Auditing
broken-startup.example Example
F
34 / 100
15 pass · 14 warn · 33 fail
62 underlying signals · grouped into findings · scan completed 14:37 UTC
SPF, DKIM, DMARC and every supporting record that determines whether mail from this domain reaches the inbox or quietly disappears into spam.
Your DKIM key was generated when 1024-bit was the default. It still validates, but providers like Yahoo and Gmail are increasingly biased against shorter keys when reputation is borderline.
admin.google.com with super-admin rights.google._domainkey with the new value (replace the existing 1024-bit record, or stage it as google2024._domainkey first if you want a safe rollover).Wait 1 hour for propagation, then re-run this audit. The selector should report 2048-bit and remain a pass.
p=reject for full protection against spoofing.Never jump straight from quarantine to reject. Use these stages:
rua address) and check that everything sending mail on your behalf is aligned. Tools like Postmark, Valimail, or dmarcian make this readable.aspf=r and adkim=r to s (strict) only after you're sure every legitimate sender authenticates the exact sending domain.p=reject but keep pct=10 so only 10% of failing mail is actually rejected. Monitor for two weeks.v=DMARC1; p=reject; rua=mailto:dmarc@broken-startup.example; ruf=mailto:dmarc@broken-startup.example; pct=100; aspf=s; adkim=s
If you use ESPs (MailerLite, Mailchimp, etc.) that don't fully align, you must add them as authorised senders in SPF and ensure they DKIM-sign with your domain before going to reject.
r). Acceptable; tighten to strict (s) when moving to reject.MTA-STS lets sending servers know they should require TLS when delivering to your domain. Without it, attackers can force connections to downgrade to plain text and intercept mail.
_mta-sts.broken-startup.example with the value:
v=STSv1; id=20260524001The
id is a version stamp — increment it whenever you update the policy file.
https://mta-sts.broken-startup.example/.well-known/mta-sts.txt:
version: STSv1 mode: enforce mx: aspmx.l.google.com mx: *.aspmx.l.google.com max_age: 604800The host
mta-sts.broken-startup.example must serve over HTTPS with a valid certificate. On cPanel, create a subdomain pointing to the same docroot and ensure AutoSSL covers it.
Pair it with a TLS-RPT record so you receive reports when delivery fails: v=TLSRPTv1; rua=mailto:tls-reports@broken-startup.example at _smtp._tls.broken-startup.example.
Allow 1 hour for DNS, then re-run this audit. Both MTA-STS and TLS-RPT checks should pass.
Add a TXT record at _smtp._tls.broken-startup.example with the value:
v=TLSRPTv1; rua=mailto:tls-reports@broken-startup.example
Use a real, monitored mailbox (or alias) — reports are useful diagnostic data, especially after enabling MTA-STS in enforce mode.
Wait 30 minutes for DNS, then re-run this audit.
Nameservers, zone integrity, signed responses, certificate authorisation and TTL hygiene — the foundation everything above sits on.
DNSSEC adds cryptographic signatures to your DNS responses. Resolvers that validate signatures can detect if a response has been tampered with on the way to them. Without DNSSEC, an attacker who can intercept DNS queries can redirect your visitors to malicious servers without you knowing.
The path depends on where your DNS is hosted:
Allow 24 hours after the DS record is in place, then re-run this audit.
Certificate chain, supported protocols, redirects and the HTTP security headers that protect users in the browser.
The Strict-Transport-Security header tells browsers "always use HTTPS for this site, never plain HTTP, even if a user types http://". This blocks the entire class of SSL-stripping man-in-the-middle attacks.
Header always set Strict-Transport-Security "max-age=300"Nginx:
add_header Strict-Transport-Security "max-age=300" always;
max-age=86400. Monitor for 24 hours.max-age=31536000; includeSubDomainsOnly add
includeSubDomains after confirming every subdomain serves HTTPS.
preload and submit at hstspreload.org to be baked into browsers.HSTS is sticky — once a browser sees it, it remembers for the full max-age. Don't deploy with a 1-year max-age until you're certain.
Re-run this audit. Header should appear in the response.
nosniff. Prevents MIME-sniffing attacks.CSP defines exactly which sources can load scripts, styles, images, fonts, and so on. Get it wrong and your site breaks visibly. Always deploy in report-only mode first.
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'self'; report-uri /csp-report
Monitor reports for 2-4 weeks, adjust, then switch from Content-Security-Policy-Report-Only to Content-Security-Policy.
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()
Registrar, lifecycle dates, transfer lock and delegation health — the administrative layer above all the technical configuration.
These are blocking delivery and exposing you to spoofing right now. Address in order of impact.
Without DNSSEC, DNS responses can be forged via cache poisoning. Gandi supports one-click signing — the DS record is pushed to the .digital registry automatically.
See the guide →A 60-second fix: a TXT record at _mta-sts, a single policy file at mta-sts.broken-startup.example, and a TLS-RPT record. Combined, they enforce TLS and give you delivery failure reports.
Start with a 5-minute max-age, validate nothing breaks, then ramp to 1 year with includeSubDomains. After 6 stable months, submit to the HSTS preload list.
See the guide →A failing report like this is hurting deliverability and exposing you to brand-impersonation attacks right now. ATEN can stabilise everything safely in a single afternoon. £150 + VAT, fixed.