DNS & Email Security Report for censys.io

• A record presentcritical

  2 A record(s) found

• AAAA record presentrecommended

  2 AAAA record(s) found

• MX records presentrecommended

  5 MX record(s) found

• NS records presentcritical

  2 NS record(s) found

• SOA record presentcritical

  SOA record found

• Multiple nameserversrecommended

  2 nameservers configured ✓

• SOA serial formatinfo

  Serial 2406525922 (valid, managed DNS format)

• SOA timers validinfo

  Refresh: 10000s ✓, Retry: 2400s ✓, Expire: 604800s ✓

• No lame nameserversinfo

  2 NS all responding ✓

• Glue records presentinfo

  No glue needed

• WWW record configuredinfo

  A record matches apex

• MX servers have PTR recordsinfo

  10 MX IPs all have PTR records ✓

• MX servers have FCrDNSinfo

  10 MX IPs have forward-confirmed reverse DNS ✓

• DNSSEC signedrecommended

  DNSSEC not configured. Enable DNSSEC at your domain registrar to protect against DNS spoofing

• DNSSEC validation OKcritical

  Not applicable (DNSSEC not enabled)

• NSEC3 RFC 9276 compliantrecommended

  Not applicable (domain uses NSEC or is not DNSSEC-signed)

• RRSIG signatures validrecommended

  Not applicable (DNSSEC not enabled)

• Modern DNSSEC algorithmoptional

  Not applicable (DNSSEC not enabled)

• DS digest algorithm modernrecommended

  Not applicable (no DS records or DNSSEC not enabled)

• DNSKEY algorithm secureoptional

  Not applicable (DNSSEC not enabled)

• RRSIG TTL saferecommended

  Not applicable (DNSSEC not enabled or no RRSIG data)

• Chain of trust completecritical

  DNSSEC not enabled

• Website reachable via IPv6recommended

  2 AAAA record(s) ✓

• Mail servers reachable via IPv6recommended

  5/5 MX server(s) with IPv6 ✓

• Nameservers reachable via IPv6recommended

  2/2 NS server(s) with IPv6 ✓

• SPF record presentcritical

  v=spf1 include:_spf.google.com include:mail.zendesk.com include:sendgrid.net include:spf.mandrillapp.com include:mktomail.com ~all

• SPF syntax validcritical

  SPF syntax is correct ✓

• SPF policy strict (-all)recommended

  SPF uses ~all or ?all. Change to -all for strict enforcement

• DKIM foundrecommended

  DKIM selector: s1 ✓

• DMARC record presentrecommended

  v=DMARC1; p=none; rua=mailto:[email protected],mailto:[email protected]

• DMARC policy quarantine or betterrecommended

  DMARC policy: none. Set p=quarantine or p=reject

• DMARC policy rejectoptional

  DMARC policy: none. Set p=reject for maximum protection

• BIMI record presentoptional

  No BIMI record. Add TXT at default._bimi with logo URL (requires DMARC p=quarantine+)

• BIMI configuration validoptional

  No BIMI configured

• MTA-STS record presentoptional

  No MTA-STS. Add TXT at _mta-sts and host policy at /.well-known/mta-sts.txt

• MTA-STS policy enforcedoptional

  MTA-STS not configured

• MX records validcritical

  5 MX record(s) ✓

• MX domains use DNSSECrecommended

  0/1 MX domain(s) have DNSSEC. Ask your mail provider to enable DNSSEC

• MX DNSSEC validation OKrecommended

  DNSSEC not enabled for MX domains

• Mail servers not blacklistedcritical

  1 MX server(s) checked against 16 blacklists - clean ✓

• No critical blacklist listingscritical

  No blacklist listings ✓

• CAA records presentrecommended

  14 CAA record(s) ✓

• CAA policy strictoptional

  CAA limits certificate authorities ✓

• TLSA records (DANE)optional

  No TLSA/DANE records. Add TLSA at _25._tcp.mail for DANE email encryption

• DANE configuration validoptional

  No DANE configured

• No sensitive info in TXTcritical

  No sensitive data leaked ✓

• Verification records reviewedinfo

  8 verification records found (Adobe IDP, Miro, Zoom, Google, DocuSign...). Review these - they reveal your tech stack to attackers. Remove unused service verifications

• HTTPS availablecritical

  HTTPS working (status 200) ✓

• Valid certificatecritical

  Certificate chain is valid and trusted ✓

• HTTP redirects to HTTPScritical

  HTTP automatically redirects to HTTPS ✓

• HSTS enabledrecommended

  HSTS enabled (max-age=31536000, includeSubDomains) ✓

• HSTS max-age >= 1 yearoptional

  max-age=31536000 (≥1 year) ✓

• X-Frame-Options headerrecommended

  X-Frame-Options: SAMEORIGIN ✓

• X-Content-Type-Options headerrecommended

  X-Content-Type-Options: nosniff ✓

• Content-Security-Policy headerrecommended

  No Content-Security-Policy header. Add CSP to prevent XSS and other injection attacks

• Referrer-Policy headerrecommended

  Referrer-Policy: strict-origin-when-cross-origin ✓

• security.txt presentoptional

  No security.txt. Create /.well-known/security.txt with Contact and Expires fields (RFC 9116)

• security.txt validoptional

  No security.txt configured

• HTTP/3 (QUIC) supportedoptional

  HTTP/3 (QUIC v1) on port 443 Detection methods: QUIC probe: QUIC v1 (RFC 9000) (7ms) Alt-Svc header: h3=":443" Cache: 24h (ma=86400)

• QUIC UDP reachableoptional

  QUIC reachable on UDP/443 (7ms) — QUIC v1 (RFC 9000) ✓

• HTTPS DNS record (SVCB)optional

  HTTPS record found but no h3 ALPN (h2)

Implement DNSSEC

Activate DNSSEC with your domain registrar and add the DS records to your parent zone. This protects against DNS spoofing attacks.

Impact: Significantly increases security and prevents DNS manipulation

Strengthen DMARC policy

Change your DMARC policy from "none" to "quarantine" or "reject" for better protection.

Impact: Increases email security and prevents abuse

Review verification TXT records

Your domain has many third-party verification records that reveal your tech stack (Google, Microsoft, Atlassian, etc.). Review each one: 1) Remove records for services no longer used 2) Consider if each service really needs domain verification 3) Use a subdomain for less critical services. This is an information disclosure issue - attackers can map your SaaS footprint.

Impact: Reduces reconnaissance surface and limits attacker knowledge of your infrastructure