DNS & Email Security Report for cloudflare.com

An automated analysis of cloudflare.com's DNS configuration, email authentication (SPF, DKIM, DMARC), DNSSEC chain, IPv6 readiness, and transport security. Last analyzed June 10, 2026.

A92/100
Very Good

Strong security posture

Overall security score: 92/100 · Grade A (Very Good)

This report is a cached snapshot

DNS changes frequently. Run a fresh, interactive scan of cloudflare.com for live records, propagation, and deep checks.

Run a fresh live scan

Detailed check results

DNS

100%pass
  • A record presentcritical

    2 A record(s) found

  • AAAA record presentrecommended

    2 AAAA record(s) found

  • MX records presentrecommended

    4 MX record(s) found

  • NS records presentcritical

    5 NS record(s) found

  • SOA record presentcritical

    SOA record found

  • Multiple nameserversrecommended

    5 nameservers configured ✓

  • SOA serial formatinfo

    Serial 2406475289 (valid, managed DNS format)

  • SOA timers validinfo

    Refresh: 10000s ✓, Retry: 2400s ✓, Expire: 604800s ✓

  • No lame nameserversinfo

    5 NS all responding ✓

  • Glue records presentinfo

    20 glue record(s)

  • WWW record configuredinfo

    A: 104.16.124.96

  • MX servers have PTR recordsinfo

    0/3 MX IPs have PTR. Configure reverse DNS for your mail servers

  • MX servers have FCrDNSinfo

    0/3 MX IPs have FCrDNS. PTR hostnames must resolve back to the original IP.

DNSSEC

100%pass
  • DNSSEC signedrecommended

    DNSSEC is enabled ✓

  • DNSSEC validation OKcritical

    DNSSEC validates correctly ✓

  • NSEC3 RFC 9276 compliantrecommended

    Not applicable (domain uses NSEC or is not DNSSEC-signed)

  • RRSIG signatures validrecommended

    RRSIG signature expires in 1 days — renewal needed

  • Modern DNSSEC algorithmoptional

    ECDSA P-256 (algorithm 13) — modern ✓

  • DS digest algorithm modernrecommended

    DS digest: SHA-256 — modern ✓

  • DNSKEY algorithm secureoptional

    DNSKEY: ECDSA P-256 — modern ✓

  • RRSIG TTL saferecommended

    Record TTLs do not exceed RRSIG validity periods ✓

  • Chain of trust completecritical

    Complete chain: DNSKEY + DS + RRSIG ✓

IPv6

70%warning
  • Website reachable via IPv6recommended

    2 AAAA record(s) ✓

  • Mail servers reachable via IPv6recommended

    0/4 MX servers have IPv6. Add AAAA records for your mail servers

  • Nameservers reachable via IPv6recommended

    5/5 NS server(s) with IPv6 ✓

Email security

93%pass
  • SPF record presentcritical

    v=spf1 ip4:199.15.212.0/22 ip4:173.245.48.0/20 include:_spf.google.com include:spf1.mcsv.net include:spf.mandrillapp.com include:mail.zendesk.com include:stspg-customer.com include:_spf.salesforce.com -all

  • SPF syntax validcritical

    SPF syntax is correct ✓

  • SPF policy strict (-all)recommended

    SPF uses -all (hard fail) ✓

  • DKIM foundrecommended

    DKIM selector: k1 ✓

  • DMARC record presentrecommended

    v=DMARC1; p=reject; pct=100; rua=mailto:[email protected],mailto:[email protected]

