
Domain Risk Scanner

Comprehensive domain security scan covering SSL/TLS, security headers, email authentication, DNS health, breach history, and privacy compliance with a risk score.


What the Domain Risk Scanner Checks

This tool runs a broad security posture scan against a single domain and rolls the results into a readable risk picture. Instead of checking one thing in isolation, it samples the layers an attacker (or a careless misconfiguration) would touch first:

  • SSL/TLS — certificate validity, expiry, chain, and protocol/cipher health.
  • Security headers — HSTS, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy.
  • Email authentication — SPF, DKIM, and DMARC records that stop your domain being spoofed.
  • DNS health — record sanity, nameserver setup, and common gaps.
  • HTTPS enforcement — whether HTTP redirects cleanly to HTTPS.
  • Breach history and reputation — known exposure and blocklist signals.

Why a Combined View Matters

Individually, each finding looks minor. Together they describe real exposure. A site with a valid certificate but no HSTS and a ~all SPF record is still trivially phishable and downgradeable. Scanning everything at once lets you triage: fix the high-impact, low-effort items (DMARC enforcement, HSTS, missing CSP) before chasing edge cases.

When to Use It

  • Before launching a new domain or subdomain.
  • During vendor or acquisition due diligence on a third-party domain.
  • As a periodic hygiene check — certificates expire and DNS drifts.

Reading the Results

Treat the score as a prompt, not a verdict. Email authentication and HTTPS enforcement gaps are the items most often weaponized in real attacks, so weight those first. For a deeper look at any certificate the scan flags, the X.509 Certificate Decoder (/tools/security/x509-decoder) breaks a cert down field by field, including its validity window and signature algorithm.
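As an added example (not the scanner's own code), the script below runs the SPF, DMARC, HTTPS-enforcement and security-header evaluations listed above over constructed inputs and folds them into a single triage list and 0-100 risk score, ranking email authentication and HTTPS enforcement highest as the paragraph above recommends. Everything specific in it is an assumption: the severity weights, the 180-day HSTS minimum, the 3x score multiplier, and the sample DNS answers and response headers for example.test.

```python
"""Offline posture checks modelled on what a domain risk scan evaluates.

Added example, not the scanner's own code. DNS TXT answers and the HTTP
response are constructed in-memory so it runs without network access;
severities and the 180-day HSTS threshold are this example's assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    check: str      # which layer the finding belongs to
    severity: int   # 1 (low) .. 10 (high); drives triage order and score
    detail: str


# Matches the 'all' mechanism and captures its qualifier (+, -, ~, ? or none).
_SPF_ALL = re.compile(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", re.I)


def check_spf(txt_records):
    """SPF: missing record, duplicate records, or a weak 'all' qualifier."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("spf", 8, "no SPF record published")]
    if len(spf) > 1:
        return [Finding("spf", 8, "multiple SPF records; receivers treat this as permerror")]
    m = _SPF_ALL.search(spf[0])
    if not m:
        return [Finding("spf", 5, "no 'all' mechanism; unlisted senders get a neutral result")]
    qualifier = m.group(1) or "+"          # bare 'all' means '+all'
    if qualifier == "+":
        return [Finding("spf", 9, "+all authorises any host to send as this domain")]
    if qualifier in ("~", "?"):
        return [Finding("spf", 6, f"{qualifier}all: spoofed mail is not rejected by SPF alone")]
    return []                              # -all: hard fail, nothing to report


def check_dmarc(txt_records):
    """DMARC: missing record, monitoring-only policy, or partial enforcement."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [Finding("dmarc", 9, "no DMARC record at _dmarc.<domain>")]
    tags = {}
    for kv in dmarc[0].split(";"):         # "v=DMARC1; p=none; rua=..." -> tag dict
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    policy = tags.get("p", "").lower()
    if policy == "none":
        return [Finding("dmarc", 7, "p=none: failures are reported but still delivered")]
    if policy not in ("quarantine", "reject"):
        return [Finding("dmarc", 9, f"policy tag missing or invalid: {policy!r}")]
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        return [Finding("dmarc", 4, f"pct={pct}: policy applied to only part of the mail flow")]
    return []


def check_transport(headers, final_scheme):
    """HTTPS enforcement plus the security headers the scan lists."""
    h = {k.lower(): v for k, v in headers.items()}
    out = []
    if final_scheme != "https":
        out.append(Finding("https", 9, "plain HTTP is not redirected to HTTPS"))
    hsts = h.get("strict-transport-security")
    if hsts is None:
        out.append(Finding("hsts", 6, "no Strict-Transport-Security header"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < 180 * 86400:   # assumed minimum: 180 days
            out.append(Finding("hsts", 3, "HSTS max-age shorter than 180 days"))
    if "content-security-policy" not in h:
        out.append(Finding("csp", 4, "no Content-Security-Policy header"))
    for name, sev in (("x-content-type-options", 2), ("x-frame-options", 2), ("referrer-policy", 1)):
        if name not in h:
            out.append(Finding(name, sev, f"missing {name} header"))
    return out


def scan(domain, txt_lookup, headers, final_scheme):
    """Combine the layers into one triage list and a 0-100 risk score."""
    findings = (check_spf(txt_lookup.get(domain, []))
                + check_dmarc(txt_lookup.get(f"_dmarc.{domain}", []))
                + check_transport(headers, final_scheme))
    findings.sort(key=lambda f: -f.severity)                  # highest impact first
    score = min(100, 3 * sum(f.severity for f in findings))   # assumed weighting
    return {"domain": domain, "risk_score": score, "findings": findings}


# Constructed sample: soft-fail SPF, monitoring-only DMARC, HTTPS on but no HSTS/CSP.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mailer.example ~all", "site-verify=abc123"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    result = scan("example.test", SAMPLE_TXT, SAMPLE_HEADERS, "https")
    print(f"{result['domain']}: risk {result['risk_score']}/100")
    for f in result["findings"]:
        print(f"  [{f.severity:>2}] {f.check:<22} {f.detail}")
```

Running it on the sample puts the DMARC and SPF gaps at the top of the list ahead of the missing HSTS and CSP headers, which is the triage order the tool's guidance describes; swap in a live resolver and HTTP client for the two constructed inputs and the same scoring applies.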


Disclaimer

This tool is provided for informational and educational purposes only. All processing happens entirely in your browser; no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.