DNS & Email Security Report for knab.nl

An automated analysis of knab.nl's DNS configuration, email authentication (SPF, DKIM, DMARC), DNSSEC chain, IPv6 readiness, and transport security. Last analyzed June 10, 2026.

B81/100
Good

Good security, minor improvements possible

Overall security score: 81/100 · Grade B (Good)

This report is a cached snapshot

DNS changes frequently. Run a fresh, interactive scan of knab.nl for live records, propagation, and deep checks.

Run a fresh live scan

Detailed check results

DNS

73%warning
  • A record presentcritical

    4 A record(s) found

  • AAAA record presentrecommended

    No AAAA records

  • MX records presentrecommended

    1 MX record(s) found

  • NS records presentcritical

    4 NS record(s) found

  • SOA record presentcritical

    SOA record found

  • Multiple nameserversrecommended

    4 nameservers configured ✓

  • SOA serial formatinfo

    Serial 2024080718 (YYYYMMDDnn format)

  • SOA timers validinfo

    Refresh: 1200s ✓, Retry: 300s ✓, Expire: 1209600s ✓

  • No lame nameserversinfo

    4 NS all responding ✓

  • Glue records presentinfo

    No glue needed

  • WWW record configuredinfo

    CNAME: d209mmju53ddl9.cloudfront.net

  • MX servers have PTR recordsinfo

    8 MX IPs all have PTR records ✓

  • MX servers have FCrDNSinfo

    8 MX IPs have forward-confirmed reverse DNS ✓

DNSSEC

100%pass
  • DNSSEC signedrecommended

    DNSSEC is enabled ✓

  • DNSSEC validation OKcritical

    DNSSEC validates correctly ✓

  • NSEC3 RFC 9276 compliantrecommended

    Not applicable (domain uses NSEC or is not DNSSEC-signed)

  • RRSIG signatures validrecommended

    RRSIG signatures valid, earliest expiry in 9 days ✓

  • Modern DNSSEC algorithmoptional

    ECDSA P-256 (algorithm 13) — modern ✓

  • DS digest algorithm modernrecommended

    DS digest: SHA-256 — modern ✓

  • DNSKEY algorithm secureoptional

    DNSKEY: ECDSA P-256 — modern ✓

  • RRSIG TTL saferecommended

    Record TTLs do not exceed RRSIG validity periods ✓

  • Chain of trust completecritical

    Complete chain: DNSKEY + DS + RRSIG ✓

IPv6

60%warning
  • Website reachable via IPv6recommended

    No IPv6 for website. Add AAAA record pointing to your IPv6 address

  • Mail servers reachable via IPv6recommended

    1/1 MX server(s) with IPv6 ✓

  • Nameservers reachable via IPv6recommended

    4/4 NS server(s) with IPv6 ✓

Email security

93%pass
  • SPF record presentcritical

    v=spf1 mx include:spf.protection.outlook.com include:spf2.bawagpsk.com ip4:194.107.107.213/32 ip4:194.107.107.194/32 ip4:194.107.107.241/32 include:_spf.salesforce.com include:amazonses.com include:spf-00099f01.pphosted.com include:spf.afas.online -all

  • SPF syntax validcritical

    SPF syntax is correct ✓

  • SPF policy strict (-all)recommended

    SPF uses -all (hard fail) ✓

  • DKIM foundrecommended

    DKIM selector: selector1 ✓

  • DMARC record presentrecommended

    v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=reject; fo=1;

  • DMARC policy quarantine or betterrecommended

    DMARC policy: reject ✓

  • DMARC policy rejectoptional

    DMARC policy: reject ✓

  • BIMI record presentoptional

    BIMI logo: https://share.bawag.at/assets/animationen/allgemein/Knab%20logo%20white_250x250px.svg

