Security Snapshot: [your-domain].com

Scope & Limitations: This report reflects external observations only. It does not assess internal systems, application code, authentication mechanisms, or infrastructure configuration. Findings are based on publicly observable signals at the time of scan. DKIM detection is best-effort only — a negative result does not confirm DKIM is absent. WHOIS data accuracy depends on registrar cooperation. Port checks use short timeouts and may miss firewalled services.

Key Findings

MEDIUM DMARC record missing

No DMARC record found. Without DMARC, email receivers cannot take action on SPF/DKIM failures, making domain spoofing easier.

LOW Missing security header: Strict-Transport-Security

Enforces HTTPS connections and prevents SSL stripping attacks.

LOW Missing security header: Content-Security-Policy

Mitigates cross-site scripting and data injection attacks.

LOW Missing security header: X-Frame-Options

Prevents clickjacking by controlling iframe embedding.

LOW Missing security header: X-Content-Type-Options

Prevents browsers from MIME-sniffing the content type.

Observations

Informational observations do not affect the risk score. They reflect scan limitations, infrastructure notes, and other non-actionable signals.

INFO Missing security header: Referrer-Policy

Controls how much referrer information is included with requests.

INFO Missing security header: Permissions-Policy

Controls browser feature access (camera, microphone, geolocation, etc.).

INFO Email provider: Google Workspace detected

MX records indicate that Google Workspace handles email for this domain. This is an informational observation.

Recommendations

Publish a DMARC record: _dmarc.[your-domain].com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@[your-domain].com"
Add: Strict-Transport-Security: max-age=31536000; includeSubDomains
Define a Content-Security-Policy appropriate for your application.
Add: X-Frame-Options: DENY or SAMEORIGIN
Add: X-Content-Type-Options: nosniff
Add: Referrer-Policy: strict-origin-when-cross-origin
Add a Permissions-Policy header to restrict unnecessary browser APIs.

Positive Signals

✓ SPF record is present
✓ Valid TLS certificate installed
✓ TLS 1.3 supported
✓ Certificate hostname matches domain

Email Security

SPF Record	PASS	v=spf1 include:_spf.google.com ~all
DMARC Record	FAIL	DMARC record not found
DMARC Policy	—	N/A
DKIM Detected	PASS	google
DKIM Note	—	DKIM selector names are not publicly enumerable. A negative result here does not confirm DKIM is absent.

TLS / Certificate

Connected	PASS
Issuer	—	Let's Encrypt
Subject (CN)	—	[your-domain].com
Expires	—	2026-09-15 00:00:00+00:00
Days Remaining	—	171 days
Hostname Match	PASS
TLS Version	—	TLSv1.3

Security Headers

URL Checked	—	https://[your-domain].com
Strict-Transport-Security	FAIL	missing
Content-Security-Policy	FAIL	missing
X-Frame-Options	FAIL	missing
X-Content-Type-Options	FAIL	missing
Referrer-Policy	FAIL	missing
Permissions-Policy	FAIL	missing

Port Exposure

Port 80 (HTTP)	OPEN	Unencrypted web traffic
Port 443 (HTTPS)	OPEN	Encrypted web traffic
Port 25 (SMTP)	CLOSED	Direct mail relay — often blocked by ISPs
Port 465 (SMTPS)	CLOSED	Encrypted SMTP submission
Port 587 (SMTP/STARTTLS)	CLOSED	Modern authenticated mail submission
Port 8080 (HTTP-alt)	CLOSED	Common alternate web port
Port 8443 (HTTPS-alt)	CLOSED	Common alternate HTTPS port

DNS Health

A Records	—	203.0.113.42, 203.0.113.91
AAAA Records	—	none
MX Records	—	10 aspmx.l.google.com., 20 alt1.aspmx.l.google.com., 30 alt2.aspmx.l.google.com.
Nameservers	—	ns1.example-registrar.com., ns2.example-registrar.com.

WHOIS / Domain Info

Registrar	—	Namecheap, Inc.
Created	—	2018-05-14
Expires	—	2027-05-14
Domain Age	—	2875 days