DNS & Email Security Report for abuse.ch
An automated analysis of abuse.ch's DNS configuration, email authentication (SPF, DKIM, DMARC), DNSSEC chain, IPv6 readiness, and transport security. Last analyzed June 10, 2026.
Adequate security, improvements recommended
Overall security score: 77/100 · Grade C (Average)
This report is a cached snapshot
DNS changes frequently. Run a fresh, interactive scan of abuse.ch for live records, propagation, and deep checks.
Detailed check results
DNS
- A record presentcritical
4 A record(s) found
- AAAA record presentrecommended
No AAAA records
- MX records presentrecommended
1 MX record(s) found
- NS records presentcritical
4 NS record(s) found
- SOA record presentcritical
SOA record found
- Multiple nameserversrecommended
4 nameservers configured ✓
- SOA serial formatinfo
Serial 2 (valid, managed DNS format)
- SOA timers validinfo
Refresh: 21600s ✓, Retry: 3600s ✓, Expire: 259200s ✗. Expire should be 604800-2419200s (1-4 weeks)
- No lame nameserversinfo
4 NS all responding ✓
- Glue records presentinfo
No glue needed
- WWW record configuredinfo
CNAME: p2.shared.global.fastly.net
- MX servers have PTR recordsinfo
2 MX IPs all have PTR records ✓
- MX servers have FCrDNSinfo
1/2 MX IPs have FCrDNS. PTR hostnames must resolve back to the original IP. Examples: 2a03:b0c0:3:d0::1660:c001 -> ach-mx.abuse.ch
DNSSEC
- DNSSEC signedrecommended
DNSSEC is enabled ✓
- DNSSEC validation OKcritical
DNSSEC validates correctly ✓
- NSEC3 RFC 9276 compliantrecommended
NSEC3 not RFC 9276 compliant: iterations=1 (must be 0), salt="7cfb068b53aa9cbf" (must be empty). Modern resolvers may reject this zone
- RRSIG signatures validrecommended
RRSIG signatures valid, earliest expiry in 20 days ✓
- Modern DNSSEC algorithmoptional
RSA/SHA-256 (algorithm 8) — acceptable ✓
- DS digest algorithm modernrecommended
DS digest: SHA-256 — modern ✓
- DNSKEY algorithm secureoptional
DNSKEY: RSA/SHA-256 — acceptable, consider ECDSA (13) or Ed25519 (15)
- RRSIG TTL saferecommended
Record TTLs do not exceed RRSIG validity periods ✓
- Chain of trust completecritical
Complete chain: DNSKEY + DS + RRSIG ✓
IPv6
- Website reachable via IPv6recommended
No IPv6 for website. Add AAAA record pointing to your IPv6 address
- Mail servers reachable via IPv6recommended
1/1 MX server(s) with IPv6 ✓
- Nameservers reachable via IPv6recommended
4/4 NS server(s) with IPv6 ✓
Email security
- SPF record presentcritical
v=spf1 mx ip4:207.154.192.128 ip4:92.42.187.64 ~all
- SPF syntax validcritical
SPF syntax is correct ✓
- SPF policy strict (-all)recommended
SPF uses ~all or ?all. Change to -all for strict enforcement
- DKIM foundrecommended
No DKIM found. Configure DKIM signing with your email provider
- DMARC record presentrecommended
v=DMARC1; p=reject; sp=reject; rua=mailto:[email protected]; ruf=mailto:[email protected];
- DMARC policy quarantine or betterrecommended
DMARC policy: reject ✓
- DMARC policy rejectoptional
DMARC policy: reject ✓
- BIMI record presentoptional
No BIMI record. Add TXT at default._bimi with logo URL (requires DMARC p=quarantine+)
- BIMI configuration validoptional
No BIMI configured
- MTA-STS record presentoptional
MTA-STS configured ✓
- MTA-STS policy enforcedoptional
MTA-STS mode: enforce ✓
- MX records validcritical
1 MX record(s) ✓
- MX domains use DNSSECrecommended
1/1 MX domain(s) use DNSSEC ✓
- MX DNSSEC validation OKrecommended
MX DNSSEC validates correctly ✓
- Mail servers not blacklistedcritical
1/1 MX server(s) blacklisted: mail.abuse.ch on UCEPROTECT L3
- No critical blacklist listingscritical
No critical listings, but some servers are on blacklists
Web security
- CAA records presentrecommended
5 CAA record(s) ✓
- CAA policy strictoptional
CAA limits certificate authorities ✓
- TLSA records (DANE)optional
1 DANE record(s) - configured according to best practices
