DNS & Email Security Report for dmarcian.com

An automated analysis of dmarcian.com's DNS configuration, email authentication (SPF, DKIM, DMARC), DNSSEC chain, IPv6 readiness, and transport security. Last analyzed June 10, 2026.

C79/100
Average

Adequate security, improvements recommended

Overall security score: 79/100 · Grade C (Average)

This report is a cached snapshot

DNS changes frequently. Run a fresh, interactive scan of dmarcian.com for live records, propagation, and deep checks.

Run a fresh live scan

Detailed check results

DNS

73%warning
  • A record presentcritical

    2 A record(s) found

  • AAAA record presentrecommended

    No AAAA records

  • MX records presentrecommended

    4 MX record(s) found

  • NS records presentcritical

    4 NS record(s) found

  • SOA record presentcritical

    SOA record found

  • Multiple nameserversrecommended

    4 nameservers configured ✓

  • SOA serial formatinfo

    Serial 12 (valid, managed DNS format)

  • SOA timers validinfo

    Refresh: 21600s ✓, Retry: 3600s ✓, Expire: 259200s ✗. Expire should be 604800-2419200s (1-4 weeks)

  • No lame nameserversinfo

    4 NS all responding ✓

  • Glue records presentinfo

    No glue needed

  • WWW record configuredinfo

    CNAME: 1jc8z3g48onw.wpeproxy.com

  • MX servers have PTR recordsinfo

    0/8 MX IPs have PTR. Configure reverse DNS for your mail servers

  • MX servers have FCrDNSinfo

    0/8 MX IPs have FCrDNS. PTR hostnames must resolve back to the original IP.

DNSSEC

93%pass
  • DNSSEC signedrecommended

    DNSSEC is enabled ✓

  • DNSSEC validation OKcritical

    DNSSEC validates correctly ✓

  • NSEC3 RFC 9276 compliantrecommended

    NSEC3 not RFC 9276 compliant: iterations=1 (must be 0), salt="1e88270bb0072e63" (must be empty). Modern resolvers may reject this zone

  • RRSIG signatures validrecommended

    RRSIG signatures valid, earliest expiry in 20 days ✓

  • Modern DNSSEC algorithmoptional

    RSA/SHA-256 (algorithm 8) — acceptable ✓

  • DS digest algorithm modernrecommended

    DS digest: SHA-256 — modern ✓

  • DNSKEY algorithm secureoptional

    DNSKEY: RSA/SHA-256 — acceptable, consider ECDSA (13) or Ed25519 (15)

  • RRSIG TTL saferecommended

    Record TTLs do not exceed RRSIG validity periods ✓

  • Chain of trust completecritical

    Complete chain: DNSKEY + DS + RRSIG ✓

IPv6

60%warning
  • Website reachable via IPv6recommended

    No IPv6 for website. Add AAAA record pointing to your IPv6 address

  • Mail servers reachable via IPv6recommended

    4/4 MX server(s) with IPv6 ✓

  • Nameservers reachable via IPv6recommended

    4/4 NS server(s) with IPv6 ✓

Email security

95%pass
  • SPF record presentcritical

    v=spf1 include:_spf.google.com -all

  • SPF syntax validcritical

    SPF syntax is correct ✓

  • SPF policy strict (-all)recommended

    SPF uses -all (hard fail) ✓

  • DKIM foundrecommended

    DKIM selector: k1 ✓

  • DMARC record presentrecommended

    v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected];

  • DMARC policy quarantine or betterrecommended

    DMARC policy: reject ✓

  • DMARC policy rejectoptional

    DMARC policy: reject ✓

  • BIMI record presentoptional

    BIMI logo: https://dmarcian.com/wp-content/themes/_dmarcian/img/bimi/dm_bimi.svg

  • BIMI configuration validoptional

    BIMI correctly configured ✓

  • MTA-STS record presentoptional

    MTA-STS configured ✓

  • MTA-STS policy enforcedoptional

    MTA-STS mode: testing. Set mode: enforce for full protection

  • MX records validcritical

    4 MX record(s) ✓

  • MX domains use DNSSECrecommended

    1/1 MX domain(s) use DNSSEC ✓

  • MX DNSSEC validation OKrecommended

    MX DNSSEC validates correctly ✓

  • Mail servers not blacklistedcritical

    1 MX server(s) checked against 16 blacklists - clean ✓

  • No critical blacklist listingscritical

    No blacklist listings ✓

Web security

63%warning
  • CAA records presentrecommended

    No CAA records. Add CAA record to specify allowed certificate authorities

  • CAA policy strictoptional

    CAA not strict. Add CAA 0 issue "letsencrypt.org" (or your CA) to restrict issuance

