DNS & Email Security Report for atlassian.com
An automated analysis of atlassian.com's DNS configuration, email authentication (SPF, DKIM, DMARC), DNSSEC chain, IPv6 readiness, and transport security. Last analyzed June 10, 2026.
Weak security, action needed
Overall security score: 67/100 · Grade D (Poor)
This report is a cached snapshot
DNS changes frequently. Run a fresh, interactive scan of atlassian.com for live records, propagation, and deep checks.
Detailed check results
DNS
- A record presentcritical
4 A record(s) found
- AAAA record presentrecommended
No AAAA records
- MX records presentrecommended
2 MX record(s) found
- NS records presentcritical
4 NS record(s) found
- SOA record presentcritical
SOA record found
- Multiple nameserversrecommended
4 nameservers configured ✓
- SOA serial formatinfo
Serial 1 (valid, managed DNS format)
- SOA timers validinfo
Refresh: 7200s ✓, Retry: 900s ✓, Expire: 1209600s ✓
- No lame nameserversinfo
4 NS all responding ✓
- Glue records presentinfo
No glue needed
- WWW record configuredinfo
A: 13.227.180.4
- MX servers have PTR recordsinfo
1 MX IPs all have PTR records ✓
- MX servers have FCrDNSinfo
1 MX IPs have forward-confirmed reverse DNS ✓
DNSSEC
- DNSSEC signedrecommended
DNSSEC is enabled ✓
- DNSSEC validation OKcritical
DNSSEC validation failed! Check DS records at registrar match DNSKEY at nameserver
- NSEC3 RFC 9276 compliantrecommended
Not applicable (domain uses NSEC or is not DNSSEC-signed)
- RRSIG signatures validrecommended
RRSIG signature expires in 0 days — renewal needed
- Modern DNSSEC algorithmoptional
ECDSA P-256 (algorithm 13) — modern ✓
- DS digest algorithm modernrecommended
Not applicable (no DS records or DNSSEC not enabled)
- DNSKEY algorithm secureoptional
DNSKEY: ECDSA P-256 — modern ✓
- RRSIG TTL saferecommended
A TTL (60s) exceeds RRSIG validity (0d). Cached records may outlive signatures
- Chain of trust completecritical
Incomplete chain: missing DS. All three (DNSKEY + DS + RRSIG) are needed for full DNSSEC
IPv6
- Website reachable via IPv6recommended
No IPv6 for website. Add AAAA record pointing to your IPv6 address
- Mail servers reachable via IPv6recommended
0/2 MX servers have IPv6. Add AAAA records for your mail servers
- Nameservers reachable via IPv6recommended
4/4 NS server(s) with IPv6 ✓
Email security
- SPF record presentcritical
v=spf1 ip4:54.85.255.245 ip4:54.241.191.3 include:_spf.google.com include:cust-spf.exacttarget.com include:spf-001d9801.pphosted.com include:amazonses.com include:spf1.atlassian.com include:spf3.atlassian.com ip4:54.71.147.74 ip4:54.71.63.106 ip4:54.70.13.32 ~all
- SPF syntax validcritical
SPF syntax is correct ✓
- SPF policy strict (-all)recommended
SPF uses ~all or ?all. Change to -all for strict enforcement
- DKIM foundrecommended
DKIM selector: s1 ✓
- DMARC record presentrecommended
v=DMARC1; p=reject; fo=1; pct=100; adkim=r; aspf=r; rua=mailto:[email protected],mailto:[email protected]; ruf=mailto:[email protected],mailto:[email protected]
- DMARC policy quarantine or betterrecommended
DMARC policy: reject ✓
- DMARC policy rejectoptional
DMARC policy: reject ✓
- BIMI record presentoptional
BIMI logo: https://vmc.digicert.com/ad1c2acd-2d54-462c-a78d-57351f374742.svg
- BIMI configuration validoptional
BIMI correctly configured ✓
- MTA-STS record presentoptional
No MTA-STS. Add TXT at _mta-sts and host policy at /.well-known/mta-sts.txt
- MTA-STS policy enforcedoptional
MTA-STS not configured
- MX records validcritical
2 MX record(s) ✓
- MX domains use DNSSECrecommended
1/1 MX domain(s) use DNSSEC ✓
- MX DNSSEC validation OKrecommended
MX DNSSEC validates correctly ✓
- Mail servers not blacklistedcritical
1 MX server(s) checked against 16 blacklists - clean ✓
- No critical blacklist listingscritical
No blacklist listings ✓
Web security
- CAA records presentrecommended
10 CAA record(s) ✓
- CAA policy strictoptional
CAA limits certificate authorities ✓
- TLSA records (DANE)optional
No TLSA/DANE records. Add TLSA at _25._tcp.mail for DANE email encryption
