DNS & Email Security Report for spamhaus.org

An automated analysis of spamhaus.org's DNS configuration, email authentication (SPF, DKIM, DMARC), DNSSEC chain, IPv6 readiness, and transport security. Last analyzed June 10, 2026.

D63/100
Poor

Weak security, action needed

Overall security score: 63/100 · Grade D (Poor)

This report is a cached snapshot

DNS changes frequently. Run a fresh, interactive scan of spamhaus.org for live records, propagation, and deep checks.

Run a fresh live scan

Detailed check results

DNS

100%pass
  • A record presentcritical

    1 A record(s) found

  • AAAA record presentrecommended

    1 AAAA record(s) found

  • MX records presentrecommended

    2 MX record(s) found

  • NS records presentcritical

    6 NS record(s) found

  • SOA record presentcritical

    SOA record found

  • Multiple nameserversrecommended

    6 nameservers configured ✓

  • SOA serial formatinfo

    Serial 2026040102 (YYYYMMDDnn format)

  • SOA timers validinfo

    Refresh: 3600s ✓, Retry: 600s ✓, Expire: 2419200s ✓

  • No lame nameserversinfo

    6 NS all responding ✓

  • Glue records presentinfo

    4 glue record(s)

  • WWW record configuredinfo

    CNAME: www.spamhaus.org.cdn.cloudflare.net

  • MX servers have PTR recordsinfo

    1/2 MX IPs have PTR. Configure reverse DNS for your mail servers

  • MX servers have FCrDNSinfo

    1/2 MX IPs have FCrDNS. PTR hostnames must resolve back to the original IP.

DNSSEC

28%fail
  • DNSSEC signedrecommended

    DNSSEC not configured. Enable DNSSEC at your domain registrar to protect against DNS spoofing

  • DNSSEC validation OKcritical

    Not applicable (DNSSEC not enabled)

  • NSEC3 RFC 9276 compliantrecommended

    Not applicable (domain uses NSEC or is not DNSSEC-signed)

  • RRSIG signatures validrecommended

    Not applicable (DNSSEC not enabled)

  • Modern DNSSEC algorithmoptional

    Not applicable (DNSSEC not enabled)

  • DS digest algorithm modernrecommended

    Not applicable (no DS records or DNSSEC not enabled)

  • DNSKEY algorithm secureoptional

    Not applicable (DNSSEC not enabled)

  • RRSIG TTL saferecommended

    Not applicable (DNSSEC not enabled or no RRSIG data)

  • Chain of trust completecritical

    DNSSEC not enabled

IPv6

70%warning
  • Website reachable via IPv6recommended

    1 AAAA record(s) ✓

  • Mail servers reachable via IPv6recommended

    0/2 MX servers have IPv6. Add AAAA records for your mail servers

  • Nameservers reachable via IPv6recommended

    6/6 NS server(s) with IPv6 ✓

Email security

50%warning
  • SPF record presentcritical

    v=spf1 a:mail-out.spamhaus.org a:mail-out1.spamhaus.org a:mail-out2.spamhaus.org ~all

  • SPF syntax validcritical

    SPF syntax is correct ✓

  • SPF policy strict (-all)recommended

    SPF uses ~all or ?all. Change to -all for strict enforcement

  • DKIM foundrecommended

    No DKIM found. Configure DKIM signing with your email provider

  • DMARC record presentrecommended

    v=DMARC1; p=reject; pct=100; fo=1; ri=3600; rua=mailto:[email protected],mailto:[email protected]; ruf=mailto:[email protected]

  • DMARC policy quarantine or betterrecommended

    DMARC policy: reject ✓

  • DMARC policy rejectoptional

    DMARC policy: reject ✓

  • BIMI record presentoptional

    No BIMI record. Add TXT at default._bimi with logo URL (requires DMARC p=quarantine+)

  • BIMI configuration validoptional

    No BIMI configured

  • MTA-STS record presentoptional

    No MTA-STS. Add TXT at _mta-sts and host policy at /.well-known/mta-sts.txt

  • MTA-STS policy enforcedoptional

    MTA-STS not configured

  • MX records validcritical

    2 MX record(s) ✓

  • MX domains use DNSSECrecommended

    0/1 MX domain(s) have DNSSEC. Ask your mail provider to enable DNSSEC

  • MX DNSSEC validation OKrecommended

    DNSSEC not enabled for MX domains

  • Mail servers not blacklistedcritical

    1/1 MX server(s) blacklisted: mx.spamhaus.org on UCEPROTECT L3

  • No critical blacklist listingscritical

    No critical listings, but some servers are on blacklists

Web security

68%warning
  • CAA records presentrecommended

    No CAA records. Add CAA record to specify allowed certificate authorities

  • CAA policy strictoptional

    CAA not strict. Add CAA 0 issue "letsencrypt.org" (or your CA) to restrict issuance

