RSS

Show HN: I built a tool to consolidate common domain security checks

py931 pts0 comments

Domain Intelligence Scanner – DNS, Email, SSL & Website Security Audit | SwissArmyTechTools

Domain Intelligence Scanner

Complete security assessment for any domain — DNS, DNSSEC, email authentication, SSL/TLS certificates, and website security headers in a single scan. Built for MSPs, IT admins, and security professionals.

Domain name to scan

Scan Domain

google.com<br>cloudflare.com<br>microsoft.com<br>github.com

Local preview mode — Showing example data for cloudflare.com. Deploy to Cloudflare Pages to scan real domains.

Scanning …

DNS & DNSSEC

✉Email Security (SPF, DKIM, DMARC)

SSL/TLS Certificate

Website Security Headers

Results for

Scan another domain

Overall Security Score

Executive Summary

✓ Strengths

! Issues Found

→ Top Recommended Actions

Security Findings

Recommendations

DNS Security

Email Security

SSL / TLS

Website Security

Deep Dive with Individual Tools

How the Domain Intelligence Scanner works

Enter any domain name and the scanner performs five parallel security checks simultaneously:

DNS & DNSSEC — Retrieves nameservers, CAA records, and verifies DNSSEC signing via two independent resolvers (Cloudflare 1.1.1.1 and Google Public DNS)

Email Security — Queries SPF, DKIM (scanning common selectors), and DMARC records and analyses policy strength

SSL/TLS — Performs a live TLS handshake to inspect the certificate, verify validity, check expiry, and detect HSTS configuration

Security Headers — Fetches the HTTP response headers and scores CSP, HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy

Results are scored using a weighted model — Email Security (30%), DNS Security (25%), SSL/TLS (25%), Website Security (20%) — and combined into an overall score and A–F grade.

Common uses

The Domain Intelligence Scanner is designed for security-minded assessments where you need a fast, structured view of a domain's security posture:

MSP prospect assessments — run before a sales or onboarding meeting to understand a client's security gaps

Email deliverability troubleshooting — instantly see whether SPF, DKIM, and DMARC are correctly configured

Security baseline checks — verify a domain meets minimum security standards after a migration or handoff

Pre-launch validation — confirm all security controls are in place before launching a new website or domain

Competitive research — check competitors' or vendor domains for security posture

Security Guidance

Frequently Asked Questions

Everything you need to know about domain security assessment, scoring, and remediation — from SPF and DMARC to DNSSEC and security headers.

What does the Domain Intelligence Scanner check? +

The scanner performs five parallel checks: DNS security (DNSSEC status, nameserver redundancy, CAA records), email security (SPF, DKIM, DMARC policy analysis), SSL/TLS certificate health (validity, expiry, TLS version, HSTS), website security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), and DNSSEC chain-of-trust validation via two independent resolvers — Cloudflare 1.1.1.1 and Google Public DNS. Results are scored by category, combined into an overall A–F grade, and presented as an executive summary, prioritised findings, and actionable recommendations.

Do I need DNSSEC? +

DNSSEC is not required but is strongly recommended for any domain that matters. Without it, DNS responses can be forged on the network path — silently redirecting your users to a malicious server without any visible warning (DNS cache poisoning). Cloudflare, Amazon Route 53, and Google Cloud DNS all support DNSSEC with a single toggle. The main extra step is publishing the DS record at your registrar, which typically takes 15–30 minutes.

What is a good domain security score? +

Scores of 90–100 (Grade A) indicate excellent security posture. Scores of 75–89 (Grade B) represent good security with minor improvements available. Scores of 60–74 (Grade C) show fair security with several gaps to address. Scores of 45–59 (Grade D) indicate poor security with significant issues present. Scores below 45 (Grade F) indicate critical deficiencies requiring immediate attention. Most production domains without dedicated security hardening score in the C–D range.

What are CAA records and why do they matter? +

CAA (Certification Authority Authorization) records specify which Certificate Authorities are permitted to issue SSL certificates for your domain. For example, 0 issue "letsencrypt.org" restricts issuance to Let's Encrypt only. Without CAA records, any CA in the world can issue a certificate for your domain — a risk if a CA is compromised or makes an issuance error. They take about 15 minutes to add at your DNS provider and require no changes to your web server or application.

How is the overall score calculated? +

The overall score is a weighted average of four category scores: Email Security (30%), DNS Security (25%), SSL/TLS (25%), and Website Security (20%). Email is weighted...

security domain email dnssec website scanner

Related Articles

The Newest Instagram "Exploit" Is the Goofiest I've Seen

ssiddharth34 ptsaccount attacker email instagram seen like

Apple WWDC 2026 Livestream

nextstep32 ptsapple stream video event live feed

Claude Fable 5

Philpax30 ptsfable claude mythos model models capabilities

US Government directive to suspend access to Fable 5 and Mythos 5

Dylan131224 ptsfable government anthropic jailbreak access mythos

It's Not Just X. It's Y

mooreds21 ptslanguage model writing like grammarly human
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.