Blog
Contact
Sign in
Scan complete
E
52/100
github.com
Improved · F → E · +3
Compare
1 critical issue needs immediate attention.
10/10
checks
26
passed
finished
Scan timestamps
Created
Jul 7, 2026, 6:27 AM
Started
Jul 7, 2026, 6:27 AM
Finished
Jul 7, 2026, 6:28 AM
Updated
Jul 7, 2026, 6:27 AM
Export PDF
Re-scan
Findings by severity
33 results
1
Critical
2
High
3
Medium
1
Low
26
Pass
Report coverage
97%
20 skipped - these limit completeness.
20 skipped
All
53
Critical
1
High
2
Medium
3
Low
1
Pass
26
Skipped
20
Email
96%
Sender Authentication (SPF)
Learn how it works
Info
6/7 pass
Sender Authentication (SPF)
SPF record is published
The domain publishes exactly one SPF TXT record.
Pass
Sender Authentication (SPF)
SPF syntax is valid
The SPF record is syntactically valid.
Pass
Sender Authentication (SPF)
SPF policy does not use strict fail mode
The SPF policy does not fully reject unauthorized senders.
Medium
Sender Authentication (SPF)
SPF DNS lookup limit is not exceeded
The SPF policy stays within the DNS lookup limit.
Pass
Sender Authentication (SPF)
SPF delegated policies are valid
All include and redirect targets resolve to valid SPF policies.
Pass
Sender Authentication (SPF)
SPF record avoids deprecated mechanisms
The SPF policy does not use discouraged SPF mechanisms.
Pass
Sender Authentication (SPF)
SPF authorization scope is constrained
The SPF policy does not authorize obviously overbroad IP ranges.
Pass
Domain Alignment (DMARC)
Learn how it works
Info
5/7 pass
Domain Alignment (DMARC)
DMARC record is published
The domain publishes exactly one DMARC TXT record.
Pass
Domain Alignment (DMARC)
DMARC syntax is valid
The DMARC record is syntactically valid.
Pass
Domain Alignment (DMARC)
DMARC policy quarantines unauthenticated mail
The DMARC policy asks receivers to treat failing mail as suspicious, but does not request full rejection.
Medium
Domain Alignment (DMARC)
DMARC subdomain policy rejects unauthenticated mail
Subdomains are protected by an effective reject policy.
Pass
Domain Alignment (DMARC)
DMARC policy applies to all failing mail
The DMARC policy is applied to 100% of failing messages.
Pass
Domain Alignment (DMARC)
DMARC aggregate reporting is configured
The DMARC record contains a valid aggregate reporting destination.
Pass
Domain Alignment (DMARC)
DMARC alignment is relaxed
The DMARC record allows relaxed identifier alignment for DKIM or SPF.
Low
Transport Encryption (SMTP TLS)
Learn how it works
Info
5/5 pass
Transport Encryption (SMTP TLS)
MX hosts discovered
The domain has at least one MX host configured.
Pass
Transport Encryption (SMTP TLS)
STARTTLS is available on all MX hosts
All MX hosts advertise and accept STARTTLS and present a valid SMTP session.
Pass
Transport Encryption (SMTP TLS)
All MX hosts negotiate TLS 1.3
All MX hosts negotiate TLS 1.3, the current recommended protocol version.
Pass
Transport Encryption (SMTP TLS)
MX host certificates are valid
All MX hosts present valid, trusted, name-matched certificates with adequate key strength.
Pass
Transport Encryption (SMTP TLS)
All MX hosts negotiate AEAD cipher suites with forward secrecy
All MX hosts negotiate modern AEAD cipher suites (GCM or CHACHA20-POLY1305) with ECDHE key exchange or TLS 1.3, providing both forward secrecy and authenticated encryption.
Pass
Certificate Binding (DANE)
Learn how it works
Info
1/5 pass
Certificate Binding (DANE)
Inbound mail routing is defined
The domain publishes MX records, or a null MX record correctly declaring that it does not accept inbound mail.
Pass
Certificate Binding (DANE)
No MX host TLSA zone is protected by DNSSEC
None of the MX hosts have DNSSEC on their TLSA lookup zones. DANE SMTP cannot function without DNSSEC, as sending servers will ignore TLSA records from unsigned zones.
Critical
Certificate Binding (DANE)
TLSA coverage was not evaluated
TLSA coverage evaluation was skipped because no MX hosts were discovered or DNSSEC is not available.
No impact on score or coverage
Skipped
Certificate Binding (DANE)
TLSA parameter quality was not evaluated
TLSA parameter evaluation was skipped because no usable TLSA records were found.
No impact on score or coverage
Skipped
Certificate Binding (DANE)
Certificate match was not evaluated
Certificate verification was skipped because no usable TLSA records are published for the MX hosts.
No impact on score or coverage
Skipped
Mail Servers (MX)
Learn how it works
Info
3/3 pass
Mail Servers (MX)
MX records are published
The domain publishes at least one MX record with a hostname.
Pass
Mail Servers (MX)
MX hosts are structurally valid
All MX records point to valid hostnames that are not CNAME aliases or IP address literals.
