Blog
Contact
Sign in
Scan complete
D
63/100
inbox.eu.org
1 critical issue needs immediate attention.
16/16
checks
45
passed
finished
Scan timestamps
Created
Jul 18, 2026, 6:12 AM
Started
Jul 18, 2026, 6:12 AM
Finished
Jul 18, 2026, 6:12 AM
Updated
Jul 18, 2026, 6:12 AM
Export PDF
Re-scan
Findings by severity
62 results
1
Critical
10
High
3
Medium
3
Low
45
Pass
Report coverage
98.52%
33 skipped - these limit completeness.
33 skipped
All
95
Critical
1
High
10
Medium
3
Low
3
Pass
45
Skipped
33
Email
96%
Domain Alignment (DMARC)
Learn how it works
Info
0/7 pass
Domain Alignment (DMARC)
No DMARC record found
The domain does not publish a DMARC policy.
High
Transport Encryption (SMTP TLS)
Learn how it works
Info
4/5 pass
Transport Encryption (SMTP TLS)
Some MX host certificates are expired or have name mismatches
At least one MX host presents an expired certificate or a certificate whose name does not match the MX hostname. Senders enforcing MTA-STS (RFC 8461) require a name-matched, time-valid certificate and will refuse delivery to these hosts.
High
Certificate Binding (DANE)
Learn how it works
Info
2/5 pass
Certificate Binding (DANE)
No usable TLSA records found for MX hosts
Either no MX hosts have TLSA records, or all published records use certificate usage types (PKIX-TA/PKIX-EE) that are not usable for SMTP DANE per RFC 7672. DANE does not protect inbound mail delivery.
Critical
Transport Policy (MTA-STS)
Learn how it works
Info
1/6 pass
Transport Policy (MTA-STS)
MTA-STS DNS record is missing
The domain does not publish an MTA-STS TXT record, so sending servers cannot discover or enforce an MTA-STS policy.
High
TLS Reporting (TLS-RPT)
Learn how it works
Info
1/4 pass
TLS Reporting (TLS-RPT)
No TLS-RPT record found
The domain does not publish a TLS-RPT record. Sending servers cannot report TLS errors to this domain.
High
DNS
100%
DNS Integrity (DNSSEC)
Learn how it works
Info
0/7 pass
DNS Integrity (DNSSEC)
DNSSEC is misconfigured (broken chain of trust)
The domain publishes DNSKEY records but the parent zone has no DS record, so the chain of trust is broken and validators treat the zone as insecure.
High
DNS Health (Delegation & Exposure)
Learn how it works
Info
7/8 pass
DNS Health (Delegation & Exposure)
SOA serial does not use the recommended format
The SOA record is otherwise valid, but the serial number does not follow the recommended YYYYMMDDnn date format.
Low
CAA and Certificate Issuance Surface
Learn how it works
Info
1/6 pass
CAA and Certificate Issuance Surface
No CAA record is published
The domain does not publish a CAA record, so any publicly trusted certificate authority may issue certificates for it after standard validation.
Low
TLS
100%
TLS Configuration
Learn how it works
Info
5/6 pass
TLS Configuration
Weak elliptic curve accepted for key exchange
The server negotiates an elliptic curve below 256 bits for at least one ECDHE cipher suite. Weak curves reduce the effective security margin of the key exchange well below modern standards.
High
Web
100%
Disclosure Policy (security.txt)
Learn how it works
Info
0/4 pass
Disclosure Policy (security.txt)
security.txt is not present or not usable
The domain does not publish a usable security.txt file. Either both /.well-known/security.txt and /security.txt returned no file (404/401/403/410), or the location responded with HTTP 200 but non-text/plain content (typically an application page) or a body that is not valid UTF-8.
Medium
HTTP Security Headers
Learn how it works
Info
0/7 pass
HTTP Security Headers
HSTS is not enforced
The site does not send a usable Strict-Transport-Security header, so browsers do not automatically upgrade future requests to HTTPS.
High
HTTP Security Headers
Content-Security-Policy is not enforced
The site does not send an enforced Content-Security-Policy header, leaving no restriction on script execution, framing, or resource loading beyond what other headers provide.
High
HTTP Security Headers
Clickjacking protection is missing
The site does not restrict framing through CSP frame-ancestors or a usable X-Frame-Options value, so it can be embedded in a frame on any origin.
High
HTTP Security Headers
MIME sniffing is not disabled
The site does not send X-Content-Type-Options: nosniff, so browsers may MIME-sniff a response and interpret it as a different, potentially executable content type.
High
HTTP Security Headers
Referrer-Policy is not declared
The site does not send a Referrer-Policy header. Modern browsers default to a reasonably safe behavior, but the site does not explicitly guarantee it.
Medium
HTTP Security Headers
Permissions-Policy is missing or ineffective
The site either does not send a Permissions-Policy header, or the header only lists directives with a wildcard allowlist that does not restrict anything.
Medium
HTTP Security Headers
Server or framework version is exposed
The response discloses a specific server or framework version via the Server or X-Powered-By header, which can help an attacker match known vulnerabilities to the exact version.
Low
Feedback