DNS & Email Security Report for notion.so

• A record presentcritical

  2 A record(s) found

• AAAA record presentrecommended

  2 AAAA record(s) found

• MX records presentrecommended

  No MX records

• NS records presentcritical

  2 NS record(s) found

• SOA record presentcritical

  SOA record found

• Multiple nameserversrecommended

  2 nameservers configured ✓

• SOA serial formatinfo

  Serial 2405399598 (valid, managed DNS format)

• SOA timers validinfo

  Refresh: 10000s ✓, Retry: 2400s ✓, Expire: 604800s ✓

• No lame nameserversinfo

  2 NS all responding ✓

• Glue records presentinfo

  No glue needed

• WWW record configuredinfo

  A record matches apex

• MX servers have PTR recordsinfo

  No MX records to check

• MX servers have FCrDNSinfo

  No MX IPs to check

• DNSSEC not available for this TLDinfo

  Not applicable: .SO TLD does not support DNSSEC at the registry level

• Website reachable via IPv6recommended

  2 AAAA record(s) ✓

• Mail servers reachable via IPv6recommended

  No MX servers found. Add AAAA records for your mail servers

• Nameservers reachable via IPv6recommended

  2/2 NS server(s) with IPv6 ✓

• SPF record presentcritical

  v=spf1 ~all

• SPF syntax validcritical

  SPF syntax is correct ✓

• SPF policy strict (-all)recommended

  SPF uses ~all or ?all. Change to -all for strict enforcement

• DKIM foundrecommended

  No DKIM found. Configure DKIM signing with your email provider

• DMARC record presentrecommended

  v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected];

• DMARC policy quarantine or betterrecommended

  DMARC policy: quarantine ✓

• DMARC policy rejectoptional

  DMARC policy: quarantine. Set p=reject for maximum protection

• BIMI record presentoptional

  BIMI logo: https://vmc.digicert.com/ae66f82a-dd47-4f08-9fd9-fd865f1d0b30.svg

• BIMI configuration validoptional

  BIMI correctly configured ✓

• MTA-STS record presentoptional

  No MTA-STS. Add TXT at _mta-sts and host policy at /.well-known/mta-sts.txt

• MTA-STS policy enforcedoptional

  MTA-STS not configured

• MX records validcritical

  No valid MX records. Add MX record pointing to mail server

• MX domains use DNSSECrecommended

  No MX domains to check

• MX DNSSEC validation OKrecommended

  No MX domains to check

• Mail servers not blacklistedcritical

  No MX records — this domain does not receive email, so there is nothing to blacklist-check.

• No critical blacklist listingscritical

  No blacklist listings ✓

• CAA records presentrecommended

  No CAA records. Add CAA record to specify allowed certificate authorities

• CAA policy strictoptional

  CAA not strict. Add CAA 0 issue "letsencrypt.org" (or your CA) to restrict issuance

• TLSA records (DANE)info

  Not applicable: .SO TLD does not support DNSSEC, which is required for DANE

• DANE configuration validinfo

  Not applicable: .SO TLD does not support DNSSEC, which is required for DANE

• No sensitive info in TXTcritical

  No sensitive data leaked ✓

• Verification records reviewedinfo

  2 verification record(s): Facebook/Meta, Google. Consider if all are still needed

• HTTPS availablecritical

  HTTPS working (status 200) ✓

• Valid certificatecritical

  Certificate chain is valid and trusted ✓

• HTTP redirects to HTTPScritical

  HTTP automatically redirects to HTTPS ✓

• HSTS enabledrecommended

  HSTS enabled (max-age=31536000, includeSubDomains, preload) ✓

• HSTS max-age >= 1 yearoptional

  max-age=31536000 (≥1 year) ✓

• X-Frame-Options headerrecommended

  No X-Frame-Options header. Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking

• X-Content-Type-Options headerrecommended

  No X-Content-Type-Options header. Add X-Content-Type-Options: nosniff to prevent MIME sniffing

• Content-Security-Policy headerrecommended

  Content-Security-Policy configured ✓

• Referrer-Policy headerrecommended

  Referrer-Policy: strict-origin-when-cross-origin ✓

• security.txt presentoptional

  Contact: https://www.notion.so/Responsible-Disclosure-Policy-5f18bb6b86804eaf989c006131778b9c

• security.txt validoptional

  security.txt has required Contact and Expires fields ✓

• HTTP/3 (QUIC) supportedoptional

  HTTP/3 (QUIC v1) on port 443 Detection methods: QUIC probe: QUIC v1 (RFC 9000) (7ms) Alt-Svc header: h3=":443" Cache: 24h (ma=86400) HTTPS DNS record: alpn="h3, h2"

• QUIC UDP reachableoptional

  QUIC reachable on UDP/443 (7ms) — QUIC v1 (RFC 9000) ✓

• HTTPS DNS record (SVCB)optional

  HTTPS record advertises h3, h2 ✓

Add MX records

Configure MX records pointing to your mail servers so you can receive email.

Impact: Enables your domain to receive email

Implement DKIM

Configure DKIM signing with your email provider and publish the DKIM public key in DNS.

Impact: Improves email deliverability and prevents spoofing

Add CAA records

Define which Certificate Authorities may issue SSL certificates, for example: "0 issue letsencrypt.org"

Impact: Prevents unauthorized certificate issuance

IPv6 for mail servers

Add AAAA records for your MX servers to support email via IPv6.

Impact: Improves email reachability for IPv6 networks