Security Snapshot: [your-domain].com

Generated: 2026-03-28 11:03:29 UTC — Sample Report

⛔ Risk Level: HIGH
Risk Score: 72 / 100
Overall risk: HIGH. Findings: 3 HIGH, 2 MEDIUM, 3 LOW, 1 INFO. Immediate attention recommended.
Action required: This domain has multiple high-severity findings that represent meaningful exposure. The certificate expiry and open mail relay are the highest priority items.
Scope & Limitations: This report reflects external observations only. It does not assess internal systems, application code, authentication mechanisms, or infrastructure configuration. Findings are based on publicly observable signals at the time of scan. DKIM detection is best-effort only — a negative result does not confirm DKIM is absent. WHOIS data accuracy depends on registrar cooperation. Port checks use short timeouts and may miss firewalled services.

Key Findings

HIGH TLS certificate expires in 14 days

The certificate for [your-domain].com expires on 2026-04-11. Browsers will display security warnings to all visitors after expiry, and many services will refuse to connect. Renew immediately.

HIGH SMTP relay open to the internet (port 25)

Port 25 is publicly accessible and accepting connections. A self-hosted mail server on this port without strict relay controls can be used to send spam under your domain, damaging your sending reputation and potentially blacklisting your IP.

HIGH Unencrypted HTTP serving content (not redirecting)

The site serves content over plain HTTP without redirecting to HTTPS. Any data submitted by visitors — including contact forms — is transmitted without encryption and can be intercepted.

MEDIUM DMARC record missing

No DMARC record found. Combined with SPF soft-fail, this means there is no enforcement policy in place. Spoofed emails appearing to come from your domain are likely to be delivered.

MEDIUM SPF record uses soft-fail (~all)

The SPF policy allows spoofed messages from your domain to reach recipients' inboxes. A hard-fail (-all) policy would instruct receivers to reject them.

LOW Missing security header: Strict-Transport-Security

Enforces HTTPS connections and prevents SSL stripping. Required alongside an HTTPS redirect to be effective.

LOW Missing security header: X-Frame-Options

Prevents clickjacking by controlling iframe embedding of your site.

LOW Missing security header: X-Content-Type-Options

Prevents browsers from MIME-sniffing the content type.

Observations

Informational observations do not affect the risk score.

INFO Self-hosted mail server detected

MX records point to mail.[your-domain].com rather than a managed provider. Self-hosted mail servers require ongoing maintenance and are a common source of configuration gaps.

Recommendations

  1. Renew the TLS certificate immediately. Contact your hosting provider or certificate authority. If using Let's Encrypt, run certbot renew.
  2. Restrict SMTP relay. If port 25 must be open, configure your mail server to only relay authenticated and authorised senders. Consider moving to a managed email provider.
  3. Enable HTTPS redirect. Configure your web server to issue a 301 redirect from HTTP to HTTPS for all requests.
  4. Publish a DMARC record to give receivers a policy for handling failures: v=DMARC1; p=reject; rua=mailto:dmarc@[your-domain].com
  5. Tighten SPF from ~all to -all once you have confirmed all legitimate sending sources are included.
  6. Add Strict-Transport-Security: max-age=31536000; includeSubDomains once HTTPS redirect is in place.
  7. Add X-Frame-Options: SAMEORIGIN and X-Content-Type-Options: nosniff to all HTTP responses.

Positive Signals

DKIM signature detected
TLS certificate installed (expiry action required)
Port 8080 and 8443 not publicly reachable

Email Security

SPF Record | WARN | v=spf1 ip4:198.51.100.23 ~all
DMARC Record | FAIL | DMARC record not found
DMARC Policy | N/A
DKIM Detected | PASS | mail
DKIM Note | DKIM selector names are not publicly enumerable. A negative result here does not confirm DKIM is absent.

TLS / Certificate

Connected | PASS
Issuer | Let's Encrypt
Subject (CN) | [your-domain].com
Expires | 2026-04-11 00:00:00+00:00
Days Remaining | 14 | Renew immediately
Hostname Match | PASS
TLS Version | TLSv1.2

Security Headers

URL Checked | http://[your-domain].com (no HTTPS redirect)
Strict-Transport-Security | FAIL | missing
Content-Security-Policy | FAIL | missing
X-Frame-Options | FAIL | missing
X-Content-Type-Options | FAIL | missing
Referrer-Policy | FAIL | missing
Permissions-Policy | FAIL | missing

Port Exposure

Port 80 (HTTP) | OPEN | Serving content unencrypted — no HTTPS redirect
Port 443 (HTTPS) | OPEN | Encrypted web traffic
Port 25 (SMTP) | OPEN | Direct mail relay — accepting connections
Port 465 (SMTPS) | OPEN | Encrypted SMTP submission
Port 587 (SMTP/STARTTLS) | OPEN | Authenticated mail submission
Port 8080 (HTTP-alt) | CLOSED | Common alternate web port
Port 8443 (HTTPS-alt) | CLOSED | Common alternate HTTPS port

DNS Health

A Records | 198.51.100.23
AAAA Records | none
MX Records | 10 mail.[your-domain].com.
Nameservers | ns1.example-registrar.com., ns2.example-registrar.com.

WHOIS / Domain Info

Registrar | GoDaddy.com, LLC
Created | 2011-08-22
Expires | 2027-08-22
Domain Age | 5331 days