DNS & Email Security Report for kali.org

An automated analysis of kali.org's DNS configuration, email authentication (SPF, DKIM, DMARC), DNSSEC chain, IPv6 readiness, and transport security. Last analyzed June 10, 2026.

C75/100
Average

Adequate security, improvements recommended

Overall security score: 75/100 · Grade C (Average)

This report is a cached snapshot

DNS changes frequently. Run a fresh, interactive scan of kali.org for live records, propagation, and deep checks.

Run a fresh live scan

Detailed check results

DNS

100%pass
  • A record presentcritical

    2 A record(s) found

  • AAAA record presentrecommended

    2 AAAA record(s) found

  • MX records presentrecommended

    5 MX record(s) found

  • NS records presentcritical

    2 NS record(s) found

  • SOA record presentcritical

    SOA record found

  • Multiple nameserversrecommended

    2 nameservers configured ✓

  • SOA serial formatinfo

    Serial 2405291011 (valid, managed DNS format)

  • SOA timers validinfo

    Refresh: 10000s ✓, Retry: 2400s ✓, Expire: 604800s ✓

  • No lame nameserversinfo

    2 NS all responding ✓

  • Glue records presentinfo

    No glue needed

  • WWW record configuredinfo

    A record matches apex

  • MX servers have PTR recordsinfo

    10 MX IPs all have PTR records ✓

  • MX servers have FCrDNSinfo

    10 MX IPs have forward-confirmed reverse DNS ✓

DNSSEC

59%warning
  • DNSSEC signedrecommended

    DNSSEC is enabled ✓

  • DNSSEC validation OKcritical

    DNSSEC validation failed! Check DS records at registrar match DNSKEY at nameserver

  • NSEC3 RFC 9276 compliantrecommended

    Not applicable (domain uses NSEC or is not DNSSEC-signed)

  • RRSIG signatures validrecommended

    RRSIG signature expires in 1 days — renewal needed

  • Modern DNSSEC algorithmoptional

    ECDSA P-256 (algorithm 13) — modern ✓

  • DS digest algorithm modernrecommended

    Not applicable (no DS records or DNSSEC not enabled)

  • DNSKEY algorithm secureoptional

    DNSKEY: ECDSA P-256 — modern ✓

  • RRSIG TTL saferecommended

    Record TTLs do not exceed RRSIG validity periods ✓

  • Chain of trust completecritical

    Incomplete chain: missing DS. All three (DNSKEY + DS + RRSIG) are needed for full DNSSEC

IPv6

100%pass
  • Website reachable via IPv6recommended

    2 AAAA record(s) ✓

  • Mail servers reachable via IPv6recommended

    5/5 MX server(s) with IPv6 ✓

  • Nameservers reachable via IPv6recommended

    2/2 NS server(s) with IPv6 ✓

Email security

57%warning
  • SPF record presentcritical

    v=spf1 a ip4:208.88.127.98 ip4:52.44.83.41 include:_spf.google.com include:sendgrid.net ~all

  • SPF syntax validcritical

    SPF syntax is correct ✓

  • SPF policy strict (-all)recommended

    SPF uses ~all or ?all. Change to -all for strict enforcement

  • DKIM foundrecommended

    DKIM selector: google ✓

  • DMARC record presentrecommended

    v=DMARC1; p=none; rua=mailto:[email protected],mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

  • DMARC policy quarantine or betterrecommended

    DMARC policy: none. Set p=quarantine or p=reject

  • DMARC policy rejectoptional

    DMARC policy: none. Set p=reject for maximum protection

  • BIMI record presentoptional

    No BIMI record. Add TXT at default._bimi with logo URL (requires DMARC p=quarantine+)

  • BIMI configuration validoptional

    No BIMI configured

  • MTA-STS record presentoptional

    No MTA-STS. Add TXT at _mta-sts and host policy at /.well-known/mta-sts.txt

  • MTA-STS policy enforcedoptional

    MTA-STS not configured

  • MX records validcritical

    5 MX record(s) ✓

  • MX domains use DNSSECrecommended

    0/1 MX domain(s) have DNSSEC. Ask your mail provider to enable DNSSEC

  • MX DNSSEC validation OKrecommended

    DNSSEC not enabled for MX domains

  • Mail servers not blacklistedcritical

    1 MX server(s) checked against 16 blacklists - clean ✓

  • No critical blacklist listingscritical

    No blacklist listings ✓

Web security

71%warning
  • CAA records presentrecommended

    12 CAA record(s) ✓

  • CAA policy strictoptional

    CAA limits certificate authorities ✓

  • TLSA records (DANE)optional

    No TLSA/DANE records. Add TLSA at _25._tcp.mail for DANE email encryption

  • DANE configuration validoptional

    No DANE configured

  • No sensitive info in TXTcritical

    No sensitive data leaked ✓

  • Verification records reviewedinfo

    2 verification record(s): Google, Microsoft 365. Consider if all are still needed

  • HTTPS availablecritical

    HTTPS working (status 200) ✓

  • Valid certificatecritical

    Certificate chain is valid and trusted ✓

  • HTTP redirects to HTTPScritical

    HTTP automatically redirects to HTTPS ✓

  • HSTS enabledrecommended

    HSTS enabled (max-age=2592000) ✓

  • HSTS max-age >= 1 yearoptional

    max-age=2592000 is too short. Set to 31536000 (1 year) or higher

  • X-Frame-Options headerrecommended

    X-Frame-Options: SAMEORIGIN ✓

  • X-Content-Type-Options headerrecommended

    X-Content-Type-Options: nosniff ✓

  • Content-Security-Policy headerrecommended

    No Content-Security-Policy header. Add CSP to prevent XSS and other injection attacks

  • Referrer-Policy headerrecommended

    Referrer-Policy: same-origin ✓

  • security.txt presentoptional

    Contact: security at offsec dot com

  • security.txt validoptional

    security.txt missing required fields. Must have Contact: and Expires: per RFC 9116

  • HTTP/3 (QUIC) supportedoptional

    HTTP/3 (QUIC v1) on port 443 Detection methods: QUIC probe: QUIC v1 (RFC 9000) (7ms)

  • QUIC UDP reachableoptional

    QUIC reachable on UDP/443 (7ms) — QUIC v1 (RFC 9000) ✓

  • HTTPS DNS record (SVCB)optional

    HTTPS record found but no h3 ALPN (h2)

Issues found (3)

DNSSEC validation fails

DNSSEC is configured but validation fails. This can make your domain unreachable!

Learn more

DNSSEC chain of trust incomplete

The DNSSEC chain requires DNSKEY, DS, and RRSIG records to be present. Missing components break the chain of trust

Learn more

DMARC policy too lenient

Your DMARC policy is set to "none". Use "quarantine" or "reject" for better protection

Learn more

Recommendations (2)

Fix DNSSEC validation

Your DNSSEC configuration is incorrect. Check the DS records with your registrar and DNSKEY records in your zone. This is CRITICAL!

Impact: Your domain may become unreachable for users who validate DNSSEC

Strengthen DMARC policy

Change your DMARC policy from "none" to "quarantine" or "reject" for better protection.

Impact: Increases email security and prevents abuse

About this report

IntoDNS.AI evaluates kali.org against DNS hygiene, email authentication, and transport-security best practices, scoring each check and rolling them up into an overall grade. Results reflect public DNS as observed on June 10, 2026 and may differ from a live scan if the domain has since changed its configuration.

Want to check your own domain? Scan any domain on the homepage.

Last analyzed: June 10, 2026 · Google Public DNS