DNS & Email Security Report for politie.nl

An automated analysis of politie.nl's DNS configuration, email authentication (SPF, DKIM, DMARC), DNSSEC chain, IPv6 readiness, and transport security. Last analyzed June 10, 2026.

B89/100
Good

Good security, minor improvements possible

Overall security score: 89/100 · Grade B (Good)

This report is a cached snapshot

DNS changes frequently. Run a fresh, interactive scan of politie.nl for live records, propagation, and deep checks.

Run a fresh live scan

Detailed check results

DNS

100%pass
  • A record presentcritical

    1 A record(s) found

  • AAAA record presentrecommended

    1 AAAA record(s) found

  • MX records presentrecommended

    2 MX record(s) found

  • NS records presentcritical

    8 NS record(s) found

  • SOA record presentcritical

    SOA record found

  • Multiple nameserversrecommended

    8 nameservers configured ✓

  • SOA serial formatinfo

    Serial 2016200229 (YYYYMMDDnn format)

  • SOA timers validinfo

    Refresh: 7200s ✓, Retry: 720s ✓, Expire: 1209600s ✓

  • No lame nameserversinfo

    8 NS all responding ✓

  • Glue records presentinfo

    No glue needed

  • WWW record configuredinfo

    CNAME: politie.cdn.wah.ext.politie

  • MX servers have PTR recordsinfo

    4 MX IPs all have PTR records ✓

  • MX servers have FCrDNSinfo

    4 MX IPs have forward-confirmed reverse DNS ✓

DNSSEC

93%pass
  • DNSSEC signedrecommended

    DNSSEC is enabled ✓

  • DNSSEC validation OKcritical

    DNSSEC validates correctly ✓

  • NSEC3 RFC 9276 compliantrecommended

    NSEC3 not RFC 9276 compliant: iterations=10 (must be 0), salt="c4" (must be empty). Modern resolvers may reject this zone

  • RRSIG signatures validrecommended

    RRSIG signature expires in 7 days — renewal needed

  • Modern DNSSEC algorithmoptional

    ECDSA P-256 (algorithm 13) — modern ✓

  • DS digest algorithm modernrecommended

    DS digest: SHA-256 — modern ✓

  • DNSKEY algorithm secureoptional

    DNSKEY: ECDSA P-256 — modern ✓

  • RRSIG TTL saferecommended

    Record TTLs do not exceed RRSIG validity periods ✓

  • Chain of trust completecritical

    Complete chain: DNSKEY + DS + RRSIG ✓

IPv6

100%pass
  • Website reachable via IPv6recommended

    1 AAAA record(s) ✓

  • Mail servers reachable via IPv6recommended

    2/2 MX server(s) with IPv6 ✓

  • Nameservers reachable via IPv6recommended

    8/8 NS server(s) with IPv6 ✓

Email security

73%warning
  • SPF record presentcritical

    v=spf1 mx ip4:145.119.241.20 include:spf.protection.outlook.com -all

  • SPF syntax validcritical

    SPF syntax is correct ✓

  • SPF policy strict (-all)recommended

    SPF uses -all (hard fail) ✓

  • DKIM foundrecommended

    No DKIM found. Configure DKIM signing with your email provider

  • DMARC record presentrecommended

    v=DMARC1;p=quarantine;sp=reject;ruf=mailto:[email protected];

  • DMARC policy quarantine or betterrecommended

    DMARC policy: quarantine ✓

  • DMARC policy rejectoptional

    DMARC policy: quarantine. Set p=reject for maximum protection

  • BIMI record presentoptional

    BIMI logo: https://fts.politie.nl/logo/895056f2-bc4d-4837-8323-99f36bac0b71.svg

  • BIMI configuration validoptional

    BIMI correctly configured ✓

  • MTA-STS record presentoptional

    No MTA-STS. Add TXT at _mta-sts and host policy at /.well-known/mta-sts.txt

  • MTA-STS policy enforcedoptional

    MTA-STS not configured

  • MX records validcritical

    2 MX record(s) ✓

  • MX domains use DNSSECrecommended

    1/1 MX domain(s) use DNSSEC ✓

  • MX DNSSEC validation OKrecommended

    MX DNSSEC validates correctly ✓

  • Mail servers not blacklistedcritical

    1 MX server(s) checked against 16 blacklists - clean ✓

  • No critical blacklist listingscritical

    No blacklist listings ✓

Web security

89%pass
  • CAA records presentrecommended

    7 CAA record(s) ✓

  • CAA policy strictoptional

    CAA limits certificate authorities ✓

  • TLSA records (DANE)optional

    4 DANE record(s) - configured according to best practices

  • DANE configuration validoptional

    DANE records meet best practices ✓

  • No sensitive info in TXTcritical

    No sensitive data leaked ✓

  • Verification records reviewedinfo

    5 verification record(s): Adobe IDP, Microsoft 365, Apple, Facebook/Meta, Google. Consider if all are still needed

  • HTTPS availablecritical

    HTTPS working (status 403) ✓

  • Valid certificatecritical

    Certificate chain is valid and trusted ✓

  • HTTP redirects to HTTPScritical

    HTTP automatically redirects to HTTPS ✓

  • HSTS enabledrecommended

    HSTS enabled (max-age=31536000, includeSubDomains) ✓

  • HSTS max-age >= 1 yearoptional

    max-age=31536000 (≥1 year) ✓

  • X-Frame-Options headerrecommended

    No X-Frame-Options header. Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking

  • X-Content-Type-Options headerrecommended

    X-Content-Type-Options: nosniff ✓

  • Content-Security-Policy headerrecommended

    Content-Security-Policy configured ✓

  • Referrer-Policy headerrecommended

    Referrer-Policy: same-origin ✓

  • security.txt presentoptional

    No security.txt. Create /.well-known/security.txt with Contact and Expires fields (RFC 9116)

  • security.txt validoptional

    No security.txt configured

  • HTTP/3 (QUIC) supportedoptional

    HTTP/3 (QUIC v1) on port 443 Detection methods: QUIC probe: inconclusive (no reply — trigger may be dropped or UDP/443 filtered) Alt-Svc header: h3=":443" Cache: 26h (ma=93600)

  • QUIC UDP reachableinfo

    QUIC probe inconclusive (no reply — trigger may be dropped or UDP/443 filtered). Not a negative signal; h3 is judged from Alt-Svc / HTTPS record

  • HTTPS DNS record (SVCB)optional

    No HTTPS DNS record (type 65). Add HTTPS record for faster HTTP/3 discovery: politie.nl IN HTTPS 1 . alpn="h3,h2"

Issues found (2)

NSEC3 parameters not RFC 9276 compliant

NSEC3 iterations must be 0 and salt must be empty per RFC 9276. Modern resolvers (Unbound 1.19+, BIND 9.19+) may treat your zone as insecure

Learn more

DKIM not found

DKIM helps verify your outgoing email

Learn more

Recommendations (1)

Implement DKIM

Configure DKIM signing with your email provider and publish the DKIM public key in DNS.

Impact: Improves email deliverability and prevents spoofing

About this report

IntoDNS.AI evaluates politie.nl against DNS hygiene, email authentication, and transport-security best practices, scoring each check and rolling them up into an overall grade. Results reflect public DNS as observed on June 10, 2026 and may differ from a live scan if the domain has since changed its configuration.

Want to check your own domain? Scan any domain on the homepage.

Last analyzed: June 10, 2026 · Google Public DNS