DNS & Email Security Report for salesforce.com

An automated analysis of salesforce.com's DNS configuration, email authentication (SPF, DKIM, DMARC), DNSSEC chain, IPv6 readiness, and transport security. Last analyzed June 10, 2026.

D68/100

Poor

Weak security, action needed

Overall security score: 68/100 · Grade D (Poor)

This report is a cached snapshot

DNS changes frequently. Run a fresh, interactive scan of salesforce.com for live records, propagation, and deep checks.

Run a fresh live scan

Detailed check results

DNS

73%warning

A record presentcritical
8 A record(s) found
AAAA record presentrecommended
No AAAA records
MX records presentrecommended
2 MX record(s) found
NS records presentcritical
6 NS record(s) found
SOA record presentcritical
SOA record found
Multiple nameserversrecommended
6 nameservers configured ✓
SOA serial formatinfo
Serial 2016679614 (YYYYMMDDnn format)
SOA timers validinfo
Refresh: 600s ✗, Retry: 900s ✓, Expire: 2592000s ✗. Refresh should be 1200-43200s (20min-12h). Expire should be 604800-2419200s (1-4 weeks)
No lame nameserversinfo
6 NS all responding ✓
Glue records presentinfo
8 glue record(s)
WWW record configuredinfo
CNAME: www.salesforce.com.edgekey.net
MX servers have PTR recordsinfo
1 MX IPs all have PTR records ✓
MX servers have FCrDNSinfo
1 MX IPs have forward-confirmed reverse DNS ✓

DNSSEC

93%pass

DNSSEC signedrecommended
DNSSEC is enabled ✓
DNSSEC validation OKcritical
DNSSEC validates correctly ✓
NSEC3 RFC 9276 compliantrecommended
NSEC3 not RFC 9276 compliant: salt="7fea7b83" (must be empty). Modern resolvers may reject this zone
RRSIG signatures validrecommended
RRSIG signatures valid, earliest expiry in 38 days ✓
Modern DNSSEC algorithmoptional
ECDSA P-256 (algorithm 13) — modern ✓
DS digest algorithm modernrecommended
DS digest: SHA-256 — modern ✓
DNSKEY algorithm secureoptional
DNSKEY: ECDSA P-256 — modern ✓
RRSIG TTL saferecommended
Record TTLs do not exceed RRSIG validity periods ✓
Chain of trust completecritical
Complete chain: DNSKEY + DS + RRSIG ✓

IPv6

30%fail

Website reachable via IPv6recommended
No IPv6 for website. Add AAAA record pointing to your IPv6 address
Mail servers reachable via IPv6recommended
0/2 MX servers have IPv6. Add AAAA records for your mail servers
Nameservers reachable via IPv6recommended
6/6 NS server(s) with IPv6 ✓

Email security

88%pass

SPF record presentcritical
v=spf1 include:_spf.google.com include:_spf.salesforce.com exists:%{i}._spf.corp.salesforce.com ~all
SPF syntax validcritical
SPF syntax is correct ✓
SPF policy strict (-all)recommended
SPF uses ~all or ?all. Change to -all for strict enforcement
DKIM foundrecommended
DKIM selector: s1 ✓
DMARC record presentrecommended
v=DMARC1;p=reject;fo=1:d:s;pct=100;rua=mailto:[email protected],mailto:[email protected];ruf=mailto:[email protected]
DMARC policy quarantine or betterrecommended
DMARC policy: reject ✓
DMARC policy rejectoptional
DMARC policy: reject ✓
BIMI record presentoptional
BIMI logo: https://www.salesforce.com/content/dam/web/en_us/www/images/home/bimi-salesforce-logo.svg
BIMI configuration validoptional
BIMI correctly configured ✓
MTA-STS record presentoptional
No MTA-STS. Add TXT at _mta-sts and host policy at /.well-known/mta-sts.txt
MTA-STS policy enforcedoptional
MTA-STS not configured
MX records validcritical
2 MX record(s) ✓
MX domains use DNSSECrecommended
1/1 MX domain(s) use DNSSEC ✓
MX DNSSEC validation OKrecommended
MX DNSSEC validates correctly ✓
Mail servers not blacklistedcritical
1 MX server(s) checked against 16 blacklists - clean ✓
No critical blacklist listingscritical
No blacklist listings ✓

