DNS & Email Security Report for shell.com

• A record presentcritical

  1 A record(s) found

• AAAA record presentrecommended

  No AAAA records

• MX records presentrecommended

  1 MX record(s) found

• NS records presentcritical

  4 NS record(s) found

• SOA record presentcritical

  SOA record found

• Multiple nameserversrecommended

  4 nameservers configured ✓

• SOA serial formatinfo

  Serial 2959658 (valid, managed DNS format)

• SOA timers validinfo

  Refresh: 10800s ✓, Retry: 1080s ✓, Expire: 2419200s ✓

• No lame nameserversinfo

  4 NS all responding ✓

• Glue records presentinfo

  3 glue record(s)

• WWW record configuredinfo

  CNAME: www.nic.shell.edgekey.net

• MX servers have PTR recordsinfo

  4 MX IPs all have PTR records ✓

• MX servers have FCrDNSinfo

  4 MX IPs have forward-confirmed reverse DNS ✓

• DNSSEC signedrecommended

  DNSSEC is enabled ✓

• DNSSEC validation OKcritical

  DNSSEC validates correctly ✓

• NSEC3 RFC 9276 compliantrecommended

  NSEC3 not RFC 9276 compliant: iterations=10 (must be 0), salt="db52b3643b884c39d23e" (must be empty). Modern resolvers may reject this zone

• RRSIG signatures validrecommended

  RRSIG signature expires in 3 days — renewal needed

• Modern DNSSEC algorithmoptional

  RSA/SHA-256 (algorithm 8) — acceptable ✓

• DS digest algorithm modernrecommended

  DS digest: SHA-256 — modern ✓

• DNSKEY algorithm secureoptional

  DNSKEY: RSA/SHA-256 — acceptable, consider ECDSA (13) or Ed25519 (15)

• RRSIG TTL saferecommended

  Record TTLs do not exceed RRSIG validity periods ✓

• Chain of trust completecritical

  Complete chain: DNSKEY + DS + RRSIG ✓

• Website reachable via IPv6recommended

  No IPv6 for website. Add AAAA record pointing to your IPv6 address

• Mail servers reachable via IPv6recommended

  0/1 MX servers have IPv6. Add AAAA records for your mail servers

• Nameservers reachable via IPv6recommended

  0/4 NS servers have IPv6. Contact your DNS provider about IPv6 support

• SPF record presentcritical

  v=spf1 exists:_i.%{i}._h.%{h}._o.%{o}._spf.shell.com include:_spf.shell.com include:_spf1.shell.com include:spf.protection.outlook.com include:_spf.salesforce.com -all

• SPF syntax validcritical

  SPF syntax is correct ✓

• SPF policy strict (-all)recommended

  SPF uses -all (hard fail) ✓

• DKIM foundrecommended

  DKIM selector: selector1 ✓

• DMARC record presentrecommended

  v=DMARC1; p=quarantine; sp=reject; fo=1; pct=100; ruf=mailto:[email protected]; rua=mailto:[email protected]

• DMARC policy quarantine or betterrecommended

  DMARC policy: quarantine ✓

• DMARC policy rejectoptional

  DMARC policy: quarantine. Set p=reject for maximum protection

• BIMI record presentoptional

  BIMI logo: https://vmc.digicert.com/7f899f0a-0de4-4ece-b99e-997ae6f3d169.svg

• BIMI configuration validoptional

  BIMI correctly configured ✓

• MTA-STS record presentoptional

  MTA-STS configured ✓

• MTA-STS policy enforcedoptional

  MTA-STS not configured

• MX records validcritical

  1 MX record(s) ✓

• MX domains use DNSSECrecommended

  1/1 MX domain(s) use DNSSEC ✓

• MX DNSSEC validation OKrecommended

  MX DNSSEC validates correctly ✓

• Mail servers not blacklistedcritical

  1 MX server(s) checked against 16 blacklists - clean ✓

• No critical blacklist listingscritical

  No blacklist listings ✓

• CAA records presentrecommended

  9 CAA record(s) ✓

• CAA policy strictoptional

  CAA limits certificate authorities ✓

• TLSA records (DANE)optional

  6 DANE record(s) - configured according to best practices

• DANE configuration validoptional

  DANE records meet best practices ✓

• No sensitive info in TXTcritical

  No sensitive data leaked ✓

• Verification records reviewedinfo

  7 verification records found (Atlassian, Google, MongoDB, Adobe IDP, DocuSign...). Review these - they reveal your tech stack to attackers. Remove unused service verifications

• HTTPS availablecritical

  HTTPS working (status 403) ✓

• Valid certificatecritical

  Certificate chain is valid and trusted ✓

• HTTP redirects to HTTPScritical

  HTTP automatically redirects to HTTPS ✓

• HSTS enabledrecommended

  HSTS enabled (max-age=31536000, preload) ✓

• HSTS max-age >= 1 yearoptional

  max-age=31536000 (≥1 year) ✓

• X-Frame-Options headerrecommended

  No X-Frame-Options header. Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking

• X-Content-Type-Options headerrecommended

  X-Content-Type-Options: nosniff ✓

• Content-Security-Policy headerrecommended

  No Content-Security-Policy header. Add CSP to prevent XSS and other injection attacks

• Referrer-Policy headerrecommended

  No Referrer-Policy header. Add Referrer-Policy: strict-origin-when-cross-origin

• security.txt presentoptional

  No security.txt. Create /.well-known/security.txt with Contact and Expires fields (RFC 9116)

• security.txt validoptional

  No security.txt configured

• HTTP/3 (QUIC) supportedoptional

  HTTP/3 (QUIC v1) on port 443 Detection methods: QUIC probe: inconclusive (no reply — trigger may be dropped or UDP/443 filtered) Alt-Svc header: h3=":443" Cache: 26h (ma=93600)

• QUIC UDP reachableinfo

  QUIC probe inconclusive (no reply — trigger may be dropped or UDP/443 filtered). Not a negative signal; h3 is judged from Alt-Svc / HTTPS record

• HTTPS DNS record (SVCB)optional

  No HTTPS DNS record (type 65). Add HTTPS record for faster HTTP/3 discovery: shell.com IN HTTPS 1 . alpn="h3,h2"

Add IPv6 support

Request AAAA records from your hosting provider for your website. IPv6 is becoming increasingly important.

Impact: Makes your website accessible to IPv6-only networks

IPv6 for mail servers

Add AAAA records for your MX servers to support email via IPv6.

Impact: Improves email reachability for IPv6 networks

Review verification TXT records

Your domain has many third-party verification records that reveal your tech stack (Google, Microsoft, Atlassian, etc.). Review each one: 1) Remove records for services no longer used 2) Consider if each service really needs domain verification 3) Use a subdomain for less critical services. This is an information disclosure issue - attackers can map your SaaS footprint.

Impact: Reduces reconnaissance surface and limits attacker knowledge of your infrastructure