- DANE configuration validoptional
DANE records meet best practices ✓
- No sensitive info in TXTcritical
No sensitive data leaked ✓
- Verification records reviewedinfo
1 verification record(s): Google. Consider if all are still needed
- HTTPS availablecritical
HTTPS working (status 200) ✓
- Valid certificatecritical
Certificate chain is valid and trusted ✓
- HTTP redirects to HTTPScritical
HTTP automatically redirects to HTTPS ✓
- HSTS enabledrecommended
HSTS enabled (max-age=31536000, includeSubDomains, preload) ✓
- HSTS max-age >= 1 yearoptional
max-age=31536000 (≥1 year) ✓
- X-Frame-Options headerrecommended
X-Frame-Options: sameorigin ✓
- X-Content-Type-Options headerrecommended
X-Content-Type-Options: nosniff ✓
- Content-Security-Policy headerrecommended
Content-Security-Policy configured ✓
- Referrer-Policy headerrecommended
Referrer-Policy: strict-origin-when-cross-origin ✓
- security.txt presentoptional
Contact: mailto:[email protected]
- security.txt validoptional
security.txt has required Contact and Expires fields ✓
- HTTP/3 (QUIC) supportedoptional
No HTTP/3 support detected No h3 in Alt-Svc header No HTTPS DNS record (type 65) QUIC probe inconclusive (Inconclusive - no QUIC reply (trigger may be dropped or UDP/443 filtered)) — not a negative signal
- QUIC UDP reachableinfo
QUIC probe inconclusive (no reply — trigger may be dropped or UDP/443 filtered). Not a negative signal; h3 is judged from Alt-Svc / HTTPS record
- HTTPS DNS record (SVCB)optional
No HTTPS DNS record (type 65). Add HTTPS record for faster HTTP/3 discovery: abuse.ch IN HTTPS 1 . alpn="h3,h2"
Issues found (5)
Forward-confirmed reverse DNS missing
One or more MX server PTR hostnames do not resolve back to the original IP address.
Learn moreNSEC3 parameters not RFC 9276 compliant
NSEC3 iterations must be 0 and salt must be empty per RFC 9276. Modern resolvers (Unbound 1.19+, BIND 9.19+) may treat your zone as insecure
Learn moreNo IPv6 (AAAA) records
Your domain is not reachable via IPv6. IPv6 is becoming increasingly important
Learn moreNo HTTP/3 (QUIC) support
HTTP/3 uses QUIC for faster, more resilient connections. Enable it on your web server and open UDP/443 in your firewall
Learn moreRecommendations (4)
Implement DKIM
Configure DKIM signing with your email provider and publish the DKIM public key in DNS.
Impact: Improves email deliverability and prevents spoofing
Fix forward-confirmed reverse DNS
Make each mail server PTR hostname resolve back to the original IP address with an A or AAAA record. The reverse and forward DNS chain should confirm the same host.
Impact: Improves deliverability signals used by major mailbox providers
Add IPv6 support
Request AAAA records from your hosting provider for your website. IPv6 is becoming increasingly important.
Impact: Makes your website accessible to IPv6-only networks
Enable HTTP/3 (QUIC)
Enable HTTP/3 for faster page loads and improved connection resilience. Nginx: add "listen 443 quic reuseport;" and "add_header Alt-Svc 'h3=":443"; ma=86400'". Caddy: HTTP/3 is enabled by default. Cloudflare: Enable under Speed → Protocol Optimization. Also add an HTTPS DNS record: example.com IN HTTPS 1 . alpn="h3,h2" Ensure UDP port 443 is open in your firewall (QUIC uses UDP, not TCP).
Impact: Faster page loads (0-RTT), better mobile performance, and connection migration between networks
About this report
IntoDNS.AI evaluates abuse.ch against DNS hygiene, email authentication, and transport-security best practices, scoring each check and rolling them up into an overall grade. Results reflect public DNS as observed on June 10, 2026 and may differ from a live scan if the domain has since changed its configuration.
Want to check your own domain? Scan any domain on the homepage.
Last analyzed: June 10, 2026 · Google Public DNS