Auditing
perfect-config.example Example
A+
99 / 100
62 pass · 0 warn · 0 fail
62 underlying signals · grouped into findings · scan completed 14:37 UTC
SPF, DKIM, DMARC and every supporting record that determines whether mail from this domain reaches the inbox or quietly disappears into spam.
Your DKIM key was generated when 1024-bit was the default. It still validates, but providers like Yahoo and Gmail are increasingly biased against shorter keys when reputation is borderline.
admin.google.com with super-admin rights.google._domainkey with the new value (replace the existing 1024-bit record, or stage it as google2024._domainkey first if you want a safe rollover).Wait 1 hour for propagation, then re-run this audit. The selector should report 2048-bit and remain a pass.
p=reject for full protection against spoofing.Never jump straight from quarantine to reject. Use these stages:
rua address) and check that everything sending mail on your behalf is aligned. Tools like Postmark, Valimail, or dmarcian make this readable.aspf=r and adkim=r to s (strict) only after you're sure every legitimate sender authenticates the exact sending domain.p=reject but keep pct=10 so only 10% of failing mail is actually rejected. Monitor for two weeks.v=DMARC1; p=reject; rua=mailto:dmarc@perfect-config.example; ruf=mailto:dmarc@perfect-config.example; pct=100; aspf=s; adkim=s
If you use ESPs (MailerLite, Mailchimp, etc.) that don't fully align, you must add them as authorised senders in SPF and ensure they DKIM-sign with your domain before going to reject.
r). Acceptable; tighten to strict (s) when moving to reject.MTA-STS lets sending servers know they should require TLS when delivering to your domain. Without it, attackers can force connections to downgrade to plain text and intercept mail.
_mta-sts.perfect-config.example with the value:
v=STSv1; id=20260524001The
id is a version stamp — increment it whenever you update the policy file.
https://mta-sts.perfect-config.example/.well-known/mta-sts.txt:
version: STSv1 mode: enforce mx: aspmx.l.google.com mx: *.aspmx.l.google.com max_age: 604800The host
mta-sts.perfect-config.example must serve over HTTPS with a valid certificate. On cPanel, create a subdomain pointing to the same docroot and ensure AutoSSL covers it.
Pair it with a TLS-RPT record so you receive reports when delivery fails: v=TLSRPTv1; rua=mailto:tls-reports@perfect-config.example at _smtp._tls.perfect-config.example.
Allow 1 hour for DNS, then re-run this audit. Both MTA-STS and TLS-RPT checks should pass.
Add a TXT record at _smtp._tls.perfect-config.example with the value:
v=TLSRPTv1; rua=mailto:tls-reports@perfect-config.example
Use a real, monitored mailbox (or alias) — reports are useful diagnostic data, especially after enabling MTA-STS in enforce mode.
Wait 30 minutes for DNS, then re-run this audit.
Nameservers, zone integrity, signed responses, certificate authorisation and TTL hygiene — the foundation everything above sits on.
DNSSEC adds cryptographic signatures to your DNS responses. Resolvers that validate signatures can detect if a response has been tampered with on the way to them. Without DNSSEC, an attacker who can intercept DNS queries can redirect your visitors to malicious servers without you knowing.
The path depends on where your DNS is hosted:
Allow 24 hours after the DS record is in place, then re-run this audit.
Certificate chain, supported protocols, redirects and the HTTP security headers that protect users in the browser.
The Strict-Transport-Security header tells browsers "always use HTTPS for this site, never plain HTTP, even if a user types http://". This blocks the entire class of SSL-stripping man-in-the-middle attacks.
Header always set Strict-Transport-Security "max-age=300"Nginx:
add_header Strict-Transport-Security "max-age=300" always;
max-age=86400. Monitor for 24 hours.max-age=31536000; includeSubDomainsOnly add
includeSubDomains after confirming every subdomain serves HTTPS.
preload and submit at hstspreload.org to be baked into browsers.HSTS is sticky — once a browser sees it, it remembers for the full max-age. Don't deploy with a 1-year max-age until you're certain.
Re-run this audit. Header should appear in the response.
nosniff. Prevents MIME-sniffing attacks.CSP defines exactly which sources can load scripts, styles, images, fonts, and so on. Get it wrong and your site breaks visibly. Always deploy in report-only mode first.
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'self'; report-uri /csp-report
Monitor reports for 2-4 weeks, adjust, then switch from Content-Security-Policy-Report-Only to Content-Security-Policy.
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()
Registrar, lifecycle dates, transfer lock and delegation health — the administrative layer above all the technical configuration.
Every signal passed cleanly. Your mail authentication, transport security, web headers and DNS setup are all configured to current best practice. Re-run this audit quarterly to catch drift — or set up monitoring (v07) and we’ll watch it for you.
Configurations drift. Monitoring (coming v07) watches your records 24/7 and alerts you the moment something changes — expired cert, DNS edit, blacklist hit. Free with an ATEN account.