Blog
Contact
Sign in
Scan complete
B
80/100
cloudflare.com
2 high-risk issues to fix.
10/10
checks
43
passed
finished
Scan timestamps
Created
Jul 16, 2026, 1:46 AM
Started
Jul 16, 2026, 1:46 AM
Finished
Jul 16, 2026, 1:46 AM
Updated
Jul 16, 2026, 1:46 AM
Export PDF
Re-scan
Findings by severity
47 results
0
Critical
2
High
1
Medium
1
Low
43
Pass
Report coverage
100%
Full coverage - every planned check was evaluated.
6 skipped
All
53
High
2
Medium
1
Low
1
Pass
43
Skipped
6
Email
100%
Sender Authentication (SPF)
Learn how it works
Info
7/7 pass
Sender Authentication (SPF)
SPF record is published
The domain publishes exactly one SPF TXT record.
Pass
Sender Authentication (SPF)
SPF syntax is valid
The SPF record is syntactically valid.
Pass
Sender Authentication (SPF)
SPF policy uses strict fail mode
The SPF policy explicitly rejects unauthorized senders with -all.
Pass
Sender Authentication (SPF)
SPF DNS lookup limit is not exceeded
The SPF policy stays within the DNS lookup limit.
Pass
Sender Authentication (SPF)
SPF delegated policies are valid
All include and redirect targets resolve to valid SPF policies.
Pass
Sender Authentication (SPF)
SPF record avoids deprecated mechanisms
The SPF policy does not use discouraged SPF mechanisms.
Pass
Sender Authentication (SPF)
SPF authorization scope is constrained
The SPF policy does not authorize obviously overbroad IP ranges.
Pass
Domain Alignment (DMARC)
Learn how it works
Info
6/7 pass
Domain Alignment (DMARC)
DMARC record is published
The domain publishes exactly one DMARC TXT record.
Pass
Domain Alignment (DMARC)
DMARC syntax is valid
The DMARC record is syntactically valid.
Pass
Domain Alignment (DMARC)
DMARC policy rejects unauthenticated mail
The DMARC policy requests rejection of mail that fails DMARC validation.
Pass
Domain Alignment (DMARC)
DMARC subdomain policy rejects unauthenticated mail
Subdomains are protected by an effective reject policy.
Pass
Domain Alignment (DMARC)
DMARC policy applies to all failing mail
The DMARC policy is applied to 100% of failing messages.
Pass
Domain Alignment (DMARC)
DMARC aggregate reporting is configured
The DMARC record contains a valid aggregate reporting destination.
Pass
Domain Alignment (DMARC)
DMARC alignment is relaxed
The DMARC record allows relaxed identifier alignment for DKIM or SPF.
Low
Transport Encryption (SMTP TLS)
Learn how it works
Info
5/5 pass
Transport Encryption (SMTP TLS)
MX hosts discovered
The domain has at least one MX host configured.
Pass
Transport Encryption (SMTP TLS)
STARTTLS is available on all MX hosts
All MX hosts advertise and accept STARTTLS and present a valid SMTP session.
Pass
Transport Encryption (SMTP TLS)
All MX hosts negotiate TLS 1.3
All MX hosts negotiate TLS 1.3, the current recommended protocol version.
Pass
Transport Encryption (SMTP TLS)
MX host certificates are valid
All MX hosts present valid, trusted, name-matched certificates with adequate key strength.
Pass
Transport Encryption (SMTP TLS)
All MX hosts negotiate AEAD cipher suites with forward secrecy
All MX hosts negotiate modern AEAD cipher suites (GCM or CHACHA20-POLY1305) with ECDHE key exchange or TLS 1.3, providing both forward secrecy and authenticated encryption.
Pass
Certificate Binding (DANE)
Learn how it works
Info
5/5 pass
Certificate Binding (DANE)
Inbound mail routing is defined
The domain publishes MX records, or a null MX record correctly declaring that it does not accept inbound mail.
Pass
Certificate Binding (DANE)
DNSSEC covers all TLSA lookup zones
All MX hosts have their TLSA lookup zones protected by DNSSEC. Sending servers can trust the TLSA records.
Pass
Certificate Binding (DANE)
All MX hosts have TLSA records
Every MX host has at least one usable DANE TLSA record published. Sending servers that support DANE can authenticate all inbound mail paths.
Pass
Certificate Binding (DANE)
DANE TLSA parameters are recommended
All TLSA records use recommended certificate usage, selector, and matching type parameters suitable for SMTP DANE.
Pass
Certificate Binding (DANE)
MX certificates match TLSA records
The TLS certificates presented by all MX hosts on port 25 match their published TLSA records. DANE end-to-end verification passed.
Pass
Mail Servers (MX)
Learn how it works
Info
3/3 pass
Mail Servers (MX)
MX records are published
The domain publishes at least one MX record with a hostname.
Pass
Mail Servers (MX)
MX hosts are structurally valid
All MX records point to valid hostnames that are not CNAME aliases or IP address literals.
Pass
Mail Servers (MX)
All MX hosts resolve to public addresses
Every MX hostname resolves only to publicly routable IP addresses, with no reserved or unresolved addresses.
