DNS & Email Security Report for picnic.app

• A record presentcritical

  4 A record(s) found

• AAAA record presentrecommended

  No AAAA records

• MX records presentrecommended

  No MX records

• NS records presentcritical

  4 NS record(s) found

• SOA record presentcritical

  SOA record found

• Multiple nameserversrecommended

  4 nameservers configured ✓

• SOA serial formatinfo

  Serial 1 (valid, managed DNS format)

• SOA timers validinfo

  Refresh: 7200s ✓, Retry: 900s ✓, Expire: 1209600s ✓

• No lame nameserversinfo

  4 NS all responding ✓

• Glue records presentinfo

  No glue needed

• WWW record configuredinfo

  CNAME record matches apex

• MX servers have PTR recordsinfo

  No MX records to check

• MX servers have FCrDNSinfo

  No MX IPs to check

• DNSSEC signedrecommended

  DNSSEC not configured. Enable DNSSEC at your domain registrar to protect against DNS spoofing

• DNSSEC validation OKcritical

  Not applicable (DNSSEC not enabled)

• NSEC3 RFC 9276 compliantrecommended

  Not applicable (domain uses NSEC or is not DNSSEC-signed)

• RRSIG signatures validrecommended

  Not applicable (DNSSEC not enabled)

• Modern DNSSEC algorithmoptional

  Not applicable (DNSSEC not enabled)

• DS digest algorithm modernrecommended

  Not applicable (no DS records or DNSSEC not enabled)

• DNSKEY algorithm secureoptional

  Not applicable (DNSSEC not enabled)

• RRSIG TTL saferecommended

  Not applicable (DNSSEC not enabled or no RRSIG data)

• Chain of trust completecritical

  DNSSEC not enabled

• Website reachable via IPv6recommended

  No IPv6 for website. Add AAAA record pointing to your IPv6 address

• Mail servers reachable via IPv6recommended

  No MX servers found. Add AAAA records for your mail servers

• Nameservers reachable via IPv6recommended

  4/4 NS server(s) with IPv6 ✓

• SPF record presentcritical

  No SPF record. Add TXT record: "v=spf1 ... -all"

• SPF syntax validcritical

  SPF syntax errors. Check record for typos or invalid mechanisms

• SPF policy strict (-all)recommended

  SPF uses ~all or ?all. Change to -all for strict enforcement

• DKIM foundrecommended

  No DKIM found. Configure DKIM signing with your email provider

• DMARC record presentrecommended

  No DMARC record. Add TXT at _dmarc: "v=DMARC1; p=quarantine; ..."

• DMARC policy quarantine or betterrecommended

  DMARC policy: none. Set p=quarantine or p=reject

• DMARC policy rejectoptional

  DMARC policy: none. Set p=reject for maximum protection

• BIMI record presentoptional

  No BIMI record. Add TXT at default._bimi with logo URL (requires DMARC p=quarantine+)

• BIMI configuration validoptional

  No BIMI configured

• MTA-STS record presentoptional

  No MTA-STS. Add TXT at _mta-sts and host policy at /.well-known/mta-sts.txt

• MTA-STS policy enforcedoptional

  MTA-STS not configured

• MX records validcritical

  No valid MX records. Add MX record pointing to mail server

• MX domains use DNSSECrecommended

  No MX domains to check

• MX DNSSEC validation OKrecommended

  No MX domains to check

• Mail servers not blacklistedcritical

  No MX records — this domain does not receive email, so there is nothing to blacklist-check.