Pass
Mail Servers (MX)
All MX hosts resolve to public addresses
Every MX hostname resolves only to publicly routable IP addresses, with no reserved or unresolved addresses.
Pass
Transport Policy (MTA-STS)
Learn how it works
Info
1/6 pass
Transport Policy (MTA-STS)
Inbound mail routing is defined
The domain publishes MX records, or a null MX record correctly declaring that it does not accept inbound mail.
Pass
Transport Policy (MTA-STS)
MTA-STS DNS record is missing
The domain does not publish an MTA-STS TXT record, so sending servers cannot discover or enforce an MTA-STS policy.
High
Transport Policy (MTA-STS)
MTA-STS policy fetch was not evaluated
Policy fetch was skipped because the domain does not have a valid MTA-STS DNS record.
No impact on score or coverage
Skipped
Transport Policy (MTA-STS)
MTA-STS policy syntax was not evaluated
Policy syntax evaluation was skipped because the policy file could not be fetched.
No impact on score or coverage
Skipped
Transport Policy (MTA-STS)
MTA-STS mode was not evaluated
Mode evaluation was skipped because the policy file is not available or has invalid syntax.
No impact on score or coverage
Skipped
Transport Policy (MTA-STS)
MTA-STS MX coverage was not evaluated
MX coverage evaluation was skipped because the policy file is not available, has invalid syntax, or the domain does not accept mail.
No impact on score or coverage
Skipped
TLS Reporting (TLS-RPT)
Learn how it works
Info
1/4 pass
TLS Reporting (TLS-RPT)
Inbound mail routing is defined
The domain publishes MX records, or a null MX record correctly declaring that it does not accept inbound mail.
Pass
TLS Reporting (TLS-RPT)
No TLS-RPT record found
The domain does not publish a TLS-RPT record. Sending servers cannot report TLS errors to this domain.
High
TLS Reporting (TLS-RPT)
TLS-RPT syntax was not evaluated
Syntax evaluation was skipped because the domain does not have exactly one TLS-RPT record.
No impact on score or coverage
Skipped
TLS Reporting (TLS-RPT)
TLS-RPT rua quality was not evaluated
Reporting URI evaluation was skipped because the domain does not have a syntactically valid TLS-RPT record.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
Learn how it works
Info
0/6 pass
Brand Indicators (BIMI)
BIMI record was not evaluated
The domain does not publish a BIMI record or has explicitly refused BIMI participation. BIMI is optional and no action is required.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI syntax was not evaluated
Syntax evaluation was skipped because the domain does not publish a single BIMI record.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
DMARC prerequisite was not evaluated
The DMARC prerequisite check was skipped because the domain does not publish a single valid BIMI record.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI logo accessibility was not evaluated
Logo accessibility check was skipped because the domain does not have a valid BIMI record with a logo URL.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI logo format was not evaluated
Logo format check was skipped because the logo could not be retrieved.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI certificate was not evaluated
Certificate validation was skipped because the BIMI record does not include a VMC/CMC certificate URL. BIMI without a certificate is accepted by some providers but not Gmail or Apple Mail.
No impact on score or coverage
Skipped
DNS
100%
DNS Integrity (DNSSEC)
Learn how it works
Info
0/6 pass
DNS Integrity (DNSSEC)
DNSSEC is not enabled
The parent zone does not publish a DS record for this domain.
Medium
DNS Integrity (DNSSEC)
DNSKEY publication was not evaluated
DNSKEY evaluation was skipped because the parent zone does not publish a DS record.
No impact on score or coverage
Skipped
DNS Integrity (DNSSEC)
DS and DNSKEY matching was not evaluated
DS/DNSKEY matching was skipped because required DNSSEC records are missing.
No impact on score or coverage
Skipped
DNS Integrity (DNSSEC)
DNSKEY RRset signature was not evaluated
DNSKEY signature validation was skipped because DS/DNSKEY matching did not produce a valid trust path.
No impact on score or coverage
Skipped
DNS Integrity (DNSSEC)
Zone RRset signature was not evaluated
Zone RRset validation was skipped because earlier DNSSEC validation steps failed.
No impact on score or coverage
Skipped
DNS Integrity (DNSSEC)
DNSSEC algorithm policy was not evaluated
Algorithm policy evaluation was skipped because DNSSEC validation prerequisites were not met.
No impact on score or coverage
Skipped
Web
100%
Disclosure Policy (security.txt)
Learn how it works
Info
4/4 pass
Disclosure Policy (security.txt)
security.txt is accessible at the canonical location
The domain serves a security.txt file at /.well-known/security.txt over HTTPS with the correct Content-Type.
Pass
Disclosure Policy (security.txt)
Contact field is valid
The security.txt file contains at least one Contact field with a valid URI.
Pass
Disclosure Policy (security.txt)
Expires field is valid
The security.txt file contains a valid Expires date that is in the future and within the recommended one-year window.
Pass
Disclosure Policy (security.txt)
Canonical field is valid
The Canonical field is either absent (which is acceptable) or correctly lists the URL from which this file was retrieved.
Pass
Feedback