DNS & Email Security Report for microsoft.com
An automated analysis of microsoft.com's DNS configuration, email authentication (SPF, DKIM, DMARC), DNSSEC chain, IPv6 readiness, and transport security. Last analyzed June 10, 2026.
Adequate security, improvements recommended
Overall security score: 78/100 · Grade C (Average)
This report is a cached snapshot
DNS changes frequently. Run a fresh, interactive scan of microsoft.com for live records, propagation, and deep checks.
Detailed check results
DNS
- A record presentcritical
1 A record(s) found
- AAAA record presentrecommended
1 AAAA record(s) found
- MX records presentrecommended
1 MX record(s) found
- NS records presentcritical
4 NS record(s) found
- SOA record presentcritical
SOA record found
- Multiple nameserversrecommended
4 nameservers configured ✓
- SOA serial formatinfo
Serial 1 (valid, managed DNS format)
- SOA timers validinfo
Refresh: 3600s ✓, Retry: 300s ✓, Expire: 2419200s ✓
- No lame nameserversinfo
4 NS all responding ✓
- Glue records presentinfo
No glue needed
- WWW record configuredinfo
CNAME: www.microsoft.com-c-3.edgekey.net
- MX servers have PTR recordsinfo
8 MX IPs all have PTR records ✓
- MX servers have FCrDNSinfo
8 MX IPs have forward-confirmed reverse DNS ✓
DNSSEC
- DNSSEC signedrecommended
DNSSEC not configured. Enable DNSSEC at your domain registrar to protect against DNS spoofing
- DNSSEC validation OKcritical
Not applicable (DNSSEC not enabled)
- NSEC3 RFC 9276 compliantrecommended
Not applicable (domain uses NSEC or is not DNSSEC-signed)
- RRSIG signatures validrecommended
Not applicable (DNSSEC not enabled)
- Modern DNSSEC algorithmoptional
Not applicable (DNSSEC not enabled)
- DS digest algorithm modernrecommended
Not applicable (no DS records or DNSSEC not enabled)
- DNSKEY algorithm secureoptional
Not applicable (DNSSEC not enabled)
- RRSIG TTL saferecommended
Not applicable (DNSSEC not enabled or no RRSIG data)
- Chain of trust completecritical
DNSSEC not enabled
IPv6
- Website reachable via IPv6recommended
1 AAAA record(s) ✓
- Mail servers reachable via IPv6recommended
1/1 MX server(s) with IPv6 ✓
- Nameservers reachable via IPv6recommended
4/4 NS server(s) with IPv6 ✓
Email security
- SPF record presentcritical
v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.msft.net include:_spf1-meo.microsoft.com -all
- SPF syntax validcritical
SPF syntax is correct ✓
- SPF policy strict (-all)recommended
SPF uses -all (hard fail) ✓
- DKIM foundrecommended
DKIM selector: selector2 ✓
- DMARC record presentrecommended
v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
- DMARC policy quarantine or betterrecommended
DMARC policy: reject ✓
- DMARC policy rejectoptional
DMARC policy: reject ✓
- BIMI record presentoptional
No BIMI record. Add TXT at default._bimi with logo URL (requires DMARC p=quarantine+)
- BIMI configuration validoptional
No BIMI configured
- MTA-STS record presentoptional
MTA-STS configured ✓
- MTA-STS policy enforcedoptional
MTA-STS mode: enforce ✓
- MX records validcritical
1 MX record(s) ✓
- MX domains use DNSSECrecommended
1/1 MX domain(s) use DNSSEC ✓
- MX DNSSEC validation OKrecommended
MX DNSSEC validates correctly ✓
- Mail servers not blacklistedcritical
1 MX server(s) checked against 16 blacklists - clean ✓
- No critical blacklist listingscritical
No blacklist listings ✓
Web security
- CAA records presentrecommended
1 CAA record(s) ✓
- CAA policy strictoptional
CAA not strict. Add CAA 0 issue "letsencrypt.org" (or your CA) to restrict issuance
- TLSA records (DANE)optional
No TLSA/DANE records. Add TLSA at _25._tcp.mail for DANE email encryption
- DANE configuration validoptional
No DANE configured
- No sensitive info in TXTcritical
No sensitive data leaked ✓
- Verification records reviewedinfo