• No critical blacklist listingscritical

  No blacklist listings ✓

• CAA records presentrecommended

  No CAA records. Add CAA record to specify allowed certificate authorities

• CAA policy strictoptional

  CAA not strict. Add CAA 0 issue "letsencrypt.org" (or your CA) to restrict issuance

• TLSA records (DANE)optional

  No TLSA/DANE records. Add TLSA at _25._tcp.mail for DANE email encryption

• DANE configuration validoptional

  No DANE configured

• No sensitive info in TXTcritical

  No sensitive data leaked ✓

• Verification records reviewedinfo

  2 verification record(s): Facebook/Meta, Google. Consider if all are still needed

• HTTPS availablecritical

  HTTPS working (status 403) ✓

• Valid certificatecritical

  Certificate chain is valid and trusted ✓

• HTTP redirects to HTTPScritical

  HTTP automatically redirects to HTTPS ✓

• HSTS enabledrecommended

  No HSTS header. Add Strict-Transport-Security header with max-age of at least 31536000 (1 year)

• HSTS max-age >= 1 yearoptional

  HSTS not enabled

• X-Frame-Options headerrecommended

  No X-Frame-Options header. Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking

• X-Content-Type-Options headerrecommended

  No X-Content-Type-Options header. Add X-Content-Type-Options: nosniff to prevent MIME sniffing

• Content-Security-Policy headerrecommended

  No Content-Security-Policy header. Add CSP to prevent XSS and other injection attacks

• Referrer-Policy headerrecommended

  No Referrer-Policy header. Add Referrer-Policy: strict-origin-when-cross-origin

• security.txt presentoptional

  No security.txt. Create /.well-known/security.txt with Contact and Expires fields (RFC 9116)

• security.txt validoptional

  No security.txt configured

• HTTP/3 (QUIC) supportedoptional

  No HTTP/3 support detected No h3 in Alt-Svc header No HTTPS DNS record (type 65) QUIC probe inconclusive (Inconclusive - no QUIC reply (trigger may be dropped or UDP/443 filtered)) — not a negative signal

• QUIC UDP reachableinfo

  QUIC probe inconclusive (no reply — trigger may be dropped or UDP/443 filtered). Not a negative signal; h3 is judged from Alt-Svc / HTTPS record

• HTTPS DNS record (SVCB)optional

  No HTTPS DNS record (type 65). Add HTTPS record for faster HTTP/3 discovery: picnic.app IN HTTPS 1 . alpn="h3,h2"

Implement DNSSEC

Activate DNSSEC with your domain registrar and add the DS records to your parent zone. This protects against DNS spoofing attacks.

Impact: Significantly increases security and prevents DNS manipulation

Add MX records

Configure MX records pointing to your mail servers so you can receive email.

Impact: Enables your domain to receive email

Add SPF record

Create a TXT record with SPF policy, for example: "v=spf1 mx -all" to only allow your own mail servers.

Impact: Prevents spammers from sending email on behalf of your domain

Configure DMARC

Add a DMARC record to _dmarc.yourdomain.com, for example: "v=DMARC1; p=quarantine; rua=mailto:[email protected]"

Impact: Protects against phishing and provides insight into email abuse

Implement DKIM

Configure DKIM signing with your email provider and publish the DKIM public key in DNS.

Impact: Improves email deliverability and prevents spoofing

Add IPv6 support

Request AAAA records from your hosting provider for your website. IPv6 is becoming increasingly important.

Impact: Makes your website accessible to IPv6-only networks

Add CAA records

Define which Certificate Authorities may issue SSL certificates, for example: "0 issue letsencrypt.org"

Impact: Prevents unauthorized certificate issuance

IPv6 for mail servers

Add AAAA records for your MX servers to support email via IPv6.

Impact: Improves email reachability for IPv6 networks

Enable HTTP/3 (QUIC)

Enable HTTP/3 for faster page loads and improved connection resilience. Nginx: add "listen 443 quic reuseport;" and "add_header Alt-Svc 'h3=":443"; ma=86400'". Caddy: HTTP/3 is enabled by default. Cloudflare: Enable under Speed → Protocol Optimization. Also add an HTTPS DNS record: example.com IN HTTPS 1 . alpn="h3,h2" Ensure UDP port 443 is open in your firewall (QUIC uses UDP, not TCP).

Impact: Faster page loads (0-RTT), better mobile performance, and connection migration between networks