DNS & Email Security Report for transavia.com

An automated analysis of transavia.com's DNS configuration, email authentication (SPF, DKIM, DMARC), DNSSEC chain, IPv6 readiness, and transport security. Last analyzed June 10, 2026.

B86/100
Good

Good security, minor improvements possible

Overall security score: 86/100 · Grade B (Good)

This report is a cached snapshot

DNS changes frequently. Run a fresh, interactive scan of transavia.com for live records, propagation, and deep checks.

Run a fresh live scan

Detailed check results

DNS

100%pass
  • A record presentcritical

    2 A record(s) found

  • AAAA record presentrecommended

    2 AAAA record(s) found

  • MX records presentrecommended

    1 MX record(s) found

  • NS records presentcritical

    2 NS record(s) found

  • SOA record presentcritical

    SOA record found

  • Multiple nameserversrecommended

    2 nameservers configured ✓

  • SOA serial formatinfo

    Serial 2406495605 (valid, managed DNS format)

  • SOA timers validinfo

    Refresh: 10000s ✓, Retry: 2400s ✓, Expire: 604800s ✓

  • No lame nameserversinfo

    2 NS all responding ✓

  • Glue records presentinfo

    No glue needed

  • WWW record configuredinfo

    A record matches apex

  • MX servers have PTR recordsinfo

    8 MX IPs all have PTR records ✓

  • MX servers have FCrDNSinfo

    8 MX IPs have forward-confirmed reverse DNS ✓

DNSSEC

100%pass
  • DNSSEC signedrecommended

    DNSSEC is enabled ✓

  • DNSSEC validation OKcritical

    DNSSEC validates correctly ✓

  • NSEC3 RFC 9276 compliantrecommended

    Not applicable (domain uses NSEC or is not DNSSEC-signed)

  • RRSIG signatures validrecommended

    RRSIG signature expires in 1 days — renewal needed

  • Modern DNSSEC algorithmoptional

    ECDSA P-256 (algorithm 13) — modern ✓

  • DS digest algorithm modernrecommended

    DS digest: SHA-256 — modern ✓

  • DNSKEY algorithm secureoptional

    DNSKEY: ECDSA P-256 — modern ✓

  • RRSIG TTL saferecommended

    Record TTLs do not exceed RRSIG validity periods ✓

  • Chain of trust completecritical

    Complete chain: DNSKEY + DS + RRSIG ✓

IPv6

100%pass
  • Website reachable via IPv6recommended

    2 AAAA record(s) ✓

  • Mail servers reachable via IPv6recommended

    1/1 MX server(s) with IPv6 ✓

  • Nameservers reachable via IPv6recommended

    2/2 NS server(s) with IPv6 ✓

Email security

83%pass
  • SPF record presentcritical

    v=spf1 ip4:212.113.85.48 include:spf.protection.outlook.com include:_spf.psm.knowbe4.com include:_spf.salesforce.com include:spf.topdesk.net include:_spf.eu.sparkpostmail.com ~all

  • SPF syntax validcritical

    SPF syntax is correct ✓

  • SPF policy strict (-all)recommended

    SPF uses ~all or ?all. Change to -all for strict enforcement

  • DKIM foundrecommended

    DKIM selector: selector1 ✓

  • DMARC record presentrecommended

    v=DMARC1;p=reject;rua=mailto:[email protected]

  • DMARC policy quarantine or betterrecommended

    DMARC policy: reject ✓

  • DMARC policy rejectoptional

    DMARC policy: reject ✓

  • BIMI record presentoptional

    No BIMI record. Add TXT at default._bimi with logo URL (requires DMARC p=quarantine+)

  • BIMI configuration validoptional

    No BIMI configured

  • MTA-STS record presentoptional

    No MTA-STS. Add TXT at _mta-sts and host policy at /.well-known/mta-sts.txt

  • MTA-STS policy enforcedoptional

    MTA-STS not configured

  • MX records validcritical

    1 MX record(s) ✓

  • MX domains use DNSSECrecommended

    1/1 MX domain(s) use DNSSEC ✓

  • MX DNSSEC validation OKrecommended

    MX DNSSEC validates correctly ✓

  • Mail servers not blacklistedcritical

    1 MX server(s) checked against 16 blacklists - clean ✓

  • No critical blacklist listingscritical

    No blacklist listings ✓

Web security

56%warning
  • CAA records presentrecommended

    11 CAA record(s) ✓

  • CAA policy strictoptional

    CAA limits certificate authorities ✓

  • TLSA records (DANE)optional

    No TLSA/DANE records. Add TLSA at _25._tcp.mail for DANE email encryption

  • DANE configuration validoptional

    No DANE configured

  • No sensitive info in TXTcritical

    No sensitive data leaked ✓

  • Verification records reviewedinfo

    7 verification records found (Google, Facebook/Meta, Microsoft 365, Apple, DocuSign...). Review these - they reveal your tech stack to attackers. Remove unused service verifications

  • HTTPS availablecritical

    HTTPS working (status 403) ✓

  • Valid certificatecritical

    Certificate chain is valid and trusted ✓

  • HTTP redirects to HTTPScritical

    HTTP automatically redirects to HTTPS ✓

  • HSTS enabledrecommended

    No HSTS header. Add Strict-Transport-Security header with max-age of at least 31536000 (1 year)

  • HSTS max-age >= 1 yearoptional

    HSTS not enabled

  • X-Frame-Options headerrecommended

    X-Frame-Options: SAMEORIGIN ✓

  • X-Content-Type-Options headerrecommended

    No X-Content-Type-Options header. Add X-Content-Type-Options: nosniff to prevent MIME sniffing

  • Content-Security-Policy headerrecommended

    No Content-Security-Policy header. Add CSP to prevent XSS and other injection attacks

  • Referrer-Policy headerrecommended

    Referrer-Policy: same-origin ✓

  • security.txt presentoptional

    No security.txt. Create /.well-known/security.txt with Contact and Expires fields (RFC 9116)

  • security.txt validoptional

    No security.txt configured

  • HTTP/3 (QUIC) supportedoptional

    HTTP/3 (QUIC v1) on port 443 Detection methods: QUIC probe: QUIC v1 (RFC 9000) (8ms)

  • QUIC UDP reachableoptional

    QUIC reachable on UDP/443 (8ms) — QUIC v1 (RFC 9000) ✓

  • HTTPS DNS record (SVCB)optional

    HTTPS record found but no h3 ALPN (h2)

Issues found (1)

Excessive verification TXT records

Your domain has many third-party verification records. These reveal your tech stack to potential attackers (reconnaissance). Review and remove unused verifications

Learn more

Recommendations (1)

Review verification TXT records

Your domain has many third-party verification records that reveal your tech stack (Google, Microsoft, Atlassian, etc.). Review each one: 1) Remove records for services no longer used 2) Consider if each service really needs domain verification 3) Use a subdomain for less critical services. This is an information disclosure issue - attackers can map your SaaS footprint.

Impact: Reduces reconnaissance surface and limits attacker knowledge of your infrastructure

About this report

IntoDNS.AI evaluates transavia.com against DNS hygiene, email authentication, and transport-security best practices, scoring each check and rolling them up into an overall grade. Results reflect public DNS as observed on June 10, 2026 and may differ from a live scan if the domain has since changed its configuration.

Want to check your own domain? Scan any domain on the homepage.

Last analyzed: June 10, 2026 · Google Public DNS