Good news: This domain is well-configured. The findings below are minor and do not represent immediate risk. The recommendations section includes optional improvements.
Scope & Limitations:
This report reflects external observations only. It does not assess internal systems,
application code, authentication mechanisms, or infrastructure configuration. Findings
are based on publicly observable signals at the time of scan. DKIM detection is best-effort
only — a negative result does not confirm DKIM is absent. WHOIS data accuracy depends on
registrar cooperation. Port checks use short timeouts and may miss firewalled services.
Key Findings
LOW
DMARC policy set to quarantine, not reject
DMARC is present and active. The current policy (p=quarantine) routes suspicious emails to spam rather than rejecting them outright. Tightening to p=reject would provide stronger protection.
Observations
Informational observations do not affect the risk score.
INFO
Missing security header: Permissions-Policy
Controls browser feature access (camera, microphone, geolocation, etc.). Low priority for a primarily static site.
INFO
Email provider: Google Workspace detected
MX records indicate that Google Workspace handles email for this domain. This is an informational observation.
Recommendations
- Consider tightening DMARC policy from p=quarantine to p=reject once you have confirmed legitimate mail is flowing correctly.
- Optionally add a Permissions-Policy header to restrict unnecessary browser APIs.
Positive Signals
| ✓ SPF record is present and strict (-all) |
| ✓ DMARC record is present |
| ✓ Valid TLS certificate installed |
| ✓ TLS 1.3 supported |
| ✓ Certificate hostname matches domain |
| ✓ Certificate valid for 9+ months |
| ✓ Strict-Transport-Security header present |
| ✓ X-Frame-Options header present |
| ✓ X-Content-Type-Options header present |
| ✓ No unexpected ports open |
Email Security
| SPF Record | PASS | v=spf1 include:_spf.google.com -all |
| DMARC Record | PASS | v=DMARC1; p=quarantine; rua=mailto:dmarc@[your-domain].com |
| DMARC Policy | — | quarantine |
| DKIM Detected | PASS | |
| DKIM Note | — | DKIM selector names are not publicly enumerable. A negative result here does not confirm DKIM is absent. |
TLS / Certificate
| Connected | PASS | |
| Issuer | — | Let's Encrypt |
| Subject (CN) | — | [your-domain].com |
| Expires | — | 2026-12-18 00:00:00+00:00 |
| Days Remaining | — | 265 days |
| Hostname Match | PASS | |
| TLS Version | — | TLSv1.3 |
Security Headers
| URL Checked | — | https://[your-domain].com |
| Strict-Transport-Security | PASS | max-age=31536000; includeSubDomains |
| Content-Security-Policy | PASS | present |
| X-Frame-Options | PASS | SAMEORIGIN |
| X-Content-Type-Options | PASS | nosniff |
| Referrer-Policy | PASS | strict-origin-when-cross-origin |
| Permissions-Policy | FAIL | missing |
Port Exposure
| Port 80 (HTTP) | OPEN | Redirects to HTTPS — expected |
| Port 443 (HTTPS) | OPEN | Encrypted web traffic |
| Port 25 (SMTP) | CLOSED | Direct mail relay — often blocked by ISPs |
| Port 465 (SMTPS) | CLOSED | Encrypted SMTP submission |
| Port 587 (SMTP/STARTTLS) | CLOSED | Modern authenticated mail submission |
| Port 8080 (HTTP-alt) | CLOSED | Common alternate web port |
| Port 8443 (HTTPS-alt) | CLOSED | Common alternate HTTPS port |
DNS Health
| A Records | — | 203.0.113.15 |
| AAAA Records | — | none |
| MX Records | — | 10 aspmx.l.google.com., 20 alt1.aspmx.l.google.com., 30 alt2.aspmx.l.google.com. |
| Nameservers | — | ns1.example-registrar.com., ns2.example-registrar.com. |
WHOIS / Domain Info
| Registrar | — | Squarespace Domains |
| Created | — | 2021-02-09 |
| Expires | — | 2027-02-09 |
| Domain Age | — | 1873 days |