  • DMARC policy quarantine or betterrecommended

    DMARC policy: reject ✓

  • DMARC policy rejectoptional

    DMARC policy: reject ✓

  • BIMI record presentoptional

    BIMI logo: https://www.cloudflare.com/cloudflare_1171114652.svg

  • BIMI configuration validoptional

    BIMI correctly configured ✓

  • MTA-STS record presentoptional

    No MTA-STS. Add TXT at _mta-sts and host policy at /.well-known/mta-sts.txt

  • MTA-STS policy enforcedoptional

    MTA-STS not configured

  • MX records validcritical

    4 MX record(s) ✓

  • MX domains use DNSSECrecommended

    1/1 MX domain(s) use DNSSEC ✓

  • MX DNSSEC validation OKrecommended

    MX DNSSEC validates correctly ✓

  • Mail servers not blacklistedcritical

    1 MX server(s) checked against 16 blacklists - clean ✓

  • No critical blacklist listingscritical

    No blacklist listings ✓

Web security

96%pass
  • CAA records presentrecommended

    11 CAA record(s) ✓

  • CAA policy strictoptional

    CAA limits certificate authorities ✓

  • TLSA records (DANE)optional

    10 DANE record(s) - configured according to best practices

  • DANE configuration validoptional

    DANE records meet best practices ✓

  • No sensitive info in TXTcritical

    No sensitive data leaked ✓

  • Verification records reviewedinfo

    11 verification records found (Zoom, Stripe, Google, Miro, Microsoft 365...). Review these - they reveal your tech stack to attackers. Remove unused service verifications

  • HTTPS availablecritical

    HTTPS working (status 200) ✓

  • Valid certificatecritical

    Certificate chain is valid and trusted ✓

  • HTTP redirects to HTTPScritical

    HTTP automatically redirects to HTTPS ✓

  • HSTS enabledrecommended

    HSTS enabled (max-age=31536000, includeSubDomains) ✓

  • HSTS max-age >= 1 yearoptional

    max-age=31536000 (≥1 year) ✓

  • X-Frame-Options headerrecommended

    X-Frame-Options: SAMEORIGIN ✓

  • X-Content-Type-Options headerrecommended

    X-Content-Type-Options: nosniff ✓

  • Content-Security-Policy headerrecommended

    Content-Security-Policy configured ✓

  • Referrer-Policy headerrecommended

    Referrer-Policy: strict-origin-when-cross-origin ✓

  • security.txt presentoptional

    Contact: https://www.cloudflare.com/abuse/

  • security.txt validoptional

    security.txt missing required fields. Must have Contact: and Expires: per RFC 9116

  • HTTP/3 (QUIC) supportedoptional

    HTTP/3 (QUIC v1) on port 443 Detection methods: QUIC probe: QUIC v1 (RFC 9000) (9ms) Alt-Svc header: h3=":443" Cache: 24h (ma=86400) HTTPS DNS record: alpn="h3, h2"

  • QUIC UDP reachableoptional

    QUIC reachable on UDP/443 (9ms) — QUIC v1 (RFC 9000) ✓

  • HTTPS DNS record (SVCB)optional

    HTTPS record advertises h3, h2 ✓

Issues found (3)

Mail server reverse DNS missing

One or more MX server IPs do not have a PTR record. Mail receivers treat missing reverse DNS as a deliverability risk.

Learn more

Mail servers have no IPv6

Your mail servers are not reachable via IPv6

Learn more

Excessive verification TXT records

Your domain has many third-party verification records. These reveal your tech stack to potential attackers (reconnaissance). Review and remove unused verifications

Learn more

Recommendations (3)

Configure reverse DNS for mail servers

Ask the owner of each mail server IP address to set a PTR record, for example 203.0.113.10 -> mail.yourdomain.com.

Impact: Improves mail-server trust signals and reduces deliverability risk

IPv6 for mail servers

Add AAAA records for your MX servers to support email via IPv6.

Impact: Improves email reachability for IPv6 networks

Review verification TXT records

Your domain has many third-party verification records that reveal your tech stack (Google, Microsoft, Atlassian, etc.). Review each one: 1) Remove records for services no longer used 2) Consider if each service really needs domain verification 3) Use a subdomain for less critical services. This is an information disclosure issue - attackers can map your SaaS footprint.

Impact: Reduces reconnaissance surface and limits attacker knowledge of your infrastructure

About this report

IntoDNS.AI evaluates cloudflare.com against DNS hygiene, email authentication, and transport-security best practices, scoring each check and rolling them up into an overall grade. Results reflect public DNS as observed on June 10, 2026 and may differ from a live scan if the domain has since changed its configuration.

Want to check your own domain? Scan any domain on the homepage.

Last analyzed: June 10, 2026 · Google Public DNS