Email Security
How secure is your
email domain?
Checks DMARC, DKIM, SPF, MX, MTA-STS and TLS-RPT for your domain — right from your browser, no sign-up.
Results for
SPF
DKIM
MX
MTA-STS
TLS-RPT
Background
Why email authentication is business-critical.
What is DMARC?
DMARC tells receiving mail servers what to do with messages that fail SPF or DKIM. Without DMARC, anyone can forge your domain in the From address.
Why does it matter?
Google and Microsoft have required DMARC for bulk senders since February 2024. Without authentication, marketing and transactional email lands in spam — or is rejected outright.
What are your next steps?
Start with p=none to monitor, review the reports for 2–4 weeks, then
escalate to p=quarantine and p=reject. We guide you the
whole way there.
Web Security
How secure is your
website?
Evaluates your website's HTTP security headers via the MDN HTTP Observatory — Content-Security-Policy, HSTS, X-Content-Type-Options and more. Graded A+ to F.
Result for
HTTP Observatory Website
Benchmark
Grade distribution across all websites scanned by MDN — your current grade is highlighted.
Background
Why HTTP security headers protect your visitors.
What does the Observatory check?
The MDN HTTP Observatory evaluates your website's security headers — Content-Security-Policy, HSTS, X-Content-Type-Options and more — and assigns a grade from A+ to F.
Why does it matter?
Missing headers open the door to cross-site scripting, clickjacking and protocol downgrades. A good grade measurably reduces your web attack surface.
What are your next steps?
Start with HSTS and X-Content-Type-Options, add a
Content-Security-Policy and re-test. We're happy to set the headers up
for you.
DNS Integrity
Is your DNS zone signed?
Checks your domain's DNSSEC chain of trust: whether the zone is signed, anchored at the parent (DS record) and confirmed by validating resolvers. Also detects broken signature chains.
Result for
DNSSEC
Background
Why DNSSEC builds trust.
What is DNSSEC?
DNSSEC cryptographically signs your DNS records. Validating resolvers can then tell whether a response is authentic or was tampered with in transit.
Why does it matter?
Without DNSSEC, attackers can redirect visitors and email to forged servers via cache poisoning or spoofing. With signatures and a DS record at the parent, the chain of trust is closed.
What are your next steps?
Enable DNSSEC at your DNS provider (one click at Cloudflare) and add the
DS record at your registrar. We support the rollout.
Generating report …
Sentry0