  • BIMI configuration validoptional

    BIMI correctly configured ✓

  • MTA-STS record presentoptional

    No MTA-STS. Add TXT at _mta-sts and host policy at /.well-known/mta-sts.txt

  • MTA-STS policy enforcedoptional

    MTA-STS not configured

  • MX records validcritical

    1 MX record(s) ✓

  • MX domains use DNSSECrecommended

    1/1 MX domain(s) use DNSSEC ✓

  • MX DNSSEC validation OKrecommended

    MX DNSSEC validates correctly ✓

  • Mail servers not blacklistedcritical

    1 MX server(s) checked against 16 blacklists - clean ✓

  • No critical blacklist listingscritical

    No blacklist listings ✓

Web security

72%warning
  • CAA records presentrecommended

    7 CAA record(s) ✓

  • CAA policy strictoptional

    CAA limits certificate authorities ✓

  • TLSA records (DANE)optional

    No TLSA/DANE records. Add TLSA at _25._tcp.mail for DANE email encryption

  • DANE configuration validoptional

    No DANE configured

  • No sensitive info in TXTcritical

    No sensitive data leaked ✓

  • Verification records reviewedinfo

    5 verification record(s): Microsoft 365, Slack, Amazon SES, Atlassian, Google. Consider if all are still needed

  • HTTPS availablecritical

    HTTPS working (status 200) ✓

  • Valid certificatecritical

    Certificate chain is valid and trusted ✓

  • HTTP redirects to HTTPScritical

    HTTP automatically redirects to HTTPS ✓

  • HSTS enabledrecommended

    HSTS enabled (max-age=31536000, includeSubDomains) ✓

  • HSTS max-age >= 1 yearoptional

    max-age=31536000 (≥1 year) ✓

  • X-Frame-Options headerrecommended

    No X-Frame-Options header. Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking

  • X-Content-Type-Options headerrecommended

    X-Content-Type-Options: nosniff ✓

  • Content-Security-Policy headerrecommended

    Content-Security-Policy configured ✓

  • Referrer-Policy headerrecommended

    No Referrer-Policy header. Add Referrer-Policy: strict-origin-when-cross-origin

  • security.txt presentoptional

    Contact: [email protected]

  • security.txt validoptional

    security.txt has required Contact and Expires fields ✓

  • HTTP/3 (QUIC) supportedoptional

    No HTTP/3 support detected No h3 in Alt-Svc header No HTTPS DNS record (type 65) QUIC probe inconclusive (Inconclusive - no QUIC reply (trigger may be dropped or UDP/443 filtered)) — not a negative signal

  • QUIC UDP reachableinfo

    QUIC probe inconclusive (no reply — trigger may be dropped or UDP/443 filtered). Not a negative signal; h3 is judged from Alt-Svc / HTTPS record

  • HTTPS DNS record (SVCB)optional

    No HTTPS DNS record (type 65). Add HTTPS record for faster HTTP/3 discovery: knab.nl IN HTTPS 1 . alpn="h3,h2"

Issues found (2)

No IPv6 (AAAA) records

Your domain is not reachable via IPv6. IPv6 is becoming increasingly important

Learn more

No HTTP/3 (QUIC) support

HTTP/3 uses QUIC for faster, more resilient connections. Enable it on your web server and open UDP/443 in your firewall

Learn more

Recommendations (2)

Add IPv6 support

Request AAAA records from your hosting provider for your website. IPv6 is becoming increasingly important.

Impact: Makes your website accessible to IPv6-only networks

Enable HTTP/3 (QUIC)

Enable HTTP/3 for faster page loads and improved connection resilience. Nginx: add "listen 443 quic reuseport;" and "add_header Alt-Svc 'h3=":443"; ma=86400'". Caddy: HTTP/3 is enabled by default. Cloudflare: Enable under Speed → Protocol Optimization. Also add an HTTPS DNS record: example.com IN HTTPS 1 . alpn="h3,h2" Ensure UDP port 443 is open in your firewall (QUIC uses UDP, not TCP).

Impact: Faster page loads (0-RTT), better mobile performance, and connection migration between networks

About this report

IntoDNS.AI evaluates knab.nl against DNS hygiene, email authentication, and transport-security best practices, scoring each check and rolling them up into an overall grade. Results reflect public DNS as observed on June 10, 2026 and may differ from a live scan if the domain has since changed its configuration.

Want to check your own domain? Scan any domain on the homepage.

Last analyzed: June 10, 2026 · Google Public DNS