Methodology

How IntoDNS.ai Works

Our scanning methodology, scoring system, and the standards we check against.

Scanning Process

How Scanning Works

IntoDNS uses DNS-over-HTTPS (DoH) to query multiple authoritative resolvers: Cloudflare (1.1.1.1), Google (8.8.8.8), and Quad9 (9.9.9.9). This ensures accurate, tamper-resistant results from geographically diverse vantage points.

All checks are performed in real-time. We do not rely on cached results from third parties. Every scan queries live DNS records and HTTP headers directly.

Scans cover DNS configuration, email authentication (SPF, DKIM, DMARC), DNSSEC validation, IPv6 readiness, and security best practices including HTTP security headers and HTTPS enforcement.
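The cross-resolver comparison described above, shown as an added example that is not IntoDNS.ai's own code: it normalises TXT answers from decoded DoH JSON responses, finds the majority answer, and lists resolvers that disagree or did not set the DNSSEC `AD` flag. The name `_dmarc.example.test`, the record values, and the quoting difference between resolvers are constructed assumptions.

```python
import re

TXT = 16  # DNS resource-record type number for TXT

# Constructed, already-decoded DoH JSON bodies for the hypothetical name
# _dmarc.example.test. Assumption: one resolver quotes TXT data, one does not.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"
SAMPLE = {
    "cloudflare": {"Status": 0, "AD": True, "Answer": [
        {"name": "_dmarc.example.test", "type": TXT, "TTL": 300,
         "data": '"' + RECORD + '"'}]},
    "google": {"Status": 0, "AD": True, "Answer": [
        {"name": "_dmarc.example.test", "type": TXT, "TTL": 41,
         "data": RECORD}]},
    "quad9": {"Status": 0, "AD": False, "Answer": [
        {"name": "_dmarc.example.test", "type": TXT, "TTL": 300,
         "data": '"v=DMARC1; p=none"'}]},
}

def txt_value(data):
    """Normalise one TXT RDATA: join quoted character-strings, accept unquoted."""
    if not data.lstrip().startswith('"'):
        return data.strip()
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', data))

def txt_set(response):
    """TXT values in one response; empty unless Status is 0 (NOERROR)."""
    if response.get("Status") != 0:
        return frozenset()
    return frozenset(txt_value(a["data"]) for a in response.get("Answer", [])
                     if a.get("type") == TXT)

def compare(responses):
    """Find the majority answer and the resolvers that deviate from it.
    TTLs are ignored because caches legitimately report different values."""
    sets = {name: txt_set(r) for name, r in responses.items()}
    counts = {}
    for s in sets.values():
        counts[s] = counts.get(s, 0) + 1
    majority = max(counts, key=counts.get)
    return {
        "majority": sorted(majority),
        "dissenting": sorted(n for n, s in sets.items() if s != majority),
        # AD flag unset: that resolver did not report a DNSSEC-validated answer
        "unvalidated": sorted(n for n, r in responses.items() if not r.get("AD")),
    }

if __name__ == "__main__":
    print(compare(SAMPLE))
```

A dissenting resolver is a signal to re-query and investigate, not proof of tampering: propagation delay after a record change produces the same picture.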

Scoring

Scoring Categories

Your domain score is calculated across five weighted categories. Each category contributes to the overall grade based on its weight.

DNS Configuration

Weight: 20%
  • A/AAAA records
  • Nameserver redundancy
  • SOA correctness
  • CAA records
  • Geographic distribution

Email Security

Weight: 30%
  • SPF record validity and strictness
  • DKIM key discovery
  • DMARC policy enforcement
  • BIMI
  • MTA-STS

DNSSEC

Weight: 15%
  • DNSSEC chain validation
  • Signature validity

IPv6 Support

Weight: 15%
  • Website AAAA records
  • Mail server IPv6
  • Nameserver IPv6

Security Best Practices

Weight: 20%
  • HTTPS availability and redirect
  • HSTS
  • Security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
  • CAA records
  • DANE/TLSA
  • security.txt
  • Blacklist status

Grading

Grading System

Your overall score maps to a letter grade. The grade reflects how well your domain is configured against industry standards.

  • A+ (Excellent): 100% with all critical checks passed. Perfect security configuration
  • A (Very Good): 90-99%. Strong security posture
  • B (Good): 80-89%. Minor improvements possible
  • C (Average): 70-79%. Improvements recommended
  • D (Poor): 50-69%. Action needed
  • F (Critical): 0-49%. Critical security issues detected

Issue Severity Levels

  • Critical: Must fix
  • Recommended: Should fix
  • Optional: Nice-to-have
  • Info: Informational

Standards

Standards & RFCs

All checks are based on published IETF standards. These are the RFCs that define the protocols we validate.

  • RFC 7208: SPF (Sender Policy Framework)
  • RFC 6376: DKIM (DomainKeys Identified Mail)
  • RFC 7489: DMARC (Domain-based Message Authentication)
  • RFC 4033/4034/4035: DNSSEC (DNS Security Extensions)
  • RFC 8461: MTA-STS (Mail Transfer Agent Strict Transport Security)
  • RFC 9495: BIMI (Brand Indicators for Message Identification)
  • RFC 6698: DANE/TLSA (DNS-Based Authentication of Named Entities)
  • RFC 8659: CAA (Certification Authority Authorization)
  • RFC 9116: security.txt (A File Format to Aid in Security Vulnerability Disclosure)
  • RFC 6797: HSTS (HTTP Strict Transport Security)

Scope

What IntoDNS Does NOT Do

Transparency matters. Here is what falls outside the scope of IntoDNS.ai.

  • We do NOT perform penetration testing or vulnerability scanning
  • We do NOT test email content or spam scoring
  • We do NOT guarantee email deliverability
  • We do NOT access or store email messages
  • We only analyze publicly available DNS records and HTTP headers

AI Analysis

AI-Powered Analysis

Explanations are generated by Claude AI from Anthropic. When you request an explanation for a scan finding, the AI interprets the technical results and provides a plain-English breakdown of what the issue means and why it matters.

The AI also generates ready-to-use DNS record configurations as fix suggestions. These are formatted for direct use with common DNS providers and hosting panels.

The AI does not make decisions. It helps you understand what needs fixing and provides the configuration to fix it. You remain in control of your DNS records.

Ready to Scan Your Domain?

IntoDNS.ai focuses on DNS and email security. For comprehensive web application security scanning including OWASP Top 10, SSL/TLS analysis, and vulnerability detection, try our full SecurityScan platform.