Pass
Transport Policy (MTA-STS)
Learn how it works
Info
1/6 pass
Transport Policy (MTA-STS)
Inbound mail routing is defined
The domain publishes MX records, or a null MX record correctly declaring that it does not accept inbound mail.
Pass
Transport Policy (MTA-STS)
MTA-STS DNS record is missing
The domain does not publish an MTA-STS TXT record, so sending servers cannot discover or enforce an MTA-STS policy.
High
Transport Policy (MTA-STS)
MTA-STS policy fetch was not evaluated
Policy fetch was skipped because the domain does not have a valid MTA-STS DNS record.
No impact on score or coverage
Skipped
Transport Policy (MTA-STS)
MTA-STS policy syntax was not evaluated
Policy syntax evaluation was skipped because the policy file could not be fetched.
No impact on score or coverage
Skipped
Transport Policy (MTA-STS)
MTA-STS mode was not evaluated
Mode evaluation was skipped because the policy file is not available or has invalid syntax.
No impact on score or coverage
Skipped
Transport Policy (MTA-STS)
MTA-STS MX coverage was not evaluated
MX coverage evaluation was skipped because the policy file is not available, has invalid syntax, or the domain does not accept mail.
No impact on score or coverage
Skipped
TLS Reporting (TLS-RPT)
Learn how it works
Info
1/4 pass
TLS Reporting (TLS-RPT)
Inbound mail routing is defined
The domain publishes MX records, or a null MX record correctly declaring that it does not accept inbound mail.
Pass
TLS Reporting (TLS-RPT)
No TLS-RPT record found
The domain does not publish a TLS-RPT record. Sending servers cannot report TLS errors to this domain.
High
TLS Reporting (TLS-RPT)
TLS-RPT syntax was not evaluated
Syntax evaluation was skipped because the domain does not have exactly one TLS-RPT record.
No impact on score or coverage
Skipped
TLS Reporting (TLS-RPT)
TLS-RPT rua quality was not evaluated
Reporting URI evaluation was skipped because the domain does not have a syntactically valid TLS-RPT record.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
Learn how it works
Info
6/6 pass
Brand Indicators (BIMI)
BIMI record is published
The domain publishes exactly one BIMI TXT record. Its tag-level correctness is evaluated by the syntax check.
Pass
Brand Indicators (BIMI)
BIMI record syntax is valid
The BIMI record is syntactically correct with a valid logo location.
Pass
Brand Indicators (BIMI)
DMARC enforcement is sufficient for BIMI
The domain has an enforcing DMARC policy (reject at any percentage, or quarantine at 100%), meeting the BIMI prerequisite.
Pass
Brand Indicators (BIMI)
BIMI logo is accessible
The BIMI logo SVG is accessible via HTTPS and within the required size limit.
Pass
Brand Indicators (BIMI)
BIMI logo passes SVG Tiny P/S structural checks
The BIMI logo passes SecRift's SVG Tiny Portable/Secure structural checks (profile attributes present, no forbidden elements or external references).
Pass
Brand Indicators (BIMI)
BIMI certificate passes X.509 validation
The VMC/CMC certificate was fetched and passed X.509 validation — trusted chain, valid dates, BIMI key usage, and matching domain. The embedded mark image is not compared to the published logo in this check.
Pass
DNS
100%
DNS Integrity (DNSSEC)
Learn how it works
Info
6/6 pass
DNS Integrity (DNSSEC)
DNSSEC DS record is published
The parent zone publishes a DS record for this domain.
Pass
DNS Integrity (DNSSEC)
DNSKEY records are published
The child zone publishes DNSKEY records required for DNSSEC validation.
Pass
DNS Integrity (DNSSEC)
DS records match DNSKEY records
At least one DS record matches a DNSKEY record in the child zone.
Pass
DNS Integrity (DNSSEC)
DNSKEY RRset signature is valid
The DNSKEY RRset is signed and its signature validates correctly.
Pass
DNS Integrity (DNSSEC)
Zone RRset signature is valid
The zone SOA RRset is signed and its signature validates correctly.
Pass
DNS Integrity (DNSSEC)
DNSSEC algorithms are acceptable
The DNSSEC algorithms and DS digest types are accepted by the validation policy.
Pass
Web
100%
Disclosure Policy (security.txt)
Learn how it works
Info
3/4 pass
Disclosure Policy (security.txt)
security.txt is accessible at the canonical location
The domain serves a security.txt file at /.well-known/security.txt over HTTPS with the correct Content-Type.
Pass
Disclosure Policy (security.txt)
Contact field is valid
The security.txt file contains at least one Contact field with a valid URI.
Pass
Disclosure Policy (security.txt)
Expires field is missing, invalid, or expired
The security.txt file does not contain exactly one valid, in-date Expires field with an explicit timezone. The field is either absent, present more than once, not a valid date-time with a timezone offset, or its date is in the past. An expired file should not be used by security researchers.
Medium
Disclosure Policy (security.txt)
Canonical field is valid
The Canonical field is either absent (which is acceptable) or correctly lists the URL from which this file was retrieved.
Pass
Feedback