Blog
Contact
Sign in
Scan complete
F
0/100
hermeneutic.app
1 critical issue needs immediate attention.
10/10
checks
0
passed
finished
Scan timestamps
Created
Jul 9, 2026, 2:58 AM
Started
Jul 9, 2026, 2:58 AM
Finished
Jul 9, 2026, 2:58 AM
Updated
Jul 9, 2026, 2:58 AM
Export PDF
Re-scan
Findings by severity
11 results
1
Critical
9
High
1
Medium
0
Low
0
Pass
Report coverage
92%
1 couldn’t be evaluated · 41 skipped - these limit completeness.
1 error
41 skipped
All
53
Critical
1
High
9
Medium
1
Error
1
Skipped
41
Email
96%
Sender Authentication (SPF)
Learn how it works
Info
0/7 pass
Sender Authentication (SPF)
No SPF record found
The domain does not publish an SPF policy.
High
Sender Authentication (SPF)
SPF syntax was not evaluated
Syntax evaluation was skipped because the domain does not have exactly one SPF record.
No impact on score or coverage
Skipped
Sender Authentication (SPF)
SPF policy terminator was not evaluated
Policy terminator evaluation was skipped because the domain does not have a valid SPF record.
No impact on score or coverage
Skipped
Sender Authentication (SPF)
SPF DNS lookup limit was not evaluated
Lookup limit evaluation was skipped because the domain does not have a valid SPF record.
No impact on score or coverage
Skipped
Sender Authentication (SPF)
SPF delegated policy validity was not evaluated
Delegated policy evaluation was skipped because the domain does not have a valid SPF record.
No impact on score or coverage
Skipped
Sender Authentication (SPF)
SPF deprecated mechanisms were not evaluated
Deprecated mechanisms check was skipped because the domain does not have a valid SPF record.
No impact on score or coverage
Skipped
Sender Authentication (SPF)
SPF authorization scope was not evaluated
Authorization scope evaluation was skipped because the domain does not have a valid SPF record.
No impact on score or coverage
Skipped
Domain Alignment (DMARC)
Learn how it works
Info
0/7 pass
Domain Alignment (DMARC)
No DMARC record found
The domain does not publish a DMARC policy.
High
Domain Alignment (DMARC)
DMARC syntax was not evaluated
Syntax evaluation was skipped because the domain does not have exactly one DMARC record.
No impact on score or coverage
Skipped
Domain Alignment (DMARC)
DMARC policy was not evaluated
Policy evaluation was skipped because the domain does not have a valid DMARC record.
No impact on score or coverage
Skipped
Domain Alignment (DMARC)
DMARC subdomain policy was not evaluated
Subdomain policy evaluation was skipped because the domain does not have a valid applicable DMARC record.
No impact on score or coverage
Skipped
Domain Alignment (DMARC)
DMARC pct was not evaluated
Percentage enforcement was skipped because there is no active enforcement policy to sample.
No impact on score or coverage
Skipped
Domain Alignment (DMARC)
DMARC reporting was not evaluated
Reporting evaluation was skipped because the domain does not have a valid DMARC record.
No impact on score or coverage
Skipped
Domain Alignment (DMARC)
DMARC alignment was not evaluated
Alignment evaluation was skipped because the domain does not have a valid DMARC record.
No impact on score or coverage
Skipped
Transport Encryption (SMTP TLS)
Learn how it works
Info
0/5 pass
Transport Encryption (SMTP TLS)
No MX records found
The domain does not publish MX records, so SMTP TLS cannot be evaluated.
High
Transport Encryption (SMTP TLS)
STARTTLS support was not evaluated
STARTTLS evaluation was skipped because no MX hosts were discovered.
No impact on score or coverage
Skipped
Transport Encryption (SMTP TLS)
TLS protocol version was not evaluated
TLS protocol evaluation was skipped because STARTTLS is not available on any MX host.
No impact on score or coverage
Skipped
Transport Encryption (SMTP TLS)
Certificate validity was not evaluated
Certificate evaluation was skipped because STARTTLS is not available on any MX host.
No impact on score or coverage
Skipped
Transport Encryption (SMTP TLS)
Cipher quality was not evaluated
Cipher evaluation was skipped because STARTTLS is not available on any MX host.
No impact on score or coverage
Skipped
Certificate Binding (DANE)
Learn how it works
Info
0/5 pass
Certificate Binding (DANE)
No MX records published
The domain publishes no MX record, so inbound mail falls back to its A/AAAA host. DANE was still evaluated against that host, but an explicit MX record should be published.
High
Certificate Binding (DANE)
No MX host TLSA zone is protected by DNSSEC
None of the MX hosts have DNSSEC on their TLSA lookup zones. DANE SMTP cannot function without DNSSEC, as sending servers will ignore TLSA records from unsigned zones.
Critical
Certificate Binding (DANE)
TLSA coverage was not evaluated
TLSA coverage evaluation was skipped because no MX hosts were discovered or DNSSEC is not available.
No impact on score or coverage
Skipped
Certificate Binding (DANE)
TLSA parameter quality was not evaluated
TLSA parameter evaluation was skipped because no usable TLSA records were found.
No impact on score or coverage
Skipped
Certificate Binding (DANE)
Certificate match was not evaluated
Certificate verification was skipped because no usable TLSA records are published for the MX hosts.
No impact on score or coverage
Skipped
Mail Servers (MX)
Learn how it works
Info
0/3 pass
Mail Servers (MX)
No MX records found
The domain does not publish MX records. Sending MTAs fall back to the A record, which is not a substitute for a proper MX configuration.
