Blog
Contact
Sign in
Scan complete
C
78/100
culm.net
Improved · +1
Compare
2 high-risk issues to fix.
10/10
checks
34
passed
finished
Scan timestamps
Created
Jul 13, 2026, 8:02 PM
Started
Jul 13, 2026, 8:02 PM
Finished
Jul 13, 2026, 8:02 PM
Updated
Jul 13, 2026, 8:02 PM
Export PDF
Re-scan
Findings by severity
37 results
0
Critical
2
High
1
Medium
0
Low
34
Pass
Report coverage
92%
1 couldn’t be evaluated · 15 skipped - these limit completeness.
1 error
15 skipped
All
53
High
2
Medium
1
Pass
34
Error
1
Skipped
15
Email
96%
Sender Authentication (SPF)
Learn how it works
Info
6/7 pass
Sender Authentication (SPF)
SPF record is published
The domain publishes exactly one SPF TXT record.
Pass
Sender Authentication (SPF)
SPF syntax is valid
The SPF record is syntactically valid.
Pass
Sender Authentication (SPF)
SPF policy does not use strict fail mode
The SPF policy does not fully reject unauthorized senders.
Medium
Sender Authentication (SPF)
SPF DNS lookup limit is not exceeded
The SPF policy stays within the DNS lookup limit.
Pass
Sender Authentication (SPF)
SPF delegated policies are valid
All include and redirect targets resolve to valid SPF policies.
Pass
Sender Authentication (SPF)
SPF record avoids deprecated mechanisms
The SPF policy does not use discouraged SPF mechanisms.
Pass
Sender Authentication (SPF)
SPF authorization scope is constrained
The SPF policy does not authorize obviously overbroad IP ranges.
Pass
Domain Alignment (DMARC)
Learn how it works
Info
7/7 pass
Domain Alignment (DMARC)
DMARC record is published
The domain publishes exactly one DMARC TXT record.
Pass
Domain Alignment (DMARC)
DMARC syntax is valid
The DMARC record is syntactically valid.
Pass
Domain Alignment (DMARC)
DMARC policy rejects unauthenticated mail
The DMARC policy requests rejection of mail that fails DMARC validation.
Pass
Domain Alignment (DMARC)
DMARC subdomain policy rejects unauthenticated mail
Subdomains are protected by an effective reject policy.
Pass
Domain Alignment (DMARC)
DMARC policy applies to all failing mail
The DMARC policy is applied to 100% of failing messages.
Pass
Domain Alignment (DMARC)
DMARC aggregate reporting is configured
The DMARC record contains a valid aggregate reporting destination.
Pass
Domain Alignment (DMARC)
DMARC alignment is strict
The DMARC record requires strict DKIM and SPF alignment.
Pass
Transport Encryption (SMTP TLS)
Learn how it works
Info
5/5 pass
Transport Encryption (SMTP TLS)
MX hosts discovered
The domain has at least one MX host configured.
Pass
Transport Encryption (SMTP TLS)
STARTTLS is available on all MX hosts
All MX hosts advertise and accept STARTTLS and present a valid SMTP session.
Pass
Transport Encryption (SMTP TLS)
All MX hosts negotiate TLS 1.3
All MX hosts negotiate TLS 1.3, the current recommended protocol version.
Pass
Transport Encryption (SMTP TLS)
MX host certificates are valid
All MX hosts present valid, trusted, name-matched certificates with adequate key strength.
Pass
Transport Encryption (SMTP TLS)
All MX hosts negotiate AEAD cipher suites with forward secrecy
All MX hosts negotiate modern AEAD cipher suites (GCM or CHACHA20-POLY1305) with ECDHE key exchange or TLS 1.3, providing both forward secrecy and authenticated encryption.
Pass
Certificate Binding (DANE)
Learn how it works
Info
5/5 pass
Certificate Binding (DANE)
Inbound mail routing is defined
The domain publishes MX records, or a null MX record correctly declaring that it does not accept inbound mail.
Pass
Certificate Binding (DANE)
DNSSEC covers all TLSA lookup zones
All MX hosts have their TLSA lookup zones protected by DNSSEC. Sending servers can trust the TLSA records.
Pass
Certificate Binding (DANE)
All MX hosts have TLSA records
Every MX host has at least one usable DANE TLSA record published. Sending servers that support DANE can authenticate all inbound mail paths.
Pass
Certificate Binding (DANE)
DANE TLSA parameters are recommended
All TLSA records use recommended certificate usage, selector, and matching type parameters suitable for SMTP DANE.
Pass
Certificate Binding (DANE)
MX certificates match TLSA records
The TLS certificates presented by all MX hosts on port 25 match their published TLSA records. DANE end-to-end verification passed.
Pass
Mail Servers (MX)
Learn how it works
Info
3/3 pass
Mail Servers (MX)
MX records are published
The domain publishes at least one MX record with a hostname.
Pass
Mail Servers (MX)
MX hosts are structurally valid
All MX records point to valid hostnames that are not CNAME aliases or IP address literals.
