bybit-kod.pro
Grade: D- (62/100)
0 of 1 fixed
1. Set up email authentication (DMARC, SPF, DKIM)
DMARC / Email Security
1–2 days

Without email authentication, anyone can send emails that appear to come from bybit-kod.pro. This is the most common vector for phishing attacks targeting employees and customers. DMARC, SPF and DKIM are not configured.

NIST CSF PR.AC-7: Email authentication is a required access control
ISO 27001 A.13.2.1: Information transfer policies require email security controls
HIPAA §164.312(e): Transmission security for electronic PHI
How to fix this
1. Add SPF record to DNS: v=spf1 include:_spf.google.com ~all (adjust for your email provider)
2. Configure DKIM signing with your email provider and publish the public key in DNS
3. Add DMARC record: v=DMARC1; p=quarantine; rua=mailto:[email protected]
4. Monitor DMARC reports for 2–4 weeks, then upgrade policy to p=reject
TLS Version
TLSv1.3
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
DMARC Policy
Not configured
Issues: No DMARC record found — email spoofing is not prevented; No SPF record found; No DKIM records found for common selectors (domain may use custom selectors — this is not a confirmed gap).
SPF Record
Missing
No SPF record found.
Security Headers
0/5 present
Missing: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy
HSTS
Not enabled
Strict-Transport-Security header is missing. Connections can be downgraded to HTTP via man-in-the-middle attacks. If this domain is in the browser HSTS preload list, browsers may still enforce HTTPS — but the header should be present for full coverage.
SSL Certificate
Valid
Strengths: Certificate valid, 81 days remaining; Issued by Google Trust Services; 6 certificates logged in CT; Certificates from 2 CAs: Google Trust Services, SSL Corporation.
Note: Wildcard certificate in use (*.domain), covering all subdomains. This is common practice, but a compromise of the wildcard key would affect all subdomains.
DNSSEC
Not enabled
Strengths: 2 nameservers configured (nucum.ns.cloudflare.com, dion.ns.cloudflare.com); SOA record present and MNAME consistent with NS set; Zone transfers properly restricted on all nameservers; Address records present: 2 A record(s), 2 AAAA record(s).
Issues: All nameservers are from a single provider (cloudflare.com), so a provider outage takes down the domain; DNSSEC not configured, so DNS responses can be spoofed or tampered with in transit (DNS cache poisoning).