  • TLSA records (DANE)optional

    No TLSA/DANE records. Add TLSA at _25._tcp.mail for DANE email encryption

  • DANE configuration validoptional

    No DANE configured

  • No sensitive info in TXTcritical

    No sensitive data leaked ✓

  • Verification records reviewedinfo

    4 verification record(s): Google, Have I Been Pwned, Apple, Microsoft 365. Consider if all are still needed

  • HTTPS availablecritical

    HTTPS working (status 200) ✓

  • Valid certificatecritical

    Certificate chain is valid and trusted ✓

  • HTTP redirects to HTTPScritical

    HTTP automatically redirects to HTTPS ✓

  • HSTS enabledrecommended

    No HSTS header. Add Strict-Transport-Security header with max-age of at least 31536000 (1 year)

  • HSTS max-age >= 1 yearoptional

    HSTS not enabled

  • X-Frame-Options headerrecommended

    X-Frame-Options: DENY ✓

  • X-Content-Type-Options headerrecommended

    X-Content-Type-Options: nosniff ✓

  • Content-Security-Policy headerrecommended

    Content-Security-Policy configured ✓

  • Referrer-Policy headerrecommended

    Referrer-Policy: no-referrer-when-downgrade ✓

  • security.txt presentoptional

    security.txt found

  • security.txt validoptional

    security.txt missing required fields. Must have Contact: and Expires: per RFC 9116

  • HTTP/3 (QUIC) supportedoptional

    HTTP/3 (QUIC v1) on port 443 Detection methods: QUIC probe: QUIC v1 (RFC 9000) (8ms) Alt-Svc header: h3=":443" Cache: 24h (ma=86400)

  • QUIC UDP reachableoptional

    QUIC reachable on UDP/443 (8ms) — QUIC v1 (RFC 9000) ✓

  • HTTPS DNS record (SVCB)optional

    No HTTPS DNS record (type 65). Add HTTPS record for faster HTTP/3 discovery: dmarcian.com IN HTTPS 1 . alpn="h3,h2"

Issues found (4)

Mail server reverse DNS missing

One or more MX server IPs do not have a PTR record. Mail receivers treat missing reverse DNS as a deliverability risk.

Learn more

NSEC3 parameters not RFC 9276 compliant

NSEC3 iterations must be 0 and salt must be empty per RFC 9276. Modern resolvers (Unbound 1.19+, BIND 9.19+) may treat your zone as insecure

Learn more

No IPv6 (AAAA) records

Your domain is not reachable via IPv6. IPv6 is becoming increasingly important

Learn more

No CAA records

CAA records determine which Certificate Authorities may issue SSL certificates

Learn more

Recommendations (3)

Configure reverse DNS for mail servers

Ask the owner of each mail server IP address to set a PTR record, for example 203.0.113.10 -> mail.yourdomain.com.

Impact: Improves mail-server trust signals and reduces deliverability risk

Add IPv6 support

Request AAAA records from your hosting provider for your website. IPv6 is becoming increasingly important.

Impact: Makes your website accessible to IPv6-only networks

Add CAA records

Define which Certificate Authorities may issue SSL certificates, for example: "0 issue letsencrypt.org"

Impact: Prevents unauthorized certificate issuance

About this report

IntoDNS.AI evaluates dmarcian.com against DNS hygiene, email authentication, and transport-security best practices, scoring each check and rolling them up into an overall grade. Results reflect public DNS as observed on June 10, 2026 and may differ from a live scan if the domain has since changed its configuration.

Want to check your own domain? Scan any domain on the homepage.

Last analyzed: June 10, 2026 · Google Public DNS