DNS & Email Security Report for haveibeenpwned.com
An automated analysis of haveibeenpwned.com's DNS configuration, email authentication (SPF, DKIM, DMARC), DNSSEC chain, IPv6 readiness, and transport security. Last analyzed June 10, 2026.
Adequate security, improvements recommended
Overall security score: 83/100 · Grade C (Average)
This report is a cached snapshot
DNS changes frequently. Run a fresh, interactive scan of haveibeenpwned.com for live records, propagation, and deep checks.
Detailed check results
DNS
- A record presentcritical
2 A record(s) found
- AAAA record presentrecommended
2 AAAA record(s) found
- MX records presentrecommended
2 MX record(s) found
- NS records presentcritical
2 NS record(s) found
- SOA record presentcritical
SOA record found
- Multiple nameserversrecommended
2 nameservers configured ✓
- SOA serial formatinfo
Serial 2405320962 (valid, managed DNS format)
- SOA timers validinfo
Refresh: 10000s ✓, Retry: 2400s ✓, Expire: 604800s ✓
- No lame nameserversinfo
2 NS all responding ✓
- Glue records presentinfo
No glue needed
- WWW record configuredinfo
A record matches apex
- MX servers have PTR recordsinfo
2 MX IPs all have PTR records ✓
- MX servers have FCrDNSinfo
2 MX IPs have forward-confirmed reverse DNS ✓
DNSSEC
- DNSSEC signedrecommended
DNSSEC is enabled ✓
- DNSSEC validation OKcritical
DNSSEC validates correctly ✓
- NSEC3 RFC 9276 compliantrecommended
Not applicable (domain uses NSEC or is not DNSSEC-signed)
- RRSIG signatures validrecommended
RRSIG signature expires in 1 days — renewal needed
- Modern DNSSEC algorithmoptional
ECDSA P-256 (algorithm 13) — modern ✓
- DS digest algorithm modernrecommended
DS digest: SHA-256 — modern ✓
- DNSKEY algorithm secureoptional
DNSKEY: ECDSA P-256 — modern ✓
- RRSIG TTL saferecommended
Record TTLs do not exceed RRSIG validity periods ✓
- Chain of trust completecritical
Complete chain: DNSKEY + DS + RRSIG ✓
IPv6
- Website reachable via IPv6recommended
2 AAAA record(s) ✓
- Mail servers reachable via IPv6recommended
0/2 MX servers have IPv6. Add AAAA records for your mail servers
- Nameservers reachable via IPv6recommended
2/2 NS server(s) with IPv6 ✓
Email security
- SPF record presentcritical
v=spf1 include:mailgun.org include:sendgrid.net include:mail.zendesk.com -all
- SPF syntax validcritical
SPF syntax is correct ✓
- SPF policy strict (-all)recommended
SPF uses -all (hard fail) ✓
- DKIM foundrecommended
DKIM selector: s1 ✓
- DMARC record presentrecommended
v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; aspf=r; adkim=r
- DMARC policy quarantine or betterrecommended
DMARC policy: reject ✓
- DMARC policy rejectoptional
DMARC policy: reject ✓
- BIMI record presentoptional
BIMI logo: https://haveibeenpwned.com/Content/Images/HIBPThumbnailLogo.svg
- BIMI configuration validoptional
BIMI correctly configured ✓
- MTA-STS record presentoptional
No MTA-STS. Add TXT at _mta-sts and host policy at /.well-known/mta-sts.txt
- MTA-STS policy enforcedoptional
MTA-STS not configured
- MX records validcritical
2 MX record(s) ✓
- MX domains use DNSSECrecommended
0/1 MX domain(s) have DNSSEC. Ask your mail provider to enable DNSSEC
- MX DNSSEC validation OKrecommended
DNSSEC not enabled for MX domains
- Mail servers not blacklistedcritical
1/1 MX server(s) blacklisted: mxb.mailgun.org on UCEPROTECT L2
- No critical blacklist listingscritical
No critical listings, but some servers are on blacklists
Web security
- CAA records presentrecommended
12 CAA record(s) ✓
- CAA policy strictoptional
CAA limits certificate authorities ✓
- TLSA records (DANE)optional
No TLSA/DANE records. Add TLSA at _25._tcp.mail for DANE email encryption
- DANE configuration validoptional
No DANE configured
- No sensitive info in TXTcritical
No sensitive data leaked ✓
- Verification records reviewedinfo
1 verification record(s): Google. Consider if all are still needed
- HTTPS availablecritical
HTTPS working (status 200) ✓
- Valid certificatecritical
Certificate chain is valid and trusted ✓
- HTTP redirects to HTTPScritical
HTTP automatically redirects to HTTPS ✓
- HSTS enabledrecommended
HSTS enabled (max-age=31536000, includeSubDomains, preload) ✓
- HSTS max-age >= 1 yearoptional
max-age=31536000 (≥1 year) ✓
- X-Frame-Options headerrecommended
X-Frame-Options: DENY ✓
- X-Content-Type-Options headerrecommended
X-Content-Type-Options: nosniff ✓
- Content-Security-Policy headerrecommended
Content-Security-Policy configured ✓
- Referrer-Policy headerrecommended
Referrer-Policy: no-referrer-when-downgrade ✓
- security.txt presentoptional
Contact: https://twitter.com/troyhunt
- security.txt validoptional
security.txt missing required fields. Must have Contact: and Expires: per RFC 9116
- HTTP/3 (QUIC) supportedoptional
HTTP/3 (QUIC v1) on port 443 Detection methods: QUIC probe: QUIC v1 (RFC 9000) (10ms) Alt-Svc header: h3=":443" Cache: 24h (ma=86400) HTTPS DNS record: alpn="h3, h2" Encrypted Client Hello (ECH): supported
- QUIC UDP reachableoptional
QUIC reachable on UDP/443 (10ms) — QUIC v1 (RFC 9000) ✓
- HTTPS DNS record (SVCB)optional
HTTPS record advertises h3, h2 ✓ + ECH
Issues found (1)
Recommendations (1)
IPv6 for mail servers
Add AAAA records for your MX servers to support email via IPv6.
Impact: Improves email reachability for IPv6 networks
About this report
IntoDNS.AI evaluates haveibeenpwned.com against DNS hygiene, email authentication, and transport-security best practices, scoring each check and rolling them up into an overall grade. Results reflect public DNS as observed on June 10, 2026 and may differ from a live scan if the domain has since changed its configuration.
Want to check your own domain? Scan any domain on the homepage.
Last analyzed: June 10, 2026 · Google Public DNS