DNS & Email Security Report for rijksoverheid.nl

An automated analysis of rijksoverheid.nl's DNS configuration, email authentication (SPF, DKIM, DMARC), DNSSEC chain, IPv6 readiness, and transport security. Last analyzed June 10, 2026.

A90/100

Very Good

Strong security posture

Overall security score: 90/100 · Grade A (Very Good)

This report is a cached snapshot

DNS changes frequently. Run a fresh, interactive scan of rijksoverheid.nl for live records, propagation, and deep checks.

Run a fresh live scan

Detailed check results

DNS

100%pass

A record presentcritical
4 A record(s) found
AAAA record presentrecommended
4 AAAA record(s) found
MX records presentrecommended
2 MX record(s) found
NS records presentcritical
4 NS record(s) found
SOA record presentcritical
SOA record found
Multiple nameserversrecommended
4 nameservers configured ✓
SOA serial formatinfo
Serial 2026060401 (YYYYMMDDnn format)
SOA timers validinfo
Refresh: 14400s ✓, Retry: 7200s ✓, Expire: 1209600s ✓
No lame nameserversinfo
4 NS all responding ✓
Glue records presentinfo
No glue needed
WWW record configuredinfo
A: 2.16.6.25
MX servers have PTR recordsinfo
4 MX IPs all have PTR records ✓
MX servers have FCrDNSinfo
4 MX IPs have forward-confirmed reverse DNS ✓

DNSSEC

100%pass

DNSSEC signedrecommended
DNSSEC is enabled ✓
DNSSEC validation OKcritical
DNSSEC validates correctly ✓
NSEC3 RFC 9276 compliantrecommended
NSEC3 iterations=0, salt=empty — RFC 9276 compliant ✓
RRSIG signatures validrecommended
RRSIG signature expires in 7 days — renewal needed
Modern DNSSEC algorithmoptional
ECDSA P-256 (algorithm 13) — modern ✓
DS digest algorithm modernrecommended
DS digest: SHA-256 — modern ✓
DNSKEY algorithm secureoptional
DNSKEY: ECDSA P-256 — modern ✓
RRSIG TTL saferecommended
Record TTLs do not exceed RRSIG validity periods ✓
Chain of trust completecritical
Complete chain: DNSKEY + DS + RRSIG ✓

IPv6

100%pass

Website reachable via IPv6recommended
4 AAAA record(s) ✓
Mail servers reachable via IPv6recommended
2/2 MX server(s) with IPv6 ✓
Nameservers reachable via IPv6recommended
4/4 NS server(s) with IPv6 ✓

Email security

83%pass

SPF record presentcritical
v=spf1 redirect=spf-a.ssonet.nl
SPF syntax validcritical
SPF syntax is correct ✓
SPF policy strict (-all)recommended
SPF uses ~all or ?all. Change to -all for strict enforcement
DKIM foundrecommended
DKIM selector: selector1 ✓
DMARC record presentrecommended
v=DMARC1; p=reject; adkim=r; aspf=r; pct=100; fo=1; rf=afrf; ri=86400; ruf=mailto:[email protected]!10m; rua=mailto:[email protected]!2m
DMARC policy quarantine or betterrecommended
DMARC policy: reject ✓
DMARC policy rejectoptional
DMARC policy: reject ✓
BIMI record presentoptional
No BIMI record. Add TXT at default._bimi with logo URL (requires DMARC p=quarantine+)
BIMI configuration validoptional
No BIMI configured
MTA-STS record presentoptional
No MTA-STS. Add TXT at _mta-sts and host policy at /.well-known/mta-sts.txt
MTA-STS policy enforcedoptional
MTA-STS not configured
MX records validcritical
2 MX record(s) ✓
MX domains use DNSSECrecommended
1/1 MX domain(s) use DNSSEC ✓
MX DNSSEC validation OKrecommended
MX DNSSEC validates correctly ✓
Mail servers not blacklistedcritical
1 MX server(s) checked against 16 blacklists - clean ✓
No critical blacklist listingscritical
No blacklist listings ✓

Web security

74%warning

CAA records presentrecommended
4 CAA record(s) ✓
CAA policy strictoptional
CAA limits certificate authorities ✓
TLSA records (DANE)optional
4 DANE record(s) - configured according to best practices
DANE configuration validoptional
DANE records meet best practices ✓
No sensitive info in TXTcritical
No sensitive data leaked ✓
Verification records reviewedinfo
1 verification record(s): Microsoft 365. Consider if all are still needed
HTTPS availablecritical
HTTPS working (status 403) ✓
Valid certificatecritical
Certificate chain is valid and trusted ✓
HTTP redirects to HTTPScritical
HTTP automatically redirects to HTTPS ✓
HSTS enabledrecommended
HSTS enabled (max-age=31536000, includeSubDomains) ✓
HSTS max-age >= 1 yearoptional
max-age=31536000 (≥1 year) ✓
X-Frame-Options headerrecommended
No X-Frame-Options header. Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
X-Content-Type-Options headerrecommended
No X-Content-Type-Options header. Add X-Content-Type-Options: nosniff to prevent MIME sniffing
Content-Security-Policy headerrecommended
No Content-Security-Policy header. Add CSP to prevent XSS and other injection attacks
Referrer-Policy headerrecommended
No Referrer-Policy header. Add Referrer-Policy: strict-origin-when-cross-origin
security.txt presentoptional
No security.txt. Create /.well-known/security.txt with Contact and Expires fields (RFC 9116)
security.txt validoptional
No security.txt configured
HTTP/3 (QUIC) supportedoptional
HTTP/3 (QUIC v1) on port 443 Detection methods: QUIC probe: inconclusive (no reply — trigger may be dropped or UDP/443 filtered) Alt-Svc header: h3=":443" Cache: 26h (ma=93600)
QUIC UDP reachableinfo
QUIC probe inconclusive (no reply — trigger may be dropped or UDP/443 filtered). Not a negative signal; h3 is judged from Alt-Svc / HTTPS record
HTTPS DNS record (SVCB)optional
No HTTPS DNS record (type 65). Add HTTPS record for faster HTTP/3 discovery: rijksoverheid.nl IN HTTPS 1 . alpn="h3,h2"

About this report

IntoDNS.AI evaluates rijksoverheid.nl against DNS hygiene, email authentication, and transport-security best practices, scoring each check and rolling them up into an overall grade. Results reflect public DNS as observed on June 10, 2026 and may differ from a live scan if the domain has since changed its configuration.

Setup guides

Free tools

Want to check your own domain? Scan any domain on the homepage.

Last analyzed: June 10, 2026 · Google Public DNS