Pass
Mail Servers (MX)
All MX hosts resolve to public addresses
Every MX hostname resolves only to publicly routable IP addresses, with no reserved or unresolved addresses.
Pass
Transport Policy (MTA-STS)
Learn how it works
Info
1/6 pass
Transport Policy (MTA-STS)
Inbound mail routing is defined
The domain publishes MX records, or a null MX record correctly declaring that it does not accept inbound mail.
Pass
Transport Policy (MTA-STS)
MTA-STS DNS record is missing
The domain does not publish an MTA-STS TXT record, so sending servers cannot discover or enforce an MTA-STS policy.
High
Transport Policy (MTA-STS)
MTA-STS policy fetch was not evaluated
Policy fetch was skipped because the domain does not have a valid MTA-STS DNS record.
No impact on score or coverage
Skipped
Transport Policy (MTA-STS)
MTA-STS policy syntax was not evaluated
Policy syntax evaluation was skipped because the policy file could not be fetched.
No impact on score or coverage
Skipped
Transport Policy (MTA-STS)
MTA-STS mode was not evaluated
Mode evaluation was skipped because the policy file is not available or has invalid syntax.
No impact on score or coverage
Skipped
Transport Policy (MTA-STS)
MTA-STS MX coverage was not evaluated
MX coverage evaluation was skipped because the policy file is not available, has invalid syntax, or the domain does not accept mail.
No impact on score or coverage
Skipped
TLS Reporting (TLS-RPT)
Learn how it works
Info
1/4 pass
TLS Reporting (TLS-RPT)
Inbound mail routing is defined
The domain publishes MX records, or a null MX record correctly declaring that it does not accept inbound mail.
Pass
TLS Reporting (TLS-RPT)
No TLS-RPT record found
The domain does not publish a TLS-RPT record. Sending servers cannot report TLS errors to this domain.
High
TLS Reporting (TLS-RPT)
TLS-RPT syntax was not evaluated
Syntax evaluation was skipped because the domain does not have exactly one TLS-RPT record.
No impact on score or coverage
Skipped
TLS Reporting (TLS-RPT)
TLS-RPT rua quality was not evaluated
Reporting URI evaluation was skipped because the domain does not have a syntactically valid TLS-RPT record.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
Learn how it works
Info
0/6 pass
Brand Indicators (BIMI)
BIMI record was not evaluated
The domain does not publish a BIMI record or has explicitly refused BIMI participation. BIMI is optional and no action is required.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI syntax was not evaluated
Syntax evaluation was skipped because the domain does not publish a single BIMI record.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
DMARC prerequisite was not evaluated
The DMARC prerequisite check was skipped because the domain does not publish a single valid BIMI record.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI logo accessibility was not evaluated
Logo accessibility check was skipped because the domain does not have a valid BIMI record with a logo URL.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI logo format was not evaluated
Logo format check was skipped because the logo could not be retrieved.
No impact on score or coverage
Skipped
Brand Indicators (BIMI)
BIMI certificate was not evaluated
Certificate validation was skipped because the BIMI record does not include a VMC/CMC certificate URL. BIMI without a certificate is accepted by some providers but not Gmail or Apple Mail.
No impact on score or coverage
Skipped
DNS
100%
DNS Integrity (DNSSEC)
Learn how it works
Info
6/6 pass
DNS Integrity (DNSSEC)
DNSSEC DS record is published
The parent zone publishes a DS record for this domain.
Pass
DNS Integrity (DNSSEC)
DNSKEY records are published
The child zone publishes DNSKEY records required for DNSSEC validation.
Pass
DNS Integrity (DNSSEC)
DS records match DNSKEY records
At least one DS record matches a DNSKEY record in the child zone.
Pass
DNS Integrity (DNSSEC)
DNSKEY RRset signature is valid
The DNSKEY RRset is signed and its signature validates correctly.
Pass
DNS Integrity (DNSSEC)
Zone RRset signature is valid
The zone SOA RRset is signed and its signature validates correctly.
Pass
DNS Integrity (DNSSEC)
DNSSEC algorithms are acceptable
The DNSSEC algorithms and DS digest types are accepted by the validation policy.
Pass
Web
Disclosure Policy (security.txt)
Learn how it works
Info
0/4 pass
Disclosure Policy (security.txt)
security.txt could not be retrieved
The security.txt endpoint could not be reached due to a network, TLS, or DNS error.
Doesn’t affect score · lowers coverage
Error
Disclosure Policy (security.txt)
Contact field was not evaluated
Contact field evaluation was skipped because the security.txt file is not accessible.
No impact on score or coverage
Skipped
Disclosure Policy (security.txt)
Expires field was not evaluated
Expires field evaluation was skipped because the security.txt file is not accessible.
No impact on score or coverage
Skipped
Disclosure Policy (security.txt)
Canonical field was not evaluated
Canonical field evaluation was skipped because the security.txt file is not accessible.
No impact on score or coverage
Skipped
Feedback