DNS & Email Security Report for wehkamp.nl

• A record presentcritical

  2 A record(s) found

• AAAA record presentrecommended

  2 AAAA record(s) found

• MX records presentrecommended

  2 MX record(s) found

• NS records presentcritical

  2 NS record(s) found

• SOA record presentcritical

  SOA record found

• Multiple nameserversrecommended

  2 nameservers configured ✓

• SOA serial formatinfo

  Serial 2406534515 (valid, managed DNS format)

• SOA timers validinfo

  Refresh: 10000s ✓, Retry: 2400s ✓, Expire: 604800s ✓

• No lame nameserversinfo

  2 NS all responding ✓

• Glue records presentinfo

  No glue needed

• WWW record configuredinfo

  A record matches apex

• MX servers have PTR recordsinfo

  2 MX IPs all have PTR records ✓

• MX servers have FCrDNSinfo

  2 MX IPs have forward-confirmed reverse DNS ✓

• DNSSEC signedrecommended

  DNSSEC is enabled ✓

• DNSSEC validation OKcritical

  DNSSEC validates correctly ✓

• NSEC3 RFC 9276 compliantrecommended

  Not applicable (domain uses NSEC or is not DNSSEC-signed)

• RRSIG signatures validrecommended

  RRSIG signature expires in 1 days — renewal needed

• Modern DNSSEC algorithmoptional

  ECDSA P-256 (algorithm 13) — modern ✓

• DS digest algorithm modernrecommended

  DS digest: SHA-256 — modern ✓

• DNSKEY algorithm secureoptional

  DNSKEY: ECDSA P-256 — modern ✓

• RRSIG TTL saferecommended

  Record TTLs do not exceed RRSIG validity periods ✓

• Chain of trust completecritical

  Complete chain: DNSKEY + DS + RRSIG ✓

• Website reachable via IPv6recommended

  2 AAAA record(s) ✓

• Mail servers reachable via IPv6recommended

  0/2 MX servers have IPv6. Add AAAA records for your mail servers

• Nameservers reachable via IPv6recommended

  2/2 NS server(s) with IPv6 ✓

• SPF record presentcritical

  v=spf1 redirect=a3djsigw._spf._d.mim.ec

• SPF syntax validcritical

  SPF syntax is correct ✓

• SPF policy strict (-all)recommended

  SPF uses ~all or ?all. Change to -all for strict enforcement

• DKIM foundrecommended

  DKIM selector: google ✓

• DMARC record presentrecommended

  v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

• DMARC policy quarantine or betterrecommended

  DMARC policy: reject ✓

• DMARC policy rejectoptional

  DMARC policy: reject ✓

• BIMI record presentoptional

  No BIMI record. Add TXT at default._bimi with logo URL (requires DMARC p=quarantine+)

• BIMI configuration validoptional

  No BIMI configured

• MTA-STS record presentoptional

  MTA-STS configured ✓

• MTA-STS policy enforcedoptional

  MTA-STS not configured

• MX records validcritical

  2 MX record(s) ✓

• MX domains use DNSSECrecommended

  0/1 MX domain(s) have DNSSEC. Ask your mail provider to enable DNSSEC

• MX DNSSEC validation OKrecommended

  DNSSEC not enabled for MX domains

• Mail servers not blacklistedcritical

  1 MX server(s) checked against 16 blacklists - clean ✓

• No critical blacklist listingscritical

  No blacklist listings ✓

• CAA records presentrecommended

  17 CAA record(s) ✓

• CAA policy strictoptional

  CAA limits certificate authorities ✓

• TLSA records (DANE)optional

  No TLSA/DANE records. Add TLSA at _25._tcp.mail for DANE email encryption

• DANE configuration validoptional

  No DANE configured

• No sensitive info in TXTcritical

  No sensitive data leaked ✓

• Verification records reviewedinfo

  4 verification record(s): Apple, Atlassian, Google, Microsoft 365. Consider if all are still needed

• HTTPS availablecritical

  HTTPS working (status 403) ✓

• Valid certificatecritical

  Certificate chain is valid and trusted ✓

• HTTP redirects to HTTPScritical

  HTTP automatically redirects to HTTPS ✓

• HSTS enabledrecommended

  HSTS enabled (max-age=31536000) ✓

• HSTS max-age >= 1 yearoptional

  max-age=31536000 (≥1 year) ✓

• X-Frame-Options headerrecommended

  X-Frame-Options: SAMEORIGIN ✓

• X-Content-Type-Options headerrecommended

  X-Content-Type-Options: nosniff ✓

• Content-Security-Policy headerrecommended

  No Content-Security-Policy header. Add CSP to prevent XSS and other injection attacks

• Referrer-Policy headerrecommended

  Referrer-Policy: same-origin ✓

• security.txt presentoptional

  No security.txt. Create /.well-known/security.txt with Contact and Expires fields (RFC 9116)

• security.txt validoptional

  No security.txt configured

• HTTP/3 (QUIC) supportedoptional

  HTTP/3 (QUIC v1) on port 443 Detection methods: QUIC probe: QUIC v1 (RFC 9000) (7ms) Alt-Svc header: h3=":443" Cache: 24h (ma=86400)

• QUIC UDP reachableoptional

  QUIC reachable on UDP/443 (7ms) — QUIC v1 (RFC 9000) ✓

• HTTPS DNS record (SVCB)optional

  No HTTPS DNS record (type 65). Add HTTPS record for faster HTTP/3 discovery: wehkamp.nl IN HTTPS 1 . alpn="h3,h2"

IPv6 for mail servers

Add AAAA records for your MX servers to support email via IPv6.

Impact: Improves email reachability for IPv6 networks