- DANE configuration validoptional
No DANE configured
- No sensitive info in TXTcritical
No sensitive data leaked ✓
- Verification records reviewedinfo
14 verification records found (Stripe, Amazon SES, Atlassian, Google, DocuSign...). Review these - they reveal your tech stack to attackers. Remove unused service verifications
- HTTPS availablecritical
HTTPS working (status 403) ✓
- Valid certificatecritical
Certificate chain is valid and trusted ✓
- HTTP redirects to HTTPScritical
HTTP automatically redirects to HTTPS ✓
- HSTS enabledrecommended
HSTS enabled (max-age=31536000, preload) ✓
- HSTS max-age >= 1 yearoptional
max-age=31536000 (≥1 year) ✓
- X-Frame-Options headerrecommended
X-Frame-Options: DENY ✓
- X-Content-Type-Options headerrecommended
X-Content-Type-Options: nosniff ✓
- Content-Security-Policy headerrecommended
No Content-Security-Policy header. Add CSP to prevent XSS and other injection attacks
- Referrer-Policy headerrecommended
No Referrer-Policy header. Add Referrer-Policy: strict-origin-when-cross-origin
- security.txt presentoptional
No security.txt. Create /.well-known/security.txt with Contact and Expires fields (RFC 9116)
- security.txt validoptional
No security.txt configured
- HTTP/3 (QUIC) supportedoptional
HTTP/3 (QUIC v1) on port 443 Detection methods: QUIC probe: inconclusive (no reply — trigger may be dropped or UDP/443 filtered) Alt-Svc header: h3=":443" Cache: 24h (ma=86400)
- QUIC UDP reachableinfo
QUIC probe inconclusive (no reply — trigger may be dropped or UDP/443 filtered). Not a negative signal; h3 is judged from Alt-Svc / HTTPS record
- HTTPS DNS record (SVCB)optional
HTTPS record found but no h3 ALPN (h2)
Issues found (6)
DNSSEC validation fails
DNSSEC is configured but validation fails. This can make your domain unreachable!
Learn moreRecord TTL exceeds RRSIG validity
Some DNS record TTLs are longer than their RRSIG signature validity. Cached records may outlive their signatures, causing validation failures
Learn moreDNSSEC chain of trust incomplete
The DNSSEC chain requires DNSKEY, DS, and RRSIG records to be present. Missing components break the chain of trust
Learn moreNo IPv6 (AAAA) records
Your domain is not reachable via IPv6. IPv6 is becoming increasingly important
Learn moreExcessive verification TXT records
Your domain has many third-party verification records. These reveal your tech stack to potential attackers (reconnaissance). Review and remove unused verifications
Learn moreRecommendations (4)
Fix DNSSEC validation
Your DNSSEC configuration is incorrect. Check the DS records with your registrar and DNSKEY records in your zone. This is CRITICAL!
Impact: Your domain may become unreachable for users who validate DNSSEC
Add IPv6 support
Request AAAA records from your hosting provider for your website. IPv6 is becoming increasingly important.
Impact: Makes your website accessible to IPv6-only networks
IPv6 for mail servers
Add AAAA records for your MX servers to support email via IPv6.
Impact: Improves email reachability for IPv6 networks
Review verification TXT records
Your domain has many third-party verification records that reveal your tech stack (Google, Microsoft, Atlassian, etc.). Review each one: 1) Remove records for services no longer used 2) Consider if each service really needs domain verification 3) Use a subdomain for less critical services. This is an information disclosure issue - attackers can map your SaaS footprint.
Impact: Reduces reconnaissance surface and limits attacker knowledge of your infrastructure
About this report
IntoDNS.AI evaluates atlassian.com against DNS hygiene, email authentication, and transport-security best practices, scoring each check and rolling them up into an overall grade. Results reflect public DNS as observed on June 10, 2026 and may differ from a live scan if the domain has since changed its configuration.
Want to check your own domain? Scan any domain on the homepage.
Last analyzed: June 10, 2026 · Google Public DNS