Web security

45%fail

CAA records presentrecommended
No CAA records. Add CAA record to specify allowed certificate authorities
CAA policy strictoptional
CAA not strict. Add CAA 0 issue "letsencrypt.org" (or your CA) to restrict issuance
TLSA records (DANE)optional
No TLSA/DANE records. Add TLSA at _25._tcp.mail for DANE email encryption
DANE configuration validoptional
No DANE configured
No sensitive info in TXTcritical
No sensitive data leaked ✓
Verification records reviewedinfo
5 verification record(s): Google, Stripe, Zoom, Docker, Atlassian. Consider if all are still needed
HTTPS availablecritical
HTTPS working (status 403) ✓
Valid certificatecritical
Certificate chain is valid and trusted ✓
HTTP redirects to HTTPScritical
HTTP automatically redirects to HTTPS ✓
HSTS enabledrecommended
HSTS enabled (max-age=86400) ✓
HSTS max-age >= 1 yearoptional
max-age=86400 is too short. Set to 31536000 (1 year) or higher
X-Frame-Options headerrecommended
No X-Frame-Options header. Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
X-Content-Type-Options headerrecommended
No X-Content-Type-Options header. Add X-Content-Type-Options: nosniff to prevent MIME sniffing
Content-Security-Policy headerrecommended
No Content-Security-Policy header. Add CSP to prevent XSS and other injection attacks
Referrer-Policy headerrecommended
No Referrer-Policy header. Add Referrer-Policy: strict-origin-when-cross-origin
security.txt presentoptional
No security.txt. Create /.well-known/security.txt with Contact and Expires fields (RFC 9116)
security.txt validoptional
No security.txt configured
HTTP/3 (QUIC) supportedoptional
No HTTP/3 support detected No h3 in Alt-Svc header No HTTPS DNS record (type 65) QUIC probe inconclusive (Inconclusive - no QUIC reply (trigger may be dropped or UDP/443 filtered)) — not a negative signal
QUIC UDP reachableinfo
QUIC probe inconclusive (no reply — trigger may be dropped or UDP/443 filtered). Not a negative signal; h3 is judged from Alt-Svc / HTTPS record
HTTPS DNS record (SVCB)optional
No HTTPS DNS record (type 65). Add HTTPS record for faster HTTP/3 discovery: salesforce.com IN HTTPS 1 . alpn="h3,h2"

Issues found (5)

NSEC3 parameters not RFC 9276 compliant

NSEC3 iterations must be 0 and salt must be empty per RFC 9276. Modern resolvers (Unbound 1.19+, BIND 9.19+) may treat your zone as insecure

Learn more

No IPv6 (AAAA) records

Your domain is not reachable via IPv6. IPv6 is becoming increasingly important

Learn more

Mail servers have no IPv6

Your mail servers are not reachable via IPv6

Learn more

No CAA records

CAA records determine which Certificate Authorities may issue SSL certificates

Learn more

No HTTP/3 (QUIC) support

HTTP/3 uses QUIC for faster, more resilient connections. Enable it on your web server and open UDP/443 in your firewall

Learn more

Recommendations (4)

Add IPv6 support

Request AAAA records from your hosting provider for your website. IPv6 is becoming increasingly important.

Impact: Makes your website accessible to IPv6-only networks

Add CAA records

Define which Certificate Authorities may issue SSL certificates, for example: "0 issue letsencrypt.org"

Impact: Prevents unauthorized certificate issuance

IPv6 for mail servers

Add AAAA records for your MX servers to support email via IPv6.

Impact: Improves email reachability for IPv6 networks

Enable HTTP/3 (QUIC)

Enable HTTP/3 for faster page loads and improved connection resilience. Nginx: add "listen 443 quic reuseport;" and "add_header Alt-Svc 'h3=":443"; ma=86400'". Caddy: HTTP/3 is enabled by default. Cloudflare: Enable under Speed → Protocol Optimization. Also add an HTTPS DNS record: example.com IN HTTPS 1 . alpn="h3,h2" Ensure UDP port 443 is open in your firewall (QUIC uses UDP, not TCP).

Impact: Faster page loads (0-RTT), better mobile performance, and connection migration between networks

About this report

IntoDNS.AI evaluates salesforce.com against DNS hygiene, email authentication, and transport-security best practices, scoring each check and rolling them up into an overall grade. Results reflect public DNS as observed on June 10, 2026 and may differ from a live scan if the domain has since changed its configuration.

Setup guides

Free tools

Want to check your own domain? Scan any domain on the homepage.

Last analyzed: June 10, 2026 · Google Public DNS