Email spoofing and DNS you never configured

SPF, DMARC, CAA, and the dangling subdomain someone can claim.

Can anyone send email that looks like it came from your domain?

Without an SPF record, a scammer can email your customers as you and it lands in the inbox. How spoofing works, how to check, and the one line that fixes it.

Your DMARC says p=none. Do you know what that allows?

p=none watches spoofed mail go out and does nothing to stop it. What the policy really means, why most domains get stuck here, and how to move to enforcement.

What is subdomain takeover, and is one of yours dangling right now?

A forgotten subdomain pointing at a dead service is a hostile page in your name. How dangling CNAME takeover works, where they hide, and how to check.

Why a missing CAA record lets the wrong authority issue your certs

Without a CAA record, any certificate authority on earth can mint a valid TLS cert for your domain. What CAA does, why it matters, and the one line to add.

Your robots.txt is telling crawlers exactly where /admin lives

Disallow: /admin doesn't hide your admin panel. It points right at it. What robots.txt is really for, what attackers read it for, and how to fix it.

MTA-STS and TLS-RPT: the email-in-transit protection you probably skipped

SPF and DMARC stop spoofing, but not a network attacker downgrading your inbound mail to plaintext. MTA-STS and TLS-RPT do. What they are, how to check, and how to publish them.

Your SPF record exists, but does it actually work? The errors that silently switch it off

An SPF record can be present and still enforce nothing: two records, more than ten lookups, dead includes. Each one is a permerror that makes receivers ignore your SPF entirely. The silent failure modes, and how to fix them.

Dead MX, private IPs, dangling nameservers: the DNS records pointing at nothing

DNS records that point at hosts which no longer exist are more than a tidiness problem: a dead MX drops mail and invites impersonation, a private IP in public DNS leaks your internal layout, and a dangling nameserver is a takeover risk. The pointers-to-nothing, explained.
