DNS & Email Security Report for apple.com

• A record presentcritical

  1 A record(s) found

• AAAA record presentrecommended

  1 AAAA record(s) found

• MX records presentrecommended

  6 MX record(s) found

• NS records presentcritical

  4 NS record(s) found

• SOA record presentcritical

  SOA record found

• Multiple nameserversrecommended

  4 nameservers configured ✓

• SOA serial formatinfo

  Serial 2026061001 (YYYYMMDDnn format)

• SOA timers validinfo

  Refresh: 300s ✗, Retry: 300s ✓, Expire: 3628800s ✗. Refresh should be 1200-43200s (20min-12h). Expire should be 604800-2419200s (1-4 weeks)

• No lame nameserversinfo

  4 NS all responding ✓

• Glue records presentinfo

  8 glue record(s)

• WWW record configuredinfo

  CNAME: www-apple-com.v.aaplimg.com

• MX servers have PTR recordsinfo

  5 MX IPs all have PTR records ✓

• MX servers have FCrDNSinfo

  5 MX IPs have forward-confirmed reverse DNS ✓

• DNSSEC signedrecommended

  DNSSEC not configured. Enable DNSSEC at your domain registrar to protect against DNS spoofing

• DNSSEC validation OKcritical

  Not applicable (DNSSEC not enabled)

• NSEC3 RFC 9276 compliantrecommended

  Not applicable (domain uses NSEC or is not DNSSEC-signed)

• RRSIG signatures validrecommended

  Not applicable (DNSSEC not enabled)

• Modern DNSSEC algorithmoptional

  Not applicable (DNSSEC not enabled)

• DS digest algorithm modernrecommended

  Not applicable (no DS records or DNSSEC not enabled)

• DNSKEY algorithm secureoptional

  Not applicable (DNSSEC not enabled)

• RRSIG TTL saferecommended

  Not applicable (DNSSEC not enabled or no RRSIG data)

• Chain of trust completecritical

  DNSSEC not enabled

• Website reachable via IPv6recommended

  1 AAAA record(s) ✓

• Mail servers reachable via IPv6recommended

  0/6 MX servers have IPv6. Add AAAA records for your mail servers

• Nameservers reachable via IPv6recommended

  4/4 NS server(s) with IPv6 ✓

• SPF record presentcritical

  v=spf1 include:_spf.apple.com include:_spf-txn.apple.com ~all

• SPF syntax validcritical

  SPF syntax is correct ✓

• SPF policy strict (-all)recommended

  SPF uses ~all or ?all. Change to -all for strict enforcement

• DKIM foundrecommended

  DKIM selector: selector1 ✓

• DMARC record presentrecommended

  v=DMARC1; p=quarantine; sp=reject; rua=mailto:[email protected]; ruf=mailto:[email protected];

• DMARC policy quarantine or betterrecommended

  DMARC policy: quarantine ✓

• DMARC policy rejectoptional

  DMARC policy: quarantine. Set p=reject for maximum protection

• BIMI record presentoptional

  BIMI logo: https://www.apple.com/bimi/v2/apple.svg

• BIMI configuration validoptional

  BIMI correctly configured ✓

• MTA-STS record presentoptional

  No MTA-STS. Add TXT at _mta-sts and host policy at /.well-known/mta-sts.txt

• MTA-STS policy enforcedoptional

  MTA-STS not configured

• MX records validcritical

  6 MX record(s) ✓

• MX domains use DNSSECrecommended

  0/1 MX domain(s) have DNSSEC. Ask your mail provider to enable DNSSEC

• MX DNSSEC validation OKrecommended

  DNSSEC not enabled for MX domains

• Mail servers not blacklistedcritical

  1 MX server(s) checked against 16 blacklists - clean ✓

• No critical blacklist listingscritical

  No blacklist listings ✓

• CAA records presentrecommended

  3 CAA record(s) ✓

• CAA policy strictoptional

  CAA limits certificate authorities ✓

• TLSA records (DANE)optional

  No TLSA/DANE records. Add TLSA at _25._tcp.mail for DANE email encryption

• DANE configuration validoptional

  No DANE configured

• No sensitive info in TXTcritical

  No sensitive data leaked ✓

• Verification records reviewedinfo

  7 verification records found (Google, Atlassian, Webex/Cisco, Adobe IDP, Miro...). Review these - they reveal your tech stack to attackers. Remove unused service verifications

• HTTPS availablecritical

  HTTPS working (status 200) ✓

• Valid certificatecritical

  Certificate chain is valid and trusted ✓

• HTTP redirects to HTTPScritical

  HTTP automatically redirects to HTTPS ✓

• HSTS enabledrecommended

  HSTS enabled (max-age=31536000, includeSubDomains, preload) ✓

• HSTS max-age >= 1 yearoptional

  max-age=31536000 (≥1 year) ✓

• X-Frame-Options headerrecommended

  X-Frame-Options: SAMEORIGIN ✓

• X-Content-Type-Options headerrecommended

  X-Content-Type-Options: nosniff ✓

• Content-Security-Policy headerrecommended

  Content-Security-Policy configured ✓

• Referrer-Policy headerrecommended

  Referrer-Policy: no-referrer-when-downgrade ✓

• security.txt presentoptional

  Contact: https://security.apple.com

• security.txt validoptional

  security.txt has required Contact and Expires fields ✓

• HTTP/3 (QUIC) supportedoptional

  No HTTP/3 support detected No h3 in Alt-Svc header No HTTPS DNS record (type 65) QUIC probe inconclusive (Inconclusive - no QUIC reply (trigger may be dropped or UDP/443 filtered)) — not a negative signal

• QUIC UDP reachableinfo

  QUIC probe inconclusive (no reply — trigger may be dropped or UDP/443 filtered). Not a negative signal; h3 is judged from Alt-Svc / HTTPS record

• HTTPS DNS record (SVCB)optional

  No HTTPS DNS record (type 65). Add HTTPS record for faster HTTP/3 discovery: apple.com IN HTTPS 1 . alpn="h3,h2"

Implement DNSSEC

Activate DNSSEC with your domain registrar and add the DS records to your parent zone. This protects against DNS spoofing attacks.

Impact: Significantly increases security and prevents DNS manipulation

IPv6 for mail servers

Add AAAA records for your MX servers to support email via IPv6.

Impact: Improves email reachability for IPv6 networks

Review verification TXT records

Your domain has many third-party verification records that reveal your tech stack (Google, Microsoft, Atlassian, etc.). Review each one: 1) Remove records for services no longer used 2) Consider if each service really needs domain verification 3) Use a subdomain for less critical services. This is an information disclosure issue - attackers can map your SaaS footprint.

Impact: Reduces reconnaissance surface and limits attacker knowledge of your infrastructure

Enable HTTP/3 (QUIC)

Enable HTTP/3 for faster page loads and improved connection resilience. Nginx: add "listen 443 quic reuseport;" and "add_header Alt-Svc 'h3=":443"; ma=86400'". Caddy: HTTP/3 is enabled by default. Cloudflare: Enable under Speed → Protocol Optimization. Also add an HTTPS DNS record: example.com IN HTTPS 1 . alpn="h3,h2" Ensure UDP port 443 is open in your firewall (QUIC uses UDP, not TCP).

Impact: Faster page loads (0-RTT), better mobile performance, and connection migration between networks