High
Mail Servers (MX)
MX host validity was not evaluated
Host validity evaluation was skipped because the domain does not have regular MX records.
No impact on score or coverage
Skipped
Mail Servers (MX)
MX host resolvability was not evaluated
Resolvability evaluation was skipped because there are no FQDN MX hosts to check.
No impact on score or coverage
Skipped
Transport Policy (MTA-STS)
Learn how it works
Info
0/6 pass
Transport Policy (MTA-STS)
No MX records published
The domain publishes no MX record, so inbound mail falls back to its A/AAAA host. MTA-STS was still evaluated, but an explicit MX record should be published.
High
Transport Policy (MTA-STS)
MTA-STS DNS record is missing
The domain does not publish an MTA-STS TXT record, so sending servers cannot discover or enforce an MTA-STS policy.
High
Transport Policy (MTA-STS)
MTA-STS policy fetch was not evaluated
Policy fetch was skipped because the domain does not have a valid MTA-STS DNS record.
No impact on score or coverage
Skipped
Transport Policy (MTA-STS)
MTA-STS policy syntax was not evaluated
Policy syntax evaluation was skipped because the policy file could not be fetched.
No impact on score or coverage
Skipped
Transport Policy (MTA-STS)
MTA-STS mode was not evaluated
Mode evaluation was skipped because the policy file is not available or has invalid syntax.
No impact on score or coverage
Skipped
Transport Policy (MTA-STS)
MTA-STS MX coverage was not evaluated
MX coverage evaluation was skipped because the policy file is not available, has invalid syntax, or the domain does not accept mail.
No impact on score or coverage
Skipped
TLS Reporting (TLS-RPT)
Learn how it works
Info
0/4 pass
TLS Reporting (TLS-RPT)
No MX records published
The domain publishes no MX record, so inbound mail falls back to its A/AAAA host. TLS-RPT was still evaluated, but an explicit MX record should be published.
High
TLS Reporting (TLS-RPT)
No TLS-RPT record found
The domain does not publish a TLS-RPT record. Sending servers cannot report TLS errors to this domain.
High
TLS Reporting (TLS-RPT)
TLS-RPT syntax was not evaluated
Syntax evaluation was skipped because the domain does not have exactly one TLS-RPT record.
No impact on score or coverage
Skipped
TLS Reporting (TLS-RPT)
TLS-RPT rua quality was not evaluated
Reporting URI evaluation was skipped because the domain does not have a syntactically valid TLS-RPT record.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
Learn how it works
Info
0/6 pass
Brand Indicators (BIMI)
BIMI record was not evaluated
The domain does not publish a BIMI record or has explicitly refused BIMI participation. BIMI is optional and no action is required.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI syntax was not evaluated
Syntax evaluation was skipped because the domain does not publish a single BIMI record.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
DMARC prerequisite was not evaluated
The DMARC prerequisite check was skipped because the domain does not publish a single valid BIMI record.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI logo accessibility was not evaluated
Logo accessibility check was skipped because the domain does not have a valid BIMI record with a logo URL.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI logo format was not evaluated
Logo format check was skipped because the logo could not be retrieved.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI certificate was not evaluated
Certificate validation was skipped because the BIMI record does not include a VMC/CMC certificate URL. BIMI without a certificate is accepted by some providers but not Gmail or Apple Mail.
No impact on score or coverage
Skipped
DNS
100%
DNS Integrity (DNSSEC)
Learn how it works
Info
0/6 pass
DNS Integrity (DNSSEC)
DNSSEC is not enabled
The parent zone does not publish a DS record for this domain.
Medium
DNS Integrity (DNSSEC)
DNSKEY publication was not evaluated
DNSKEY evaluation was skipped because the parent zone does not publish a DS record.
No impact on score or coverage
Skipped
DNS Integrity (DNSSEC)
DS and DNSKEY matching was not evaluated
DS/DNSKEY matching was skipped because required DNSSEC records are missing.
No impact on score or coverage
Skipped
DNS Integrity (DNSSEC)
DNSKEY RRset signature was not evaluated
DNSKEY signature validation was skipped because DS/DNSKEY matching did not produce a valid trust path.
No impact on score or coverage
Skipped
DNS Integrity (DNSSEC)
Zone RRset signature was not evaluated
Zone RRset validation was skipped because earlier DNSSEC validation steps failed.
No impact on score or coverage
Skipped
DNS Integrity (DNSSEC)
DNSSEC algorithm policy was not evaluated
Algorithm policy evaluation was skipped because DNSSEC validation prerequisites were not met.
No impact on score or coverage
Skipped
Web
Disclosure Policy (security.txt)
Learn how it works
Info
0/4 pass
Disclosure Policy (security.txt)
security.txt could not be retrieved
The security.txt endpoint could not be reached due to a network, TLS, or DNS error.
Doesn’t affect score · lowers coverage
Error
Disclosure Policy (security.txt)
Contact field was not evaluated
Contact field evaluation was skipped because the security.txt file is not accessible.
No impact on score or coverage
Skipped
Disclosure Policy (security.txt)
Expires field was not evaluated
Expires field evaluation was skipped because the security.txt file is not accessible.
No impact on score or coverage
Skipped
Disclosure Policy (security.txt)
Canonical field was not evaluated
Canonical field evaluation was skipped because the security.txt file is not accessible.
No impact on score or coverage
Skipped
Feedback