7 verification records found (Atlassian, Zoom, Workplace, DocuSign, Google...). Review these - they reveal your tech stack to attackers. Remove unused service verifications
- HTTPS availablecritical
HTTPS working (status 403) ✓
- Valid certificatecritical
Certificate chain is valid and trusted ✓
- HTTP redirects to HTTPScritical
HTTP automatically redirects to HTTPS ✓
- HSTS enabledrecommended
HSTS enabled (max-age=31536000, includeSubDomains) ✓
- HSTS max-age >= 1 yearoptional
max-age=31536000 (≥1 year) ✓
- X-Frame-Options headerrecommended
No X-Frame-Options header. Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
- X-Content-Type-Options headerrecommended
No X-Content-Type-Options header. Add X-Content-Type-Options: nosniff to prevent MIME sniffing
- Content-Security-Policy headerrecommended
No Content-Security-Policy header. Add CSP to prevent XSS and other injection attacks
- Referrer-Policy headerrecommended
No Referrer-Policy header. Add Referrer-Policy: strict-origin-when-cross-origin
- security.txt presentoptional
No security.txt. Create /.well-known/security.txt with Contact and Expires fields (RFC 9116)
- security.txt validoptional
No security.txt configured
- HTTP/3 (QUIC) supportedoptional
No HTTP/3 support detected No h3 in Alt-Svc header No HTTPS DNS record (type 65) QUIC probe inconclusive (Inconclusive - no QUIC reply (trigger may be dropped or UDP/443 filtered)) — not a negative signal
- QUIC UDP reachableinfo
QUIC probe inconclusive (no reply — trigger may be dropped or UDP/443 filtered). Not a negative signal; h3 is judged from Alt-Svc / HTTPS record
- HTTPS DNS record (SVCB)optional
No HTTPS DNS record (type 65). Add HTTPS record for faster HTTP/3 discovery: microsoft.com IN HTTPS 1 . alpn="h3,h2"
Issues found (3)
Excessive verification TXT records
Your domain has many third-party verification records. These reveal your tech stack to potential attackers (reconnaissance). Review and remove unused verifications
Learn moreNo HTTP/3 (QUIC) support
HTTP/3 uses QUIC for faster, more resilient connections. Enable it on your web server and open UDP/443 in your firewall
Learn moreRecommendations (3)
Implement DNSSEC
Activate DNSSEC with your domain registrar and add the DS records to your parent zone. This protects against DNS spoofing attacks.
Impact: Significantly increases security and prevents DNS manipulation
Review verification TXT records
Your domain has many third-party verification records that reveal your tech stack (Google, Microsoft, Atlassian, etc.). Review each one: 1) Remove records for services no longer used 2) Consider if each service really needs domain verification 3) Use a subdomain for less critical services. This is an information disclosure issue - attackers can map your SaaS footprint.
Impact: Reduces reconnaissance surface and limits attacker knowledge of your infrastructure
Enable HTTP/3 (QUIC)
Enable HTTP/3 for faster page loads and improved connection resilience. Nginx: add "listen 443 quic reuseport;" and "add_header Alt-Svc 'h3=":443"; ma=86400'". Caddy: HTTP/3 is enabled by default. Cloudflare: Enable under Speed → Protocol Optimization. Also add an HTTPS DNS record: example.com IN HTTPS 1 . alpn="h3,h2" Ensure UDP port 443 is open in your firewall (QUIC uses UDP, not TCP).
Impact: Faster page loads (0-RTT), better mobile performance, and connection migration between networks
About this report
IntoDNS.AI evaluates microsoft.com against DNS hygiene, email authentication, and transport-security best practices, scoring each check and rolling them up into an overall grade. Results reflect public DNS as observed on June 10, 2026 and may differ from a live scan if the domain has since changed its configuration.
Want to check your own domain? Scan any domain on the homepage.
Last analyzed: June 10, 2026 · Google Public DNS