low
1
Pass
34
Skipped
14
Email
96%
Sender Authentication (SPF)
Learn how it works
Info
7/7 pass
Sender Authentication (SPF)
SPF record is published
The domain publishes exactly one SPF TXT record.
Pass
Sender Authentication (SPF)
SPF syntax is valid
The SPF record is syntactically valid.
Pass
Sender Authentication (SPF)
SPF policy uses strict fail mode
The SPF policy explicitly rejects unauthorized senders with -all.
Pass
Sender Authentication (SPF)
SPF DNS lookup limit is not exceeded
The SPF policy stays within the DNS lookup limit.
Pass
Sender Authentication (SPF)
SPF delegated policies are valid
All include and redirect targets resolve to valid SPF policies.
Pass
Sender Authentication (SPF)
SPF record avoids deprecated mechanisms
The SPF policy does not use discouraged SPF mechanisms.
Pass
Sender Authentication (SPF)
SPF authorization scope is constrained
The SPF policy does not authorize obviously overbroad IP ranges.
Pass
Domain Alignment (DMARC)
Learn how it works
Info
5/7 pass
Domain Alignment (DMARC)
DMARC record is published
The domain publishes exactly one DMARC TXT record.
Pass
Domain Alignment (DMARC)
DMARC syntax is valid
The DMARC record is syntactically valid.
Pass
Domain Alignment (DMARC)
DMARC policy rejects unauthenticated mail
The DMARC policy requests rejection of mail that fails DMARC validation.
Pass
Domain Alignment (DMARC)
DMARC subdomain policy rejects unauthenticated mail
Subdomains are protected by an effective reject policy.
Pass
Domain Alignment (DMARC)
DMARC policy applies to all failing mail
The DMARC policy is applied to 100% of failing messages.
Pass
Domain Alignment (DMARC)
DMARC reporting destination is not usable
The DMARC aggregate reporting destination is invalid, unsupported, or not authorized.
High
Domain Alignment (DMARC)
DMARC alignment is relaxed
The DMARC record allows relaxed identifier alignment for DKIM or SPF.
Low
Transport Encryption (SMTP TLS)
Learn how it works
Info
5/5 pass
Transport Encryption (SMTP TLS)
MX hosts discovered
The domain has at least one MX host configured.
Pass
Transport Encryption (SMTP TLS)
STARTTLS is available on all MX hosts
All MX hosts advertise and accept STARTTLS and present a valid SMTP session.
Pass
Transport Encryption (SMTP TLS)
All MX hosts negotiate TLS 1.3
All MX hosts negotiate TLS 1.3, the current recommended protocol version.
Pass
Transport Encryption (SMTP TLS)
MX host certificates are valid
All MX hosts present valid, trusted, name-matched certificates with adequate key strength.
Pass
Transport Encryption (SMTP TLS)
All MX hosts negotiate AEAD cipher suites with forward secrecy
All MX hosts negotiate modern AEAD cipher suites (GCM or CHACHA20-POLY1305) with ECDHE key exchange or TLS 1.3, providing both forward secrecy and authenticated encryption.
Pass
Certificate Binding (DANE)
Learn how it works
Info
1/5 pass
Certificate Binding (DANE)
Inbound mail routing is defined
The domain publishes MX records, or a null MX record correctly declaring that it does not accept inbound mail.
Pass
Certificate Binding (DANE)
No MX host TLSA zone is protected by DNSSEC
None of the MX hosts have DNSSEC on their TLSA lookup zones. DANE SMTP cannot function without DNSSEC, as sending servers will ignore TLSA records from unsigned zones.
Critical
Certificate Binding (DANE)
TLSA coverage was not evaluated
TLSA coverage evaluation was skipped because no MX hosts were discovered or DNSSEC is not available.
No impact on score or coverage
Skipped
Certificate Binding (DANE)
TLSA parameter quality was not evaluated
TLSA parameter evaluation was skipped because no usable TLSA records were found.
No impact on score or coverage
Skipped
Certificate Binding (DANE)
Certificate match was not evaluated
Certificate verification was skipped because no usable TLSA records are published for the MX hosts.
No impact on score or coverage
Skipped
Mail Servers (MX)
Learn how it works
Info
3/3 pass
Mail Servers (MX)
MX records are published
The domain publishes at least one MX record with a hostname.
Pass
Mail Servers (MX)
MX hosts are structurally valid
All MX records point to valid hostnames that are not CNAME aliases or IP address literals.
Pass
Mail Servers (MX)
All MX hosts resolve to public addresses
Every MX hostname resolves only to publicly routable IP addresses, with no reserved or unresolved addresses.
Pass
Transport Policy (MTA-STS)
Learn how it works
Info
5/6 pass
Transport Policy (MTA-STS)
Inbound mail routing is defined
The domain publishes MX records, or a null MX record correctly declaring that it does not accept inbound mail.
Pass
Transport Policy (MTA-STS)
MTA-STS DNS record is valid
The domain publishes exactly one valid MTA-STS TXT record with a correct version and policy ID.
Pass
Transport Policy (MTA-STS)
MTA-STS policy file is accessible
The MTA-STS policy file is served over HTTPS with a valid certificate at the required URL.
Pass
Transport Policy (MTA-STS)
MTA-STS policy syntax is valid
The MTA-STS policy file contains all required fields with valid values.
Pass
Transport Policy (MTA-STS)
MTA-STS policy does not enforce TLS
The MTA-STS policy is not in enforce mode and does not protect against SMTP downgrade attacks.
High
Transport Policy (MTA-STS)
MTA-STS policy covers all MX hosts
Every MX host of the domain is covered by an mx pattern in the MTA-STS policy.
Pass
TLS Reporting (TLS-RPT)
Learn how it works
Info
4/4 pass
TLS Reporting (TLS-RPT)
Inbound mail routing is defined
The domain publishes MX records, or a null MX record correctly declaring that it does not accept inbound mail.
Pass
TLS Reporting (TLS-RPT)
TLS-RPT record is published
The domain publishes exactly one TLS-RPT TXT record.
Pass
TLS Reporting (TLS-RPT)
TLS-RPT syntax is valid
The TLS-RPT record contains all required fields with valid syntax.
Pass
TLS Reporting (TLS-RPT)
TLS-RPT reporting destination is configured
The TLS-RPT record contains at least one valid reporting URI with a supported scheme.
Pass
Brand Indicators (BIMI)
Learn how it works
Info
0/6 pass
Brand Indicators (BIMI)
BIMI record was not evaluated
The domain does not publish a BIMI record or has explicitly refused BIMI participation. BIMI is optional and no action is required.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI syntax was not evaluated
Syntax evaluation was skipped because the domain does not publish a single BIMI record.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
DMARC prerequisite was not evaluated
The DMARC prerequisite check was skipped because the domain does not publish a single valid BIMI record.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI logo accessibility was not evaluated
Logo accessibility check was skipped because the domain does not have a valid BIMI record with a logo URL.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI logo format was not evaluated
Logo format check was skipped because the logo could not be retrieved.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI certificate was not evaluated
Certificate validation was skipped because the BIMI record does not include a VMC/CMC certificate URL. BIMI without a certificate is accepted by some providers but not Gmail or Apple Mail.
No impact on score or coverage
Skipped
DNS
100%
DNS Integrity (DNSSEC)
Learn how it works
Info
0/6 pass
DNS Integrity (DNSSEC)
DNSSEC is not enabled
The parent zone does not publish a DS record for this domain.
Medium
DNS Integrity (DNSSEC)
DNSKEY publication was not evaluated
DNSKEY evaluation was skipped because the parent zone does not publish a DS record.
No impact on score or coverage
Skipped
DNS Integrity (DNSSEC)
DS and DNSKEY matching was not evaluated
DS/DNSKEY matching was skipped because required DNSSEC records are missing.
No impact on score or coverage
Skipped
DNS Integrity (DNSSEC)
DNSKEY RRset signature was not evaluated
DNSKEY signature validation was skipped because DS/DNSKEY matching did not produce a valid trust path.
No impact on score or coverage
Skipped
DNS Integrity (DNSSEC)
Zone RRset signature was not evaluated
Zone RRset validation was skipped because earlier DNSSEC validation steps failed.
No impact on score or coverage
Skipped
DNS Integrity (DNSSEC)
DNSSEC algorithm policy was not evaluated
Algorithm policy evaluation was skipped because DNSSEC validation prerequisites were not met.
No impact on score or coverage
Skipped
Web
100%
Disclosure Policy (security.txt)
Learn how it works
Info
4/4 pass
Disclosure Policy (security.txt)
security.txt is accessible at the canonical location
The domain serves a security.txt file at /.well-known/security.txt over HTTPS with the correct Content-Type.
Pass
Disclosure Policy (security.txt)
Contact field is valid
The security.txt file contains at least one Contact field with a valid URI.
Pass
Disclosure Policy (security.txt)
Expires field is valid
The security.txt file contains a valid Expires date that is in the future and within the recommended one-year window.
Pass
Disclosure Policy (security.txt)
Canonical field is valid
The Canonical field is either absent (which is acceptable) or correctly lists the URL from which this file was retrieved.
Pass
Feedback