  • TLSA records (DANE)optional

    No TLSA/DANE records. Add TLSA at _25._tcp.mail for DANE email encryption

  • DANE configuration validoptional

    No DANE configured

  • No sensitive info in TXTcritical

    No sensitive data leaked ✓

  • Verification records reviewedinfo

    3 verification record(s): Google, Slack, Zoom. Consider if all are still needed

  • HTTPS availablecritical

    HTTPS working (status 200) ✓

  • Valid certificatecritical

    Certificate chain is valid and trusted ✓

  • HTTP redirects to HTTPScritical

    HTTP automatically redirects to HTTPS ✓

  • HSTS enabledrecommended

    HSTS enabled (max-age=300, includeSubDomains, preload) ✓

  • HSTS max-age >= 1 yearoptional

    max-age=300 is too short. Set to 31536000 (1 year) or higher

  • X-Frame-Options headerrecommended

    X-Frame-Options: SAMEORIGIN ✓

  • X-Content-Type-Options headerrecommended

    X-Content-Type-Options: nosniff ✓

  • Content-Security-Policy headerrecommended

    Content-Security-Policy configured ✓

  • Referrer-Policy headerrecommended

    Referrer-Policy: strict-origin ✓

  • security.txt presentoptional

    security.txt found

  • security.txt validoptional

    security.txt missing required fields. Must have Contact: and Expires: per RFC 9116

  • HTTP/3 (QUIC) supportedoptional

    HTTP/3 (QUIC v1) on port 443 Detection methods: QUIC probe: inconclusive (no reply — trigger may be dropped or UDP/443 filtered) Alt-Svc header: h3=":443" Cache: 24h (ma=86400)

  • QUIC UDP reachableinfo

    QUIC probe inconclusive (no reply — trigger may be dropped or UDP/443 filtered). Not a negative signal; h3 is judged from Alt-Svc / HTTPS record

  • HTTPS DNS record (SVCB)optional

    No HTTPS DNS record (type 65). Add HTTPS record for faster HTTP/3 discovery: spamhaus.org IN HTTPS 1 . alpn="h3,h2"

Issues found (5)

Mail server reverse DNS missing

One or more MX server IPs do not have a PTR record. Mail receivers treat missing reverse DNS as a deliverability risk.

Learn more

DNSSEC not configured

DNSSEC provides extra protection against DNS spoofing

Learn more

Mail servers have no IPv6

Your mail servers are not reachable via IPv6

Learn more

DKIM not found

DKIM helps verify your outgoing email

Learn more

No CAA records

CAA records determine which Certificate Authorities may issue SSL certificates

Learn more

Recommendations (5)

Implement DNSSEC

Activate DNSSEC with your domain registrar and add the DS records to your parent zone. This protects against DNS spoofing attacks.

Impact: Significantly increases security and prevents DNS manipulation

Implement DKIM

Configure DKIM signing with your email provider and publish the DKIM public key in DNS.

Impact: Improves email deliverability and prevents spoofing

Configure reverse DNS for mail servers

Ask the owner of each mail server IP address to set a PTR record, for example 203.0.113.10 -> mail.yourdomain.com.

Impact: Improves mail-server trust signals and reduces deliverability risk

Add CAA records

Define which Certificate Authorities may issue SSL certificates, for example: "0 issue letsencrypt.org"

Impact: Prevents unauthorized certificate issuance

IPv6 for mail servers

Add AAAA records for your MX servers to support email via IPv6.

Impact: Improves email reachability for IPv6 networks

About this report

IntoDNS.AI evaluates spamhaus.org against DNS hygiene, email authentication, and transport-security best practices, scoring each check and rolling them up into an overall grade. Results reflect public DNS as observed on June 10, 2026 and may differ from a live scan if the domain has since changed its configuration.

Want to check your own domain? Scan any domain on the homepage.

Last analyzed: June 10, 